<html><head></head><body><div class="ydp74a1cf94yahoo-style-wrap" style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:16px;"><div></div>
<div>Hi Eric,</div><div><br></div><div>Now I see what you are looking for.</div><div><br></div><div>You are right; Dialyzer, or any similar tool, would make a semantic static analysis on the source code and won't complain about input validation or that sort of thing.</div><div><br></div><div>A tool that makes a security analysis similar to the link you sent would be something very different from that.</div><div><br></div><div>In fact, it would be something a software tool could only do partially IMHO.</div><div><br></div><div>Anyway, I don't know about any tool that does what you need, I'm sorry.</div><div><br></div><div>Juan Martín.</div><div><br></div>
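<div>An added illustration of the point above, not code from the thread or from the Dialyzer project: the two handlers below share the same -spec and both pass Dialyzer, because Dialyzer reasons about the types flowing through the code, not about whether caller input was checked before use. The module name, function names and the length limit are constructed for this example.</div>

```erlang
%% Constructed example, not code from the thread. Both handlers carry the
%% same -spec and both pass Dialyzer: it checks types, not whether input
%% was validated before use.
-module(input_check).
-export([handle_unchecked/1, handle_validated/1, bad_call/0]).

-define(MAX_LEN, 64).   %% assumed limit for this example

%% Version 1: type-correct but never validates. Any caller-supplied binary,
%% of any length or content, is accepted as-is. Dialyzer reports nothing.
-spec handle_unchecked(binary()) -> {ok, binary()}.
handle_unchecked(Name) ->
    {ok, Name}.

%% Version 2: the same entry point with an explicit length and allow-list
%% check. Dialyzer is equally silent here; the validation is the
%% programmer's work, which is the gap Juan describes.
-spec handle_validated(binary()) -> {ok, binary()} | {error, invalid_input}.
handle_validated(Name) when is_binary(Name), byte_size(Name) =< ?MAX_LEN ->
    case valid_chars(Name) of
        true  -> {ok, Name};
        false -> {error, invalid_input}
    end;
handle_validated(_) ->
    {error, invalid_input}.

%% Accept only ASCII letters, digits, '_' and '-'.
valid_chars(<<>>) ->
    true;
valid_chars(<<C, Rest/binary>>) when C >= $a, C =< $z;
                                     C >= $A, C =< $Z;
                                     C >= $0, C =< $9;
                                     C =:= $_; C =:= $- ->
    valid_chars(Rest);
valid_chars(_) ->
    false.

%% What Dialyzer DOES flag: a call that contradicts the -spec (a string,
%% i.e. a list, where binary() is declared). With a PLT built,
%% `dialyzer --src input_check.erl` reports that this call breaks the
%% contract of handle_validated/1.
bad_call() ->
    handle_validated("bob").
```

<div>The contrast is the practical takeaway: a type-level static analyser reports the contract violation in bad_call/0 but has no opinion on handle_unchecked/1, so missing validation has to be caught by review or a dedicated security tool.</div>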
</div><div id="ydpdef64f10yahoo_quoted_2425605753" class="ydpdef64f10yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>On Friday, March 1, 2019 at 14:04:31 ART, eric@svetcov.com &lt;eric@svetcov.com&gt; wrote:</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">Hi Juan,<br clear="none"><br clear="none">Thanks for the links - I guess I'm trying to find something that <br clear="none">operationalizes specifically for Erlang the OWASP guidance found here <br clear="none">(Yes, I'm aware that not all of this applies to Erlang, but where it <br clear="none">does apply, is there guidance around how it should be operationalized in <br clear="none">Erlang development?) - <br clear="none"><a shape="rect" href="https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf" rel="nofollow" target="_blank">https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf</a><br clear="none"><br clear="none">The documents you linked to touch on security while focusing on <br clear="none">operational results (in my opinion), as did the document I linked to <br clear="none">below; however, they don't focus on security. I'm looking for something <br clear="none">that focuses specifically on security regardless of whether it makes <br clear="none">coding easier or more difficult. In other words,<br clear="none"><br clear="none">Regarding Dialyzer, I'm not sure that Dialyzer would call out something <br clear="none">that is syntactically correct but inadvisable because it introduces <br clear="none">risk to the information. 
It is syntactically correct to receive input <br clear="none">without any input validation (this would not throw an error in the <br clear="none">application); however, would Dialyzer provide an alert that input <br clear="none">validation was not present (just a for instance)?<br clear="none"><br clear="none">Thanks again,<br clear="none">Eric Svetcov<br clear="none"><div class="ydpdef64f10yqt4760705514" id="ydpdef64f10yqtfd05326"><br clear="none">On 01.03.2019 10:30, Juan Martín Guillén wrote:<br clear="none">> Hi Eric,<br clear="none">> <br clear="none">> I am sure you would find these links useful:<br clear="none">> <br clear="none">> <a shape="rect" href="https://github.com/inaka/erlang_guidelines" rel="nofollow" target="_blank">https://github.com/inaka/erlang_guidelines</a><br clear="none">> <br clear="none">> <a shape="rect" href="http://erlang.org/doc/man/dialyzer.html" rel="nofollow" target="_blank">http://erlang.org/doc/man/dialyzer.html</a><br clear="none">> <br clear="none">> Juan Martín.<br clear="none">> <br clear="none">> On Friday, March 1, 2019 at 13:13:03 ART, <a shape="rect" href="mailto:eric@svetcov.com" rel="nofollow" target="_blank">eric@svetcov.com</a><br clear="none">> &lt;<a shape="rect" href="mailto:eric@svetcov.com" rel="nofollow" target="_blank">eric@svetcov.com</a>&gt; wrote:<br clear="none">> <br clear="none">> I reviewed the docs page on the Erlang site<br clear="none">> (<a shape="rect" href="http://www.erlang.org/docs" rel="nofollow" target="_blank">http://www.erlang.org/docs</a>)<br clear="none">> <br clear="none">> and searched elsewhere and cannot find a secure coding guide (yes, I<br clear="none">> did<br clear="none">> <br clear="none">> find some secure coding recommendations - like "do not program<br clear="none">> <br clear="none">> defensively" - http://www.erlang.se/doc/programming_rules.shtml#HDR11,<br clear="none">> [1]<br clear="none">> <br clear="none">> but didn't find the advice compelling). 
So, does a secure coding guide<br clear="none">> <br clear="none">> <br clear="none">> exist and if so, could I get a copy of it? If one does not<br clear="none">> exist,<br clear="none">> <br clear="none">> is there something in development and when will it be available?<br clear="none">> <br clear="none">> Also, does anyone know if there is any type of static code assessment<br clear="none">> <br clear="none">> tool that exists to test for or verify adherence to the secure coding<br clear="none">> <br clear="none">> guide practices (again, presuming one exists)?<br clear="none">> <br clear="none">> Thanks for your help.<br clear="none">> <br clear="none">> Eric<br clear="none">> <br clear="none">> _______________________________________________<br clear="none">> <br clear="none">> erlang-questions mailing list<br clear="none">> <br clear="none">> <a shape="rect" href="mailto:erlang-questions@erlang.org" rel="nofollow" target="_blank">erlang-questions@erlang.org</a><br clear="none">> <br clear="none">> <a shape="rect" href="http://erlang.org/mailman/listinfo/erlang-questions" rel="nofollow" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a></div><br clear="none">> <br clear="none">> <br clear="none">> Links:<br clear="none">> ------<br clear="none">> [1] http://www.erlang.se/doc/programming_rules.shtml#HDR11,<div class="ydpdef64f10yqt4760705514" id="ydpdef64f10yqtfd94021"><br clear="none"></div></div></div>
</div>
</div></body></html>