[erlang-questions] Security scanning tools for Erlang?
Thu Oct 27 07:15:28 CEST 2016
I think the difficulty here is defining what such a tool would ever evaluate.
Erlang is memory safe, so the myriad of tooling for C just doesn't make sense. If you look at static analysis tools for languages like PHP, you're looking at things like unsafe use of mysql_query(). Static analysis tools for Ruby basically look for poor use of the Rails framework. Except such a thing isn't part of the standard library in Erlang, and it would be infeasible for a security scanner to "just work" with the myriad of requirements of various third party libraries. I've used Fortify, and I cannot think of a single thing it actually detects on any platform that would be relevant to the Erlang standard library.
I appreciate having a directive handed down like this requires just doing something, so I would suggest:
* dialyzer, whilst not being directly targeted at security, can identify programming bugs which may well be security issues.
* PropEr and related tools can identify unexpected behaviour, which in turn can be considered a security analysis.
* Assuming you have a web API of some description, utilising something like ZAP to approach that as a black box web application can be an effective measure.
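As an added illustration of the first two suggestions above (this is example code written for this page, not code from the thread or from any poster): a hypothetical length-prefixed frame decoder in two variants, PropEr properties that find the crash in the unsafe variant, and a caller whose pattern-match bug dialyzer reports. It assumes PropEr is on the code path (e.g. a rebar3 project with proper as a dependency); the frame format, module name and function names are invented.

```erlang
%% frame_prop.erl: added example, not code from the thread or from any poster.
%% Assumes PropEr is available (e.g. rebar3 with {deps, [proper]}); the frame
%% format, module and function names are invented for illustration.
-module(frame_prop).
-include_lib("proper/include/proper.hrl").
-export([decode/1, decode_unsafe/1, encode/2, handle/1]).
-export([prop_decode_unsafe_never_crashes/0, prop_decode_never_crashes/0,
         prop_encode_decode_roundtrip/0]).

%% Wire format: a 16-bit big-endian length, that many payload bytes, then
%% whatever follows (the next frame).

%% Safe decoder: every possible input lands in exactly one of three clauses.
-spec decode(binary()) ->
          {ok, binary(), binary()} | {error, truncated | short_header}.
decode(<<Len:16, Payload:Len/binary, Rest/binary>>) ->
    {ok, Payload, Rest};
decode(<<Len:16, Rest/binary>>) when byte_size(Rest) < Len ->
    {error, truncated};
decode(_) ->
    {error, short_header}.

%% Unsafe decoder: trusts Len. binary:part/3 raises badarg when Rest is
%% shorter than Len, and inputs under two bytes raise function_clause.
-spec decode_unsafe(binary()) -> {ok, binary(), binary()}.
decode_unsafe(<<Len:16, Rest/binary>>) ->
    Payload = binary:part(Rest, 0, Len),
    Tail = binary:part(Rest, Len, byte_size(Rest) - Len),
    {ok, Payload, Tail}.

-spec encode(binary(), binary()) -> binary().
encode(Payload, Rest) when byte_size(Payload) =< 16#FFFF ->
    <<(byte_size(Payload)):16, Payload/binary, Rest/binary>>.

%% Caller with a bug that dialyzer reports: decode/1 returns a 3-tuple on
%% success, so the pattern {ok, Payload} can never match, the accept branch
%% is dead, and every well-formed frame crashes with case_clause at runtime.
handle(Bin) ->
    case decode(Bin) of
        {ok, Payload}   -> {accept, Payload};
        {error, Reason} -> {reject, Reason}
    end.

%% Property: the decoder must not raise on arbitrary bytes. Fails for
%% decode_unsafe/1; PropEr shrinks the input to a minimal counterexample
%% such as <<0,1>> (declared length 1, no payload bytes present).
prop_decode_unsafe_never_crashes() ->
    ?FORALL(Bin, binary(), never_crashes(fun decode_unsafe/1, Bin)).

%% The same property holds for the safe decoder.
prop_decode_never_crashes() ->
    ?FORALL(Bin, binary(), never_crashes(fun decode/1, Bin)).

never_crashes(F, Bin) ->
    try F(Bin) of
        _ -> true
    catch
        _:_ -> false
    end.

%% Property: encode/decode round-trips for any payload the 16-bit length
%% field can express, recovering both the payload and the trailing bytes.
prop_encode_decode_roundtrip() ->
    ?FORALL({Payload, Rest},
            {?LET(N, integer(0, 16#FFFF), binary(N)), binary()},
            decode(encode(Payload, Rest)) =:= {ok, Payload, Rest}).
```

From an Erlang shell with PropEr loaded, `proper:quickcheck(frame_prop:prop_decode_unsafe_never_crashes())` returns false and prints the shrunk input, while the two properties over the safe decoder pass; `proper:module(frame_prop)` runs all three. With a PLT built for erts, kernel and stdlib, `dialyzer --src frame_prop.erl` (or `rebar3 dialyzer`) reports that the `{ok, Payload}` pattern in handle/1 can never match the return type of decode/1, which is the kind of programming bug the first bullet refers to.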
From: erlang-questions-bounces@REDACTED <erlang-questions-bounces@REDACTED> on behalf of Marco Molteni <marco.molteni@REDACTED>
Sent: Thursday, 27 October 2016 5:13:22 AM
Subject: Re: [erlang-questions] Security scanning tools for Erlang?
I am not aware of any static analysis tool for Erlang.
On the other hand, there are tools that are language-agnostic and that look at the attack surface from the network and I/O point of view.
For example, Peach the fuzzer (commercial), scapy (lower-level, requires customization, open source), American Fuzzy Lop (open source) and many others.
Or, although not a security tool, the very advanced concolic testing tool by Kostis, CutEr (see recent presentations at Erlang Factory).
I understand all the propositions in the list above require way more time to set up than a static analysis tool. On the other hand, I think they are very important if one _really_ cares about security.
> On 26 Oct 2016, at 19:23, Garry Hodgson <garry@REDACTED> wrote:
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?