[erlang-questions] Looking for the Secure Coding Guide
eric@REDACTED
Fri Mar 1 18:04:30 CET 2019
Hi Juan,
Thanks for the links - I guess I'm trying to find something that
operationalizes specifically for Erlang the OWASP guidance found here
(Yes, I'm aware that not all of this applies to Erlang, but where it
does apply, is there guidance around how it should be operationalized in
Erlang development?) -
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
The documents you linked to touch on security while focusing on
operational results (in my opinion) as did the document I linked to
below; however, they don't focus on security. I'm looking for something
that focuses specifically on security regardless of whether it makes
coding easier or more difficult. In other words,
Regarding Dialyzer, I'm not sure that Dialyzer would call out something
that is syntactically correct but inadvisable, as it introduces
risk to the information. It is syntactically correct to receive input
without any input validation (this would not throw an error in the
application); however, would Dialyzer provide an alert that input
validation was not present (just as an example)?
Thanks again,
Eric Svetcov
On 01.03.2019 10:30, Juan Martín Guillén wrote:
> Hi Eric,
>
> I am sure you would find these links useful:
>
> https://github.com/inaka/erlang_guidelines
>
> http://erlang.org/doc/man/dialyzer.html
>
> Juan Martín.
>
> On Friday, 1 March 2019 13:13:03 ART, eric@REDACTED
> <eric@REDACTED> wrote:
>
> I reviewed the docs page on the Erlang site (http://www.erlang.org/docs)
> and searched elsewhere and cannot find a secure coding guide (yes, I did
> find some secure coding recommendations - like "do not program
> defensively" - http://www.erlang.se/doc/programming_rules.shtml#HDR11,
> but didn't find the advice compelling). So, does a secure coding guide
> exist and if so, could I get a copy of it? If one does not exist,
> is there something in development and when will it be available?
>
> Also, does anyone know if there is any type of static code assessment
> tool that exists to test for or verify adherence to the secure coding
> guide practices (again, presuming one exists)?
>
> Thanks for your help.
>
> Eric
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
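To illustrate the Dialyzer question raised in Eric's reply above, here is an added example (not code from the thread or from any Erlang project): a module, assumed to be named `input_check`, with one function that stores an untrusted value unchecked and one that validates it with guards. Dialyzer reasons about type discrepancies via success typings, so both functions are accepted without a warning; the presence or absence of validation is invisible to it.

```erlang
%% Added example, not from the mailing-list thread. Module and function
%% names are assumptions for illustration.
-module(input_check).
-export([set_age_unchecked/2, set_age_checked/2, demo/0]).

%% Stores whatever the caller supplied. Type-consistent, so Dialyzer has
%% nothing to report, even though no validation happened.
-spec set_age_unchecked(map(), term()) -> map().
set_age_unchecked(User, Age) ->
    User#{age => Age}.

%% Validates explicitly: guards accept only an integer in a sane range
%% and everything else is rejected with an error tuple. Dialyzer is
%% equally silent here; the validation is a design decision, not a type
%% check the tool could enforce for you.
-spec set_age_checked(map(), term()) -> {ok, map()} | {error, invalid_age}.
set_age_checked(User, Age) when is_integer(Age), Age >= 0, Age =< 150 ->
    {ok, User#{age => Age}};
set_age_checked(_User, _Age) ->
    {error, invalid_age}.

%% Constructed input: a binary where an integer was expected. The
%% unchecked variant silently keeps it; the checked variant refuses it.
demo() ->
    User = #{name => <<"example">>},
    Hostile = <<"not-a-number">>,
    Unchecked = set_age_unchecked(User, Hostile),
    Checked = set_age_checked(User, Hostile),
    %% Unchecked = #{name => <<"example">>, age => <<"not-a-number">>}
    %% Checked = {error, invalid_age}
    {Unchecked, Checked}.
```

Running Dialyzer over this module (with a PLT built for the standard library) reports no discrepancy for either function, which is the answer to the question as posed: Dialyzer finds type contradictions, not missing validation, so validation has to be supplied and reviewed as a coding rule.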