[erlang-questions] Looking for the Secure Coding Guide

Juan Martín Guillén juanmartinguillen@REDACTED
Fri Mar 1 18:46:01 CET 2019

Hi Eric,

Now I see what you are looking for.

You are right; Dialyzer, or any similar tool, would make a semantic static analysis of the source code and won't complain about input validation or that sort of thing. A tool that makes a security analysis similar to the link you sent would be something very different from that. In fact, it would be something a software tool could only do partially, IMHO.

Anyway, I don't know of any tool that does what you need, I'm sorry.

Juan Martín.

On Friday, 1 March 2019 14:04:31 ART, eric@REDACTED <eric@REDACTED> wrote:

Hi Juan,

Thanks for the links - I guess I'm trying to find something that operationalizes specifically for Erlang the OWASP guidance found here (yes, I'm aware that not all of this applies to Erlang, but where it does apply, is there guidance around how it should be operationalized in Erlang development?) -

The documents you linked to touch on security while focusing on operational results (in my opinion), as did the document I linked to below; however, they don't focus on security. I'm looking for something that focuses specifically on security regardless of whether it makes coding easier or more difficult. In other words,

Regarding Dialyzer, I'm not sure that Dialyzer would call out something that is syntactically correct but inadvisable because it introduces risk to the information. It is syntactically correct to receive input without any input validation (this would not throw an error in the application); however, would Dialyzer provide an alert that input validation was not present (just for instance)?

Thanks again,
Eric Svetcov

On 01.03.2019 10:30, Juan Martín Guillén wrote:
> Hi Eric,
> I am sure you would find these links useful:
> https://github.com/inaka/erlang_guidelines
> http://erlang.org/doc/man/dialyzer.html
> Juan Martín.
>
> On Friday, 1 March 2019 13:13:03 ART, eric@REDACTED <eric@REDACTED> wrote:
> I reviewed the docs page on the Erlang site (http://www.erlang.org/docs) and searched elsewhere and cannot find a secure coding guide (yes, I did find some secure coding recommendations - like "do not program defensively" - http://www.erlang.se/doc/programming_rules.shtml#HDR11, but didn't find the advice compelling). So, does a secure coding guide exist and if so, could I get a copy of it? If one does not exist, is there something in development and when will it be available?
> Also, does anyone know if there is any type of static code assessment tool that exists to test for or verify adherence to the secure coding guide practices (again, presuming one exists)?
> Thanks for your help.
> Eric
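As an added illustration of the Dialyzer point discussed in this thread (example code, not from anyone on the list; the module and function names are hypothetical): both functions below are type-consistent and produce no Dialyzer warning, yet only the second performs the input validation Eric is asking about. Dialyzer checks that specs and bodies agree, not whether untrusted input is checked before use.

```erlang
%% Added example, not from the erlang-questions thread.
%% Hypothetical module: parsing a TCP port number from untrusted text.
-module(port_input).
-export([parse_port_unchecked/1, parse_port/1]).

%% No validation: a non-numeric string raises badarg in the caller's
%% process, and an out-of-range value such as "70000" is returned as-is.
%% Dialyzer sees nothing wrong, because the spec and the body agree:
%% list_to_integer/1 on a string() yields an integer().
-spec parse_port_unchecked(string()) -> integer().
parse_port_unchecked(Input) ->
    list_to_integer(Input).

%% Explicit validation: any term is accepted, the caller gets a tagged
%% result instead of an exception, and only values in the TCP port
%% range are returned. The guard bounds the length before conversion
%% so arbitrarily long input is rejected cheaply.
-spec parse_port(term()) -> {ok, 1..65535} | {error, atom()}.
parse_port(Input) when is_list(Input), length(Input) =< 5 ->
    try list_to_integer(Input) of
        Port when Port >= 1, Port =< 65535 -> {ok, Port};
        _ -> {error, out_of_range}
    catch
        error:badarg -> {error, not_an_integer}
    end;
parse_port(_) ->
    {error, invalid_input}.
```

Compile with `erlc port_input.erl` and run `dialyzer port_input.erl`; neither function is reported, which is the gap between type analysis and a security review.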