[erlang-questions] Looking for the Secure Coding Guide
eric@REDACTED
Fri Mar 1 19:14:10 CET 2019
Hi Juan,
Thanks again for your response. I agree that no static code analysis
tool is perfect. Anything that can partially mitigate a risk is better
than no mitigation at all. Other than PEST and Dialyzer, I'm not finding
anything specific for Erlang. I will see if there is anything at RSA
next week (I'm not hopeful).
A document for secure coding techniques that addresses much of what is
in the OWASP guidance would be helpful. I haven't found anything around
that yet. Just the documents you mentioned below, as well as a few
others, have little bits of security, but nothing comprehensive.
Thanks again for your help. Knowing that something isn't available is
almost as good as having the document. At least I can now spend time
figuring out how to address this and not try to look for something that
doesn't exist.
Thanks, this has been helpful,
Eric Svetcov
On 01.03.2019 11:46, Juan Martín Guillén wrote:
> Hi Eric,
>
> Now I see what you are looking for.
>
> You are right; Dialyzer, or any similar tool, would make a semantic
> static analysis on the source code and won't complain about input
> validations or that sort of thing.
>
> A tool that makes a security analysis similar to the link you sent
> would be something very different from that.
>
> In fact, it would be something a software tool could only do partially
> IMHO.
>
> Anyway, I don't know about any tool that does what you are needing,
> I'm sorry.
>
> Juan Martín.
>
> On Friday, 1 March 2019 14:04:31 ART, eric@REDACTED
> <eric@REDACTED> wrote:
>
> Hi Juan,
>
> Thanks for the links - I guess I'm trying to find something that
> operationalizes specifically for Erlang the OWASP guidance found here
> (Yes, I'm aware that not all of this applies to Erlang, but where it
> does apply, is there guidance around how it should be operationalized
> in Erlang development?) -
> https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
> https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
>
> The documents you linked to touch on security while focusing on
> operational results (in my opinion), as did the document I linked to
> below; however, they don't focus on security. I'm looking for
> something that focuses specifically on security regardless of whether
> it makes coding easier or more difficult. In other words,
>
> Regarding Dialyzer, I'm not sure that Dialyzer would call out
> something that is syntactically correct; however, inadvisable as it
> introduces risk to the information. It is syntactically correct to
> receive input without any input validation (this would not throw an
> error in the application); however, would Dialyzer provide an alert
> that input validation was not present (just a for instance)?
>
> Thanks again,
> Eric Svetcov
>
> On 01.03.2019 10:30, Juan Martín Guillén wrote:
>> Hi Eric,
>>
>> I am sure you would find these links useful:
>>
>> https://github.com/inaka/erlang_guidelines
>>
>> http://erlang.org/doc/man/dialyzer.html
>>
>> Juan Martín.
>>
>> On Friday, 1 March 2019 13:13:03 ART, eric@REDACTED
>> <eric@REDACTED> wrote:
>>
>> I reviewed the docs page on the Erlang site
>> (http://www.erlang.org/docs)
>> and searched elsewhere and cannot find a secure coding guide (yes, I
>> did find some secure coding recommendations - like "do not program
>> defensively" - http://www.erlang.se/doc/programming_rules.shtml#HDR11,
>> [1] but didn't find the advice compelling). So, does a secure coding
>> guide exist and if so, could I get a copy of it? If one does not
>> exist, is there something in development and when will it be
>> available?
>>
>> Also, does anyone know if there is any type of static code assessment
>> tool that exists to test for or verify adherence to the secure coding
>> guide practices (again, presuming one exists)?
>>
>> Thanks for your help.
>>
>> Eric
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>> Links:
>> ------
>> [1] http://www.erlang.se/doc/programming_rules.shtml#HDR11,
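The point Eric and Juan discuss above (Dialyzer checks that types and specs agree, not whether untrusted input was validated), illustrated with an added Erlang module that is not part of the thread. The module name and function names are hypothetical, and the "port number" input is a constructed example of untrusted data.

```erlang
%% Added example, not code from the thread. Both functions below are
%% type-correct and carry specs that Dialyzer accepts; only the second
%% one validates its input. Dialyzer reasons about the consistency of
%% types and specs, so the absence of validation in the first function
%% is invisible to it.
-module(port_parse).
-export([parse_port_unchecked/1, parse_port/1]).

%% Unvalidated: any binary is accepted and converted. Non-numeric input
%% raises badarg, and out-of-range values such as <<"70000">> or <<"-1">>
%% are returned as if they were valid ports. Dialyzer is silent because
%% binary_to_integer/1 is called with the binary() the spec promises and
%% returns the integer() the spec declares.
-spec parse_port_unchecked(binary()) -> integer().
parse_port_unchecked(Bin) ->
    binary_to_integer(Bin).

%% Validated: restrict the input's shape (digits only, at most five of
%% them) and range explicitly. The spec now documents the narrower return
%% type, so callers must handle {error, invalid_port}, and Dialyzer will
%% flag a caller that ignores that case.
-spec parse_port(binary()) -> {ok, 1..65535} | {error, invalid_port}.
parse_port(Bin) when is_binary(Bin), byte_size(Bin) =< 5 ->
    case digits_only(Bin) of
        true ->
            case binary_to_integer(Bin) of
                Port when Port >= 1, Port =< 65535 -> {ok, Port};
                _ -> {error, invalid_port}
            end;
        false ->
            {error, invalid_port}
    end;
parse_port(_) ->
    {error, invalid_port}.

%% Explicit character check instead of a regex: an empty binary is
%% rejected, and so is anything outside '0'..'9' (including a trailing
%% newline, which a "^[0-9]+$" regex would quietly accept).
-spec digits_only(binary()) -> boolean().
digits_only(<<>>) -> false;
digits_only(Bin) -> all_digits(Bin).

all_digits(<<>>) -> true;
all_digits(<<C, Rest/binary>>) when C >= $0, C =< $9 -> all_digits(Rest);
all_digits(_) -> false.
```

Running `dialyzer --src port_parse.erl` produces no warning about `parse_port_unchecked/1`: the function does exactly what its spec says, and Dialyzer has no notion of "this value came from outside and was not checked". The validation has to be written by hand, as in `parse_port/1`; what Dialyzer can then do is keep callers honest about the `{error, _}` return that the validation introduces.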