[erlang-questions] Looking for the Secure Coding Guide

Bob Gustafson bobgus@REDACTED
Sun Mar 3 05:44:33 CET 2019


I was reading the article 
"https://spectrum.ieee.org/computing/software/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them" 
when your email came up.

The article talks about the prize winner in the DARPA Cyber Grand 
Challenge of 2016. They won $2m for their automated bug finder and 
patcher. 6 other challengers did pretty well too.

Perhaps it was not written in Erlang and perhaps the challenge problems 
were not so asynchronous, but it is a good story and represents a 
milestone in automated bug finding. No source code necessary.

Bob G

On 3/1/19 12:14 PM, eric@REDACTED wrote:
> Hi Juan,
>
> Thanks again for your response. I agree that no static code analysis 
> tool is perfect. Anything that can partially mitigate a risk is better 
> than no mitigation at all. Other than PEST and Dialyzer, I'm not 
> finding anything specific for Erlang. I will see if there is anything 
> at RSA next week (I'm not hopeful).
>
> A document for secure coding techniques that addresses much of what is 
> in the OWASP guidance would be helpful. I haven't found anything around 
> that yet. Just the documents you mentioned below as well as a few 
> others have little bits of security, but nothing comprehensive.
>
> Thanks again for your help. Knowing that something isn't available is 
> almost as good as having the document. At least I can now spend time 
> figuring out how to address this and not try to look for something 
> that doesn't exist.
>
> Thanks this has been helpful,
> Eric Svetcov
>
> On 01.03.2019 11:46, Juan Martín Guillén wrote:
>> Hi Eric,
>>
>> Now I see what you are looking for.
>>
>> You are right; Dialyzer, or any similar tool, would make a semantic
>> static analysis on the source code and won't complain about input
>> validation or that sort of thing.
>>
>> A tool that makes a security analysis similar to the link you sent
>> would be something very different from that.
>>
>> In fact, it would be something a software tool could only do partially
>> IMHO.
>>
>> Anyway, I don't know about any tool that does what you are needing,
>> I'm sorry.
>>
>> Juan Martín.
>>
>> On Friday, 1 March 2019 14:04:31 ART, eric@REDACTED
>> <eric@REDACTED> wrote:
>>
>> Hi Juan,
>>
>> Thanks for the links - I guess I'm trying to find something that
>> operationalizes specifically for Erlang the OWASP guidance found here
>> (Yes, I'm aware that not all of this applies to Erlang, but where it
>> does apply, is there guidance around how it should be operationalized
>> in Erlang development?) -
>> https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
>>
>> The documents you linked to touch on security while focusing on
>> operational results (in my opinion) as did the document I linked to
>> below; however, they don't focus on security. I'm looking for
>> something that focuses specifically on security regardless of whether
>> it makes coding easier or more difficult. In other words,
>>
>> Regarding Dialyzer, I'm not sure that Dialyzer would call out
>> something that is syntactically correct but inadvisable, as it
>> introduces risk to the information. It is syntactically correct to
>> receive input without any input validation (this would not throw an
>> error in the application); however, would Dialyzer provide an alert
>> that input validation was not present (just a for instance)?
>>
>> Thanks again,
>> Eric Svetcov
>>
>> On 01.03.2019 10:30, Juan Martín Guillén wrote:
>>> Hi Eric,
>>>
>>> I am sure you would find these links useful:
>>>
>>> https://github.com/inaka/erlang_guidelines
>>>
>>> http://erlang.org/doc/man/dialyzer.html
>>>
>>> Juan Martín.
>>>
>>> On Friday, 1 March 2019 13:13:03 ART, eric@REDACTED
>>> <eric@REDACTED> wrote:
>>>
>>> I reviewed the docs page on the Erlang site
>>> (http://www.erlang.org/docs) and searched elsewhere and cannot find a
>>> secure coding guide (yes, I did find some secure coding
>>> recommendations - like "do not program defensively" -
>>> http://www.erlang.se/doc/programming_rules.shtml#HDR11 [1], but didn't
>>> find the advice compelling). So, does a secure coding guide exist and
>>> if so, could I get a copy of it? If one does not exist, is there
>>> something in development and when will it be available?
>>>
>>> Also, does anyone know if there is any type of static code assessment
>>> tool that exists to test for or verify adherence to the secure coding
>>> guide practices (again, presuming one exists)?
>>>
>>> Thanks for your help.
>>>
>>> Eric
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>> Links:
>>> ------
>>> [1] http://www.erlang.se/doc/programming_rules.shtml#HDR11
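To make the Dialyzer point in the quoted exchange concrete, here is an added Erlang example; it is not code from the thread or from any project linked in it, and the module name, the function names and the port-number scenario are constructed for illustration. Both functions carry specs that Dialyzer accepts: its success typings reason about types, so a binary() going in and an integer() coming out is all it sees, and the missing range check in set_port_unchecked/1 is invisible to it. The validation has to be written, and reviewed, by hand.

```erlang
%% input_validation_example.erl
%% Constructed illustration (not from the thread): two ways to accept a
%% port number that arrived as text from an untrusted peer.
-module(input_validation_example).
-export([set_port_unchecked/1, set_port_checked/1, demo/0]).

%% Success typing: (binary()) -> integer(). Dialyzer is satisfied because
%% the spec and the body agree on the types. Nothing tells it that 0, -1
%% or 70000 are not ports, so the absent range check raises no warning.
-spec set_port_unchecked(binary()) -> integer().
set_port_unchecked(Bin) ->
    binary_to_integer(Bin).

%% Same input type, but the value is checked where it enters the system:
%% length-bounded, numeric, and within the TCP port range. The spec's
%% 1..65535 documents the intent; the guards enforce it.
-spec set_port_checked(binary()) -> {ok, 1..65535} | {error, term()}.
set_port_checked(Bin) when is_binary(Bin), byte_size(Bin) =< 5 ->
    try binary_to_integer(Bin) of
        N when N >= 1, N =< 65535 -> {ok, N};
        N -> {error, {out_of_range, N}}
    catch
        error:badarg -> {error, not_an_integer}
    end;
set_port_checked(_) ->
    {error, bad_input}.

%% Runs the checked variant over constructed inputs and returns the
%% {Input, Result} pairs, e.g. from the shell:
%%   input_validation_example:demo().
demo() ->
    Inputs = [<<"8080">>, <<"70000">>, <<"-1">>, <<"abc">>, <<"123456">>],
    [{In, set_port_checked(In)} || In <- Inputs].
```

The programming rule linked in the thread ("do not program defensively") concerns the interior of a system: data is checked once, where it enters, and assumed correct thereafter. set_port_checked/1 is that entry-point check; the rule does not remove it from the boundary. Dialyzer reports type contradictions, not absent checks, so confirming that input validation exists at each trust boundary remains a review step rather than something the tool will flag.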
