Contributions

Article
A weekly Elixir security summary delivered to your inbox.
Article
Today Paraxial.io 2.0 is live, delivering major improvements to help you secure your Elixir and Phoenix applications.
Article
This document is to help you prevent a data breach due to your Elixir web application being hacked. It covers strategic and technical work that is the most relevant for organizations using Elixir and Phoenix.

https://paraxial.io/roadmap
Article
A guide to using Sobelow to secure your Elixir application.
Article
Secure your Phoenix application with this new guide from the EEF.
Article
Go behind the scenes of Elixir's own PaaS
Article
What are the business benefits of Elixir?
Article
A recently published paper makes some misleading claims about Elixir security. How do they hold up?
Article
When a new vulnerability is announced, do you know exactly what is running in production? Doing this is a pretty simple one-liner, but knowing how to do it correctly is extremely important.
Article
Detect and stop hacking attempts at runtime. Exploit Guard is an open source RASP tool for Elixir, which monitors for remote code execution (RCE) attacks at runtime.
Article
Thread safety issues lead to complex and high severity security bugs. Learn how Elixir's approach to concurrency eliminates this problem.
Article
Paraxial.io now provides guidance on how to fix each Sobelow finding. This documentation is open source, to benefit the Elixir community.

Article
How to test your Elixir application's reaction to a major crash.
Article
Sobelow version 0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.
Article
Misconfiguration of the Phoenix router can lead to CSRF via a GET request to your controller action. Learn more in this article.
Article
Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF.
Event
On Tuesday, March 21, at 4pm EST, join the founder of Paraxial.io, Michael Lubas, for a live webinar on secure coding in Elixir.
Article
Holden Oullette is the new maintainer of Sobelow, and is interested in security education for Elixir developers.
Article
Did you know that Elixir functions with an arity of 2 implement the Enumerable protocol? That :erlang.binary_to_term/2 is not always safe? Learn more in this new post!
Article
How to use the Hammer library to apply rate limiting to authentication routes in Phoenix.
Article
Paraxial.io is an application security platform created for Elixir. This post details the motivation for focusing the company on Elixir.
Event
Interested in Elixir and Phoenix security? Join the founder of Paraxial.io, Michael Lubas, for a live coding stream, “Preventing SQL Injection in Ecto”, Feb 15th.
Article
Dependencies in a software project are a frequent source of security concern. The ability to detect outdated packages, and update to the latest version without breaking the project, is necessary for modern teams. In Elixir, dependencies are hosted by the Hex package manager, and managed by the Mix build tool. To better understand the ecosystem, let’s examine the different components in detail.
Article
Paraxial.io can now scan your Elixir project for vulnerabilities, and records a detailed audit trail for your regulatory and compliance needs.
Article
In Elixir, unrestricted atom creation is a denial of service vector. Learn how to find and prevent this vulnerability in your Phoenix apps!
Article
With the rise of cloud computing, attackers now have access to a large pool of IPs at low cost. Learn how attackers are bypassing IP-based rate limiting, and how Paraxial.io blocks this technique.
Article
This post covers how a CSRF attack works, and the defaults Phoenix gives you to discourage writing vulnerable code.

Article
There are a number of resources online related to Elixir and Phoenix security; however, when it comes to securing your own project, determining where to begin is a difficult task. Here are five recommendations to get started improving the security of your application.
Article
Have you had to deal with XSS vulnerabilities in an Elixir application? Walk through four different examples of vulnerable code in this blog post.

Showing the last 30 only...