Resources
Tools
Static analysis:
- Dialyzer - DIscrepancy AnaLYZer for ERlang programs, using the concept of success typings
- Sobelow - Security-focused static analysis for the Phoenix Framework
- Credo - A static code analysis tool for the Elixir language with a focus on code consistency and teaching
Documentation
Anti-patterns in Elixir
The Elixir documentation includes a section on anti-patterns (https://hexdocs.pm/elixir/main/what-anti-patterns.html): common mistakes or indicators of potential problems in code. The unintended behaviours caused by such mistakes or problems may lead to vulnerabilities. Getting familiar with these anti-patterns and learning to avoid them can help produce cleaner code, fewer bugs, fewer surprises and therefore fewer vulnerabilities.
For instance, the non-assertive truthiness anti-pattern (https://hexdocs.pm/elixir/main/code-anti-patterns.html#non-assertive-truthiness) can lead to logic errors in authentication or authorization checks: `||`, `&&` and `!` accept any value, so a non-boolean that sneaks into a permission flag (for example the string `"false"`) is treated as truthy, whereas `or`, `and` and `not` raise on a non-boolean operand.
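The following is an added example, not code from the Elixir documentation or from this guide, showing how the non-assertive truthiness anti-pattern turns bad input data into a silent privilege grant in an authorization check, and the two fixes: asserting booleans with `or`, and normalising the flag at the boundary. The `AuthzExample` module, the `@user` map and the `:editor` role are constructed for illustration; the `"false"` string stands in for a flag that arrived from an external source such as a JSON body or a legacy database column.

```elixir
defmodule AuthzExample do
  # Constructed sample: a user whose `admin` flag was stored as the
  # string "false" rather than the boolean false (assumption for the example).
  @user %{id: 1, admin: "false", roles: []}

  # Anti-pattern: ||/2 accepts any value. The string "false" is truthy,
  # so `if` takes the true branch and this check grants delete access.
  def can_delete_non_assertive?(user) do
    if user.admin || :editor in user.roles, do: true, else: false
  end

  # Assertive form: or/2 requires a boolean on its left-hand side and raises
  # BadBooleanError on "false". The bad data now surfaces as a crash
  # (fail closed) instead of a silent grant.
  def can_delete_assertive?(user) do
    user.admin or :editor in user.roles
  end

  # Better still: normalise at the boundary so the rest of the code only
  # ever sees booleans. Any other value falls through to a
  # FunctionClauseError, which again fails closed rather than open.
  def normalize_user(%{admin: admin} = user) when is_boolean(admin), do: user
  def normalize_user(%{admin: "true"} = user), do: %{user | admin: true}
  def normalize_user(%{admin: "false"} = user), do: %{user | admin: false}

  # Pattern matches below act as assertions; a mismatch raises MatchError.
  def demo do
    # The non-assertive check wrongly grants access for the string "false".
    true = can_delete_non_assertive?(@user)

    # The assertive check refuses to evaluate a non-boolean flag.
    :raised_bad_boolean_error =
      try do
        can_delete_assertive?(@user)
      rescue
        BadBooleanError -> :raised_bad_boolean_error
      end

    # After normalisation the flag is a real boolean and access is denied.
    false = can_delete_assertive?(normalize_user(@user))

    :ok
  end
end

AuthzExample.demo()
```

Run it with `elixir authz_example.exs`; it exits silently on success and raises `MatchError` if any of the three checks behaves differently from what the comments describe. Dialyzer (listed under Tools above) can also flag some of these mismatches ahead of time when the flag's type is declared as `boolean()` in a `@spec` or struct typespec.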
Other documentation
Web development, e.g. with Cowboy, Plug and/or Phoenix:
- OWASP:
  - Secure Coding Practices
  - Cheat Sheet Series
  - And more…
- Plug HTTPS guide and the “Using SSL” section in Phoenix Endpoint Guide
Deployment:
- CIS Benchmarks:
  - Operating systems
  - Databases
  - Reverse proxies
  - Container platforms
  - Cloud environments
  - And more…