Resources
Tools
Static analysis:
- Dialyzer - DIscrepancy AnaLYZer for ERlang programs, using the concept of success typings
- Sobelow - Security-focused static analysis for the Phoenix Framework
- Credo - A static code analysis tool for the Elixir language with a focus on code consistency and teaching
Documentation
Anti-patterns in Elixir
The Elixir documentation includes a section on anti-patterns: common mistakes or indicators of potential problems in code. The unintended behaviours caused by such mistakes or problems may lead to vulnerabilities. Getting familiar with these anti-patterns and learning to avoid them can help produce cleaner code, fewer bugs, fewer surprises and therefore fewer vulnerabilities.
For instance, the Non-assertive truthiness anti-pattern (using &&, || or ! on values that are not booleans, so that every value other than nil and false counts as true) can lead to logic errors in authentication or authorization checks: a flag that arrives in an unexpected shape is silently treated as a decision instead of raising an error.
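As an added example (not code from these guidelines or from the Elixir documentation), the module below shows an authorization check written with the non-assertive truthiness anti-pattern next to an assertive rewrite. The user and resource maps and their key names are assumptions made for the illustration; in an application they would be a session or user struct and a database record.

```elixir
# Added example, not code from the guidelines or the Elixir docs. `user` and
# `resource` are hypothetical maps; their keys are assumptions for this demo.
defmodule AuthzExample do
  # Anti-pattern: `||` accepts any term on either side. Every value except nil
  # and false is truthy, so an admin flag that arrives as the string "false"
  # (a mis-decoded token claim, a query parameter) grants access instead of
  # surfacing the bug. The result is also not a boolean, so a caller that
  # later compares it with `== true` gets yet another surprise.
  def can_delete_unsafe?(user, resource) do
    user[:admin] || user[:id] == resource[:owner_id]
  end

  # Assertive rewrite. Pattern matching on the keys the decision depends on
  # turns a missing key into a FunctionClauseError instead of a silent nil,
  # and `or` raises BadBooleanError unless its left operand is true or false,
  # so a malformed flag fails closed (an error) rather than open (a grant).
  def can_delete?(%{admin: admin, id: id}, %{owner_id: owner_id}) do
    admin or id == owner_id
  end

  # Runs both checks against a user whose admin claim is the string "false".
  def demo do
    user = %{id: 42, admin: "false"}
    resource = %{owner_id: 7}

    # Non-assertive: `||` short-circuits on the truthy string and hands it back,
    # so an `if` wrapped around this call would allow the deletion.
    IO.inspect(can_delete_unsafe?(user, resource), label: "non-assertive")

    # Assertive: `or` rejects the string before any decision is made. The
    # rescue is only here to keep the demo running; in an application the
    # error should propagate to a boundary that turns it into a denial.
    try do
      IO.inspect(can_delete?(user, resource), label: "assertive")
    rescue
      e in BadBooleanError -> IO.puts("assertive: raised #{Exception.message(e)}")
    end
  end
end

AuthzExample.demo()
```

Save it as an .exs file and run it with elixir. The same comparison applies to && versus and, and ! versus not: the strict operators make the check fail loudly when an upstream layer hands it something other than a boolean, which is the behaviour wanted in authentication and authorization code.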
Other documentation
Web development, e.g. with Cowboy, Plug and/or Phoenix:
- OWASP:
- Secure Coding Practices
- Cheat Sheet Series
- And more…
- The Plug HTTPS guide and the “Using SSL” section in the Phoenix Endpoint guide
Deployment:
- CIS Benchmarks:
- Operating systems
- Databases
- Reverse proxies
- Container platforms
- Cloud environments
- And more…