173: Web App Security Best Practices and Sobelow

ThinkingElixir.com — Tue, 17 Oct 2023 04:15:00 -0600

We delve into the tricky world of cybersecurity with our guest, Michael Lubas. We touch on the widely-discussed 23andMe data breach, discussing what went wrong and how it applies to Elixir apps. A significant part of our talk is centered around the informative guide by the EEF Security Working Group called “Web Application Security Best Practices for BEAM languages.” An essential tool featured in our discussion is Sobelow, a security-focused static code analysis tool invaluable in warding off potential security breaches. We wrap up the conversation by discussing the practical application of these tools, using Paraxial.io's vulnerable-by-design “Potion Shop” app as a case study to run Sobelow and practice fixing issues. Join us for an enlightening discussion packed full of important insights!

Show Notes online - http://podcast.thinkingelixir.com/173

Elixir Community News

https://github.com/phoenixframework/phoenix_live_view/pull/2845 – Information on the upcoming LiveView that speeds up client DOM patching 5x.
https://twitter.com/chris_mccord/status/1709681327019086044 – The post to further explain the upcoming LiveView.
https://twitter.com/josevalim/status/1709841186972705033 – José Valim's clarification on how LiveView's 5x DOM patching works.
https://twitter.com/wojtekmach/status/1709675064944144605 – Teaser about a cool new Req feature by Wojtek Mach.
https://twitter.com/wojtekmach/status/1710053454217887970 – Release note for Req v0.3.12 and v0.4.4 and encouragement to upgrade.
https://twitter.com/Tangui/status/1709645048906748378 – Announcement of a new HTTP Caching library called http_cache.
http://svground.fr/blog/posts/introducing-http-cache/ – Blog post that accompanies the release of the new HTTP Caching library.
https://github.com/tanguilp/plug_http_cache – plug_http_cache - An Elixir plug that caches HTTP responses.
https://github.com/tanguilp/tesla_http_cache – tesla_http_cache - HTTP caching Tesla middleware.
https://news.livebook.dev/remote-execution-smart-cell---launch-week-2---day-1-m3dv2 – Post about Day 1 of Livebook's launch week with information on the new feature.
https://twitter.com/thmsmlr/status/1709309268183367901 – Announcement of Livebook Copilot by Thomas Millar.
https://github.com/thmsmlr/kino_copilot – kino_copilot - Livebook SmartCell that refactors code, generates SQL for data analysis, writes documentation, and generates dashboards.
https://twitter.com/hugobarauna/status/1709631824555573554 – Demonstration of Livebook voice transcription by Hugo Baraúna.
https://github.com/brainlid/langchain_demo – LangChain Demo project that includes an example of an Agent.
https://fly.io/phoenix-files/created-my-personal-ai-fitness-trainer-in-2-days/ – Blog post - Created my Personal AI Fitness Trainer in 2 Days
https://www.youtube.com/watch?v=AsfQNtoaB1M – YouTube video overview for AI Personal Fitness Trainer with demo
https://spawnfest.org/ – Information on SpawnFest, a 48-hour online software development contest.
https://codebeameurope.com/ – Information on CodeBEAM Europe event.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://www.wired.com/story/23andme-credential-stuffing-data-stolen/ – 23andMe breach
https://erlef.github.io/security-wg/web_app_security_best_practices_beam/ – Web Application Security Best Practices for BEAM languages - a guide from the EEF Security Working Group
https://paraxial.io/blog/real-sobelow – Elixir Security - Real World Sobelow
https://podcast.thinkingelixir.com/148 – Security Scanning our Apps with Sobelow
https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement – Why use Sobelow? The Equifax breach, $425 million penalty, was a remote code execution (RCE) vulnerability
https://paraxial.io/blog/elixir-rce – Understanding remote code execution (RCE) attacks in Elixir
https://paraxial.io/blog/potion-shop – Potion Shop
https://www.meetup.com/new-york-city-elixir/events/296705817/ – The NYC Elixir meetup
https://www.meetup.com/denver-erlang-elixir/ – Denver Elixir meetup

Guest Information

https://twitter.com/paraxialio – on Twitter
https://github.com/paraxialio/ – on Github
https://genserver.social/paraxial – on Fediverse
https://paraxial.io/blog/index – Blog
https://www.linkedin.com/company/paraxial-io – LinkedIn
https://www.youtube.com/@paraxial5874 – Paraxial YouTube channel

Find us online

Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

148: Security Scanning our Apps with Sobelow

ThinkingElixir.com — Tue, 25 Apr 2023 04:15:00 -0600

We go deeper on the Sobelow library, a security-focused static analysis tool for Elixir and Phoenix apps. We talk with Griffin Byatt, the creator, and Holden Oullette, the new maintainer. We learn how and why the project was created, how it works, what it can and can't do, and how to use it in CI pipelines for continuous scanning. Sobelow is a cornerstone project in the community that checks a critical box for certification requirements which means we get to use Elixir when it might otherwise be a hard sell. Join us as we learn more about the project and the people behind it!

Show Notes online - http://podcast.thinkingelixir.com/148