How can I do a security audit of my Elixir code base? I have used Sobelow static analysis. What are different penetration testing tools for Elixir, if any? How can I improve security for my Elixir application?
I work for Paraxial.io, and one of the services we offer is pentesting specifically for Elixir/Phoenix. Our methodology is black and white box, meaning I read the source code for customers to understand how the application works, and test it to find vulnerabilities. Using Sobelow is a great first step; however, there is no pentesting tool specific to Elixir.
If you would like to learn how to do security assessments for Elixir, I’m also the author of Potion Shop, which is a vulnerable Elixir application to teach security - GitHub - securityelixir/potion_shop: A vulnerable Elixir and Phoenix application for learning web security.
At the risk of too many self plugs, I also did a talk recently about learning Elixir security, which is up on YouTube now - Elixir Security - Michael Lubas - Elixir Meetup #18.
Here are the links from the slides:
- EEF Guidelines - Secure Coding and Deployment Hardening Guidelines | EEF Security WG
- Bram Verburg’s Blog - https://blog.voltone.net/
- Griffin Byatt’s Blog - https://gmb.is/
- Paraxial.io Blog - Elixir and Phoenix Application Security Platform
- Potion Shop - Security Elixir (securityelixir) on GitHub
- Sobelow - GitHub - nccgroup/sobelow: Security-focused static analysis for the Phoenix Framework
- Elixir Secure Coding Training - GitHub - podium/elixir-secure-coding: An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir
Wow! Awesome and really interesting compilation. I can’t wait to read, learn and apply.
Thank you very much, @realcorvus!