Elixir/Phoenix security considerations?

I’m learning Elixir and Phoenix now and really like it so far. However, I started thinking about security.

What is the history of 0day exploits for Phoenix (and Elixir) running on Bandit or Cowboy in production? Is it considered safe? Would it be a good/bad idea to introduce nginx as a reverse proxy? Are there any common pitfalls for a new developer where you can introduce weak points in your web applications?

When searching on Google, the only real thing I found was `:erlang.binary_to_term`, which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?)

I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.
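Added example (not part of the thread, and not a statement about what Phoenix does internally) illustrating the `:erlang.binary_to_term` concern raised above: decoding attacker-controlled bytes with the plain call can create arbitrary new atoms (which are never garbage collected, so the atom table fills up) and can rebuild closures, while `:erlang.binary_to_term(bin, [:safe])` rejects new atoms and `Plug.Crypto.non_executable_binary_to_term/2` additionally rejects functions. The module name `SafeDecode` and the payloads are constructed for this example; it assumes the `plug_crypto` package is available, which is true inside any Phoenix project (run with `mix run safe_decode.exs`).

```elixir
# Added example: defensive decoding of External Term Format bytes from an
# untrusted source. Assumes plug_crypto is available (it is a dependency of
# every Phoenix application).
defmodule SafeDecode do
  @doc """
  Decode bytes that came from the network, a cookie or a message queue.
  `[:safe]` makes the BEAM refuse terms that would create new atoms, and
  Plug.Crypto.non_executable_binary_to_term/2 then refuses any term that
  contains a function, so nothing callable can be smuggled in.
  """
  def decode_untrusted(binary) when is_binary(binary) do
    {:ok, Plug.Crypto.non_executable_binary_to_term(binary, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  # The unrestricted call the question refers to, kept only for comparison.
  def decode_unrestricted(binary) when is_binary(binary) do
    :erlang.binary_to_term(binary)
  end

  # Constructed payload: a SMALL_ATOM_UTF8_EXT (tag 119, 1-byte length) naming
  # an atom that does not exist in this VM. Plain decoding would create it.
  def new_atom_payload, do: <<131, 119, 21, "zz_never_created_atom">>

  # Constructed payload: a serialised closure. Plain decoding rebuilds a
  # callable fun; whether the application later invokes it is out of the
  # deserialiser's hands.
  def fun_payload, do: :erlang.term_to_binary(fn -> :executed end)

  # Constructed payload: ordinary data with string keys, no atoms, no funs.
  def benign_payload do
    :erlang.term_to_binary(%{"user" => "alice", "roles" => ["viewer"]})
  end

  def demo do
    # Accepted: {:ok, %{"roles" => ["viewer"], "user" => "alice"}}
    IO.inspect(decode_untrusted(benign_payload()), label: "benign data")
    # Rejected: {:error, :unsafe_term} (term contains a function)
    IO.inspect(decode_untrusted(fun_payload()), label: "closure")
    # Rejected: {:error, :unsafe_term} (atom does not exist, :safe refuses it)
    IO.inspect(decode_untrusted(new_atom_payload()), label: "new atom")
    # For contrast, the unrestricted call hands back something callable.
    fun = decode_unrestricted(fun_payload())
    IO.inspect(is_function(fun, 0), label: "unrestricted decode yields a fun")
  end
end

SafeDecode.demo()
```

The rule of thumb this demonstrates: only call `:erlang.binary_to_term/1` on bytes your own code produced and that were never exposed to a client, and anything else goes through the `[:safe]` plus `non_executable_binary_to_term` path, ideally behind a signature check (Plug.Crypto.MessageVerifier) so tampered payloads are dropped before decoding at all.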

You may want to check Sobelow, which is open source, and I think Paraxial is using it as a base. This is only static code analysis, of course.

3 Likes

The website of the EEF Security WG is also quite a good resource: EEF Security WG | Documentation, specifications and code from the Security Working Group of the Erlang Ecosystem Foundation

4 Likes