Secure Coding and Deployment Hardening Guidelines

voltone · March 2, 2020, 7:05pm

The EEF’s Security WG has released the first public draft of the Secure Coding and Deployment Hardening Guidelines for BEAM languages.

“Secure coding practices can help reduce vulnerabilities in software projects by steering programmers away from dangerous functions or patterns, and towards more robust alternatives. Deployment hardening is the process of reducing the attack surface of a production environment, e.g. by removing unused components and revising unsafe configurations.”

We welcome feedback and suggestions through the group’s GitHub repo.

Exadra37 · March 2, 2020, 7:19pm

Congrats on what seems to be an excellent work, just by the quick lookup I made

pmangalakader · March 3, 2020, 5:17am

Fantastic!! The community never ceases to amaze me! Congrats to everyone who had played a role in this!

LostKobrakai · March 3, 2020, 9:19am

I found this to be a good primer on secure ssl/httpc usage:

Maybe this would be a good resource to link to?

Exadra37 · March 3, 2020, 10:22am

I am still surprised that a CVE was not open by the author of that talks due to the :httpc module dangerous defaults of ignoring https certificates. We need to explicitly tell to check for them.

If I am not in mistake this vulnerability is not fixed yet, or is it?

LostKobrakai · March 3, 2020, 10:40am

I’m not sure this is the topic to discuss if unsafe defaults due to not shipping certificates with erlang is a security vulnerability or not.

amnu3387 · March 3, 2020, 12:48pm

Haven’t read it all yet, but I think the idea of compiling these guidelines/hints is great.

amnu3387 · March 3, 2020, 2:08pm

typo on the 2nd last paragraph amaounts

voltone · March 9, 2020, 4:34pm

Unfortunately this has been the documented behaviour of :ssl (and, by extension, :httpc) all along, so the OTP team does not consider this a vulnerability. It is important that everyone is aware of it, and I would highly recommend adding test cases to verify that connections fail when they should (e.g. using https://badssl.com) to any application that includes some sort of TLS client.

The fact that a CA trust store is not included is no real excuse for not setting {:verify, :verify_peer}. Ideally that would be the default, which would cause TLS clients to fail unless the caller passed in the :cacertfile/:cacerts option or explicitly disabled verification with {:verify, :verify_none}.

Exadra37 · March 14, 2020, 6:25pm

Well, I don’t get the value of using ssl when it it ignores SSL ceriticates, does from my point of view it’s a security vulnerability, despite being documented that the module doesn’t do what it’s name implies it does.

voltone · May 10, 2020, 5:52am

Announcement of the EEF Security Group’s Secure Coding and Deployment Hardening Guidelines at CodeBEAM SF 2020:

(That’s the full video, including the introductory 10 mins that were missing from a previous version)

This talk provides some background on where secure coding practices fit in a secure software development life cycle (SSDLC), and highlights some of the recommendations from the document.

michalmuskala · May 10, 2020, 7:48pm

I noticed the Installing section suggests using -g flag for compiling Erlang. I would imagine omitting debug symbols should generally increase security or be neutral, but definitely not increase it. What is the reasoning behind this recommendation?

voltone · May 11, 2020, 5:36am

Ah, that was not intentional, thanks for pointing it out. We just wanted to illustrate how the hardening flags need to be added to other flags the user might want to set. There is some more copy & paste weirdness going there.

How’s this: https://github.com/erlef/security-wg/pull/15 ?

michalmuskala · May 11, 2020, 7:02pm

Looks good, thanks!