voltone
Secure Coding and Deployment Hardening Guidelines
The EEF’s Security WG has released the first public draft of the Secure Coding and Deployment Hardening Guidelines for BEAM languages.
“Secure coding practices can help reduce vulnerabilities in software projects by steering programmers away from dangerous functions or patterns, and towards more robust alternatives. Deployment hardening is the process of reducing the attack surface of a production environment, e.g. by removing unused components and revising unsafe configurations.”
We welcome feedback and suggestions through the group’s GitHub repo.
voltone
Unfortunately this has been the documented behaviour of :ssl (and, by extension, :httpc) all along, so the OTP team does not consider this a vulnerability. It is important that everyone is aware of it, and I would highly recommend adding test cases to verify that connections fail when they should (e.g. using https://badssl.com) to any application that includes some sort of TLS client.
The fact that a CA trust store is not included is no real excuse for not setting {:verify, :verify_peer}. Ideally that would be the default, which would cause TLS clients to fail unless the caller passed in the :cacertfile/:cacerts option or explicitly disabled verification with {:verify, :verify_none}.
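An added example, not from the EEF guidelines or from the post above, showing the unverified default the post warns about beside a hardened :httpc/:ssl configuration, plus the badssl.com check it recommends; the trust store path and the badssl.com subdomains are assumptions.

```elixir
# Added example (not the guidelines' or the poster's code). On the OTP
# releases this thread discusses, :ssl (and so :httpc) falls back to
# {verify, verify_none} unless told otherwise.
defmodule TlsClientHardening do
  # Assumed trust store path (Debian/Ubuntu ca-certificates); on OTP 25+
  # `cacerts: :public_key.cacerts_get()` can replace the file.
  @cacertfile ~c"/etc/ssl/certs/ca-certificates.crt"

  # Weak: no :verify option, so expired, self-signed and wrong-host
  # certificates are all accepted without error.
  def weak_ssl_opts, do: []

  # Hardened: verify the chain against a trust store, enforce hostname
  # matching with the HTTPS wildcard rules, and cap the chain depth.
  def hardened_ssl_opts(cacertfile \\ @cacertfile) do
    [
      verify: :verify_peer,
      cacertfile: cacertfile,
      depth: 3,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  def get(url, ssl_opts) when is_binary(url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)
    :httpc.request(:get, {String.to_charlist(url), []}, [ssl: ssl_opts], [])
  end

  # The check the post recommends: the good endpoint must connect and the
  # known-bad badssl.com endpoints (assumed from its public test suite)
  # must be rejected. Returns :ok or {:error, urls_that_misbehaved}.
  def verify_with_badssl(ssl_opts \\ hardened_ssl_opts()) do
    must_pass = ["https://badssl.com/"]
    must_fail = [
      "https://expired.badssl.com/",
      "https://self-signed.badssl.com/",
      "https://wrong.host.badssl.com/"
    ]

    failures =
      Enum.filter(must_pass, &(not match?({:ok, _}, get(&1, ssl_opts)))) ++
        Enum.filter(must_fail, &match?({:ok, _}, get(&1, ssl_opts)))

    if failures == [], do: :ok, else: {:error, failures}
  end
end
```

Running `TlsClientHardening.verify_with_badssl(TlsClientHardening.weak_ssl_opts())` reports every bad host as accepted, while the hardened options return `:ok`; the same check belongs in the test suite of any application with a TLS client.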
Exadra37
Congrats on what seems to be excellent work, judging by the quick look I took.

LostKobrakai
I found this to be a good primer on secure ssl/httpc usage:
Maybe this would be a good resource to link to?