“Secure coding practices can help reduce vulnerabilities in software projects by steering programmers away from dangerous functions or patterns, and towards more robust alternatives. Deployment hardening is the process of reducing the attack surface of a production environment, e.g. by removing unused components and revising unsafe configurations.”
I am still surprised that a CVE was not open by the author of that talks due to the :httpc module dangerous defaults of ignoring https certificates. We need to explicitly tell to check for them.
If I am not in mistake this vulnerability is not fixed yet, or is it?
Unfortunately this has been the documented behaviour of :ssl (and, by extension, :httpc) all along, so the OTP team does not consider this a vulnerability. It is important that everyone is aware of it, and I would highly recommend adding test cases to verify that connections fail when they should (e.g. using https://badssl.com) to any application that includes some sort of TLS client.
The fact that a CA trust store is not included is no real excuse for not setting {:verify, :verify_peer}. Ideally that would be the default, which would cause TLS clients to fail unless the caller passed in the :cacertfile/:cacerts option or explicitly disabled verification with {:verify, :verify_none}.
Well, I don’t get the value of using ssl when it it ignores SSL ceriticates, does from my point of view it’s a security vulnerability, despite being documented that the module doesn’t do what it’s name implies it does.
Announcement of the EEF Security Group’s Secure Coding and Deployment Hardening Guidelines at CodeBEAM SF 2020:
(That’s the full video, including the introductory 10 mins that were missing from a previous version)
This talk provides some background on where secure coding practices fit in a secure software development life cycle (SSDLC), and highlights some of the recommendations from the document.
I noticed the Installing section suggests using -g flag for compiling Erlang. I would imagine omitting debug symbols should generally increase security or be neutral, but definitely not increase it. What is the reasoning behind this recommendation?
Ah, that was not intentional, thanks for pointing it out. We just wanted to illustrate how the hardening flags need to be added to other flags the user might want to set. There is some more copy & paste weirdness going there.