Mix.install([
{:grading_client, path: "#{__DIR__}/grading_client"},
:sobelow
])
:okJust like there's more to making software than just writing code, there's more to securing software than just reviewing code.
Part of the development lifecycle includes deploying code and it is here that we can institute automated tooling and tests to assist in the detection of insecurities and potentially prevent vulnerabilities from reach production whatsoever!
This module will cover over some of the automated processes you may see in a CI/CD pipeline and how they work at a high level. Important to note is most of these tools can be run in a number of different ways - meaning they don't have to be run in the CI/CD pipeline and instead can be run locally.
Sobelow is the de facto king of detecting Elixir Phoenix vulnerabilities.
Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in Module 5 - Elixir Security.
Install Sobelow and add it to your application dependencies or install it by following the instructions https://hexdocs.pm/sobelow/readme.html
Scan your project by running the following at a terminal in your project's root directory
$ mix sobelow
As a vulnerability scanner, there are multiple categories of vulnerabilities sobelow is capable of discovering and reporting on.
For instance, there are a number of security issues published on the Common Weakness Enumeration (CWE) site - CWE's and on OWASP Top 10 OWASP Top 10.
Scanning tools like Sobelow identify code patterns that match these issues and report them back to developers/users.
Let's say you are interested finding in places in your application that may be susceptible to injection attacks.
There are several types of injection. Referring to the CWE list, we see #17 CWE-77 for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the OWASP Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of security issues.
Injection vulnerabilities are places in an application where a malicious actor can send commands, queries, and other input that gets processed and executed as code. Injection attacks can trigger the application into performing an unauthorized action or exposing sensitive data.
Sobelow.CI
Sobelow.CI.OS
Sobelow.CI.System
Reference: https://docs.guardrails.io/docs/vulnerabilities/elixir/insecure_use_of_dangerous_function
Refer to Sobelow's README for the simplest instructions on how to use it.
Salus is a Static Application Security Testing (SAST) orchestration tool - developed by the Security team over at Coinbase. Under the hood it is a Ruby program that determines the language of what codebase it is attempting to run on and will selectively run other open source SAST tools for that language.
There is currently an PR in progress for integrating Sobelow into Salus.
Using a tool like Salus to deploy in your pipelines rather than just plain Sobelow is handy for those other lingering projects in your environment that have yet to migrate over fully to Elixir - as we should aim to support all projects equally from a security perspective.
Refer to Salus's README for the simplest instructions on how to use it.
Semgrep is an amazingly powerful semantic code analysis tool. It uses Abstract Syntax Trees to break down 20+ languages into common ground so that it may apply both language agnostic and language specific rulesets on your code.
Those rulesets can be rapidly spun up and shared with a community at large since they are simply YAML files.
It wasn't until very recently that Podium collaborated with r2c (the maintainers of Semgrep) to get experimental Elixir support into Semgrep. It is very much early days and there are no current publicly available rulesets available - but there is concerted effort to rapidly increase support and have it be another tool in the arsenal for CI/CD security for Elixir.
Semgrep is extra special in that it can be used in a plethora of different ways. Since we are in a module specifically about CI/CD tooling, it is obvious that it can be implemented in a way that it will rule high confident rules as blocking if failing, informational / low-confident rules as warning, and also run silently reporting to some external source.
What makes Semgrep's usage so powerful is that same set of rules can run passively in the background as part of your IDE - ensuring that if you have no errors in your IDE, you won't run into any errors when you go to merge your code and it hits the CI/CD checks.
<- Previous Module: Security Anti-Patterns || Next Module: The Secure Road ->