148: Security Scanning our Apps with Sobelow
We go deeper on the Sobelow library, a security-focused static analysis tool for Elixir and Phoenix apps. We talk with Griffin Byatt, the creator, and Holden Oullette, the new maintainer. We learn how and why the project was created, how it works, what it can and can't do, and how to use it in CI pipelines for continuous scanning. Sobelow is a cornerstone project in the community that checks a critical box for certification requirements, which means we get to use Elixir when it might otherwise be a hard sell. Join us as we learn more about the project and the people behind it!

Show Notes online - http://podcast.thinkingelixir.com/148

Elixir Community News
https://news.livebook.dev/hubs-and-secret-management---launch-week-1---day-3-3tMaJ2 – Livebook Launch Week - Day 3 - Hubs, secrets, teams, authentication
https://news.livebook.dev/build-and-deploy-a-whisper-chat-app-to-hugging-face-in-15-minutes---launch-week-1---day-4-wYM0w – Livebook Launch Week - Day 4 - What is deploying apps to HuggingFace?
https://news.livebook.dev/data-wrangling-in-elixir-with-explorer-the-power-of-rust-the-elegance-of-r---launch-week-1---day-5-1xqwCI – Livebook Launch Week - Day 5 - Data wrangling in Elixir with Explorer
https://github.com/elixir-nx – The Nx GitHub organization page was set up
https://twitter.com/sorentwo/status/1646493981591625732 – Oban update 2.15.0
https://github.com/sorentwo/oban/releases/tag/v2.15.0 – Oban release notes
https://twitter.com/osterbergmarcus/status/1646833341881016323 – Tweet asking about bulk stream inserts
https://twitter.com/elixirphoenix/status/1646913447030865921 – Phoenix response says the bulk insert is in main now.
https://hexdocs.pm/ecto/Ecto.Changeset.html#cast_assoc/3-sorting-and-deleting-from-many-collections – Ecto's "Sorting and deleting from -many collections"
https://twitter.com/iteamon/status/1648310734479130627 – Dry run implementation by Tymon Tobolski
https://twitter.com/theerlef/status/1646211583172034563 – ElixirConf EU keynote to look forward to

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources
https://twitter.com/paraxialio/status/1641242283134660616
https://github.com/nccgroup/sobelow
https://github.com/nccgroup/sobelow/releases/tag/v0.12.2 – recent release
https://github.com/podium/elixir-secure-coding
https://www.podium.com/
https://podcast.thinkingelixir.com/122 – Securing Elixir and Teaching the Team, interview with Holden
https://www.crowdstrike.com/cybersecurity-101/shift-left-security/ – Shift left
https://www.nccgroup.com/us/
https://github.com/ExHammer/hammer
SAST - Static Application Security Testing
IAST - Interactive Application Security Testing

Guest Information
https://twitter.com/HoldenOullette – Holden on Twitter
https://github.com/houllette/ – Holden on Github
https://oullette.xyz/ – Holden's Blog
https://twitter.com/griffinbyatt – Griffin on Twitter
https://github.com/GriffinMB/ – Griffin on Github
https://griffinbyatt.com/ – Griffin's page

Find us online
Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

Sponsored By: Fly.io: Fly.io is a great place to deploy your next Phoenix application! Check them out!