April 25, 2023

148: Security Scanning our Apps with Sobelow

56 minutes

We go deeper on the Sobelow library, a security-focused static analysis tool for Elixir and Phoenix apps. We talk with Griffin Byatt, the creator, and Holden Oullette, the new maintainer. We learn how and why the project was created, how it works, what it can and can't do, and how to use it in CI pipelines for continuous scanning. Sobelow is a cornerstone project in the community that checks a critical box for certification requirements which means we get to use Elixir when it might otherwise be a hard sell. Join us as we learn more about the project and the people behind it!

Show Notes online - http://podcast.thinkingelixir.com/148

Elixir Community News

https://news.livebook.dev/hubs-and-secret-management---launch-week-1---day-3-3tMaJ2 – Livebook Launch Week - Day 3 - Hubs, secrets, teams, authentication

https://news.livebook.dev/build-and-deploy-a-whisper-chat-app-to-hugging-face-in-15-minutes---launch-week-1---day-4-wYM0w – Livebook Launch Week - Day 4 - What is deploying apps to HuggingFace?

https://news.livebook.dev/data-wrangling-in-elixir-with-explorer-the-power-of-rust-the-elegance-of-r---launch-week-1---day-5-1xqwCI – Livebook Launch Week - Day 5 - Data wrangling in Elixir with https://news.livebook.dev/data-wrangling-in-elixir-with-explorer-the-power-of-rust-the-elegance-of-r---launch-week-1---day-5-1xqwCI

https://github.com/elixir-nx – The Nx GitHub organization page was set up

https://twitter.com/sorentwo/status/1646493981591625732 – Oban update 2.15.0

https://github.com/sorentwo/oban/releases/tag/v2.15.0 – Oban release notes

https://twitter.com/osterbergmarcus/status/1646833341881016323 – Tweet asking about bulk steam inserts

https://twitter.com/elixirphoenix/status/1646913447030865921 – Phoenix response says the bulk insert is in main now.

https://hexdocs.pm/ecto/Ecto.Changeset.html#cast_assoc/3-sorting-and-deleting-from-many-collections – Ecto's Sorting and deleting from -many collections

https://twitter.com/iteamon/status/1648310734479130627 – Dry run implementation by Tymon Tobolski

https://twitter.com/theerlef/status/1646211583172034563 – ElixirConf EU keynote to look forward to

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at [email protected]

Discussion Resources

https://twitter.com/paraxialio/status/1641242283134660616

https://github.com/nccgroup/sobelow

https://github.com/nccgroup/sobelow/releases/tag/v0.12.2 – recent release

https://github.com/podium/elixir-secure-coding

https://www.podium.com/

https://podcast.thinkingelixir.com/122 – Securing Elixir and Teaching the Team interview with Holden

https://www.crowdstrike.com/cybersecurity-101/shift-left-security/ – Shift left

https://www.nccgroup.com/us/

https://github.com/podium/elixir-secure-coding

https://github.com/ExHammer/hammer

SAST - Static Application Security Testing

IAST - Interactive Application Security Testing

Guest Information

https://twitter.com/HoldenOullette – Holden on Twitter

https://github.com/houllette/ – Holden on Github

https://oullette.xyz/ – Holden's Blog

https://twitter.com/griffinbyatt – Griffin on Twitter

https://github.com/GriffinMB/ – Griffin on Github

https://griffinbyatt.com/ – Griffin's page

Find us online

Message the show - @ThinkingElixir

Message the show on Fediverse - @[email protected]

Email the show - [email protected]

Mark Ericksen - @brainlid

Mark Ericksen on Fediverse - @[email protected]

David Bernheisel - @bernheisel

David Bernheisel on Fediverse - @[email protected]

Cade Ward - @cadebward

Cade Ward on Fediverse - @[email protected]