Security Improvements for BEAM Using Static Analysis

Source: youtube.com

Type: Video

Melinda Tóth and Dániel Horpácsi present a detailed discussion about leveraging static analysis for enhancing security in Erlang and Elixir projects. They emphasize the principle of 'let it crash' but point out that not all input validation can be ignored. Drawing on the 2020 Erlang Ecosystem Foundation's secure coding principles, the speakers demonstrate how static analysis can detect and mitigate critical security vulnerabilities in both new and legacy Erlang codebases. Specific vulnerabilities like atom creation issues and injection attacks are highlighted, along with real-world examples from widely used open-source projects. They also discuss the intricacies of data-flow analysis and how it can be used to improve code security by identifying unsafe practices. Additionally, the talk outlines the ongoing work to extend these tools for Elixir.

© HashMerge 2024