Security Working Group Minutes

Erlang Ecosystem Foundation EEF Security

voltone April 4, 2024, 1:52pm 2

April 3, 2024

Participants: Holden Oullette, @maennchen, @max-au, Paul Swartz, @peerst, @voltone

Bandit

Ongoing (Holden)
Try to add to automated test suite for web servers
Code review of three handlers (HTTP 2.0, HTTP 1.1 and Websocket)

GitHub org 2FA

Needs some preparation, to avoid locking out users without 2FA
Send out email, and heads-up in Slack (@max-au)

OCSP stapling client

Several issues identified, reported: OCSP stapling interop issues · Issue #8242 · erlang/otp · GitHub

OIDC client

Erlang Solutions audit:
- Atom exhaustion vulnerability
- Further analysis ongoing
FAPI 2.0 Security Profile certification still pending

Positioning Erlang ecosystem as “secure”

See Whitehouse paper on memory safe languages
Counter FUD
Collaborate on a doc, targeting blog post or white paper
- To be shared with Marketing WG for distribution

Supply chain, SBoM of OTP

EU funded project (@peerst)
SBoM tooling upgrades

Meeting notes

Should be publish to Erlang Forums

Next meeting

2nd May 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST

5 Likes

Builtin support for node auto connection, reconnection and maybe DNS discovery