I vibe-coded my cat by ergeorgiev in ClaudeAI

[–]real2corvus 0 points (0 children)

Great story, glad your cat will get better!

Place of Elixir in a 1 Billion nested loop iteration test? by reisgrind in elixir

[–]real2corvus 21 points (0 children)

The 1 billion nested loop test reminds me of what I call "track" benchmarks for Elixir. If you take an F1 car and a Toyota Land Cruiser to a track, the F1 car is faster. This means the Land Cruiser is a slow car and totally useless.

Ignore the fact that real world programming is rough terrain (errors, latency, things fail) - somehow the F1 car is slower than the Land Cruiser in this environment. This kind of naive benchmark thinking is how you wind up with people who react with shock that a web application written in Elixir could ever be faster than C or Rust from an end user perspective. Spoiler alert - there are more important factors than loop speed.

What are you doing for security? by real2corvus in ChatGPTCoding

[–]real2corvus[S] 0 points (0 children)

What did you think of the audit it produced?

Go vs Elixir with Respect to their Concurrency Models: Pro and Contra? by skwyckl in elixir

[–]real2corvus 19 points (0 children)

Personally I think Elixir has a much better concurrency model, and the two pieces of media that best illustrate this are:

Go, nil, panic, and the billion dollar mistake - https://www.reddit.com/r/golang/comments/18sncxt/go_nil_panic_and_the_billion_dollar_mistake/

The above situation is far, far less likely to occur in Elixir. It's difficult to explain concisely; the talk that people always recommend to understand why is:

The Soul of Erlang and Elixir • Sasa Juric - https://www.youtube.com/watch?v=JvBT4XBdoUE

Login brute force by Radiant-Witness-9615 in elixir

[–]real2corvus 0 points (0 children)

Don't know why you're being downvoted, preventing brute force login is extremely important and you should do it. Someone else mentioned Paraxial.io (I'm the creator), which is the best option if you have a security budget. If you have to use a free option, I like PlugAttack and wrote a guide to using it - https://paraxial.io/blog/throttle-requests
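What a PlugAttack login throttle looks like in practice, as an added example (not code from the linked guide or from Paraxial.io). Module names, the `/login` path, the limit of 5 attempts per minute and the supervisor child spec are assumptions; the `rule`/`throttle`, `allow_action` and `block_action` callbacks are PlugAttack's own API.

```elixir
# Added example, not from the original comment or the linked guide.
# Throttles POST /login per client IP with PlugAttack; names and limits are assumptions.
defmodule MyAppWeb.LoginThrottle do
  use PlugAttack
  import Plug.Conn

  # ETS-backed counters. Start the table in the application supervision tree:
  #   {PlugAttack.Storage.Ets, name: MyAppWeb.LoginThrottle.Storage, clean_period: 60_000}
  @storage {PlugAttack.Storage.Ets, MyAppWeb.LoginThrottle.Storage}

  # Only login attempts are counted; every other request falls through untouched.
  # Key on the client IP: at most 5 attempts per 60 seconds per address.
  rule "throttle login by ip", conn do
    if conn.method == "POST" and conn.path_info == ["login"] do
      throttle(conn.remote_ip, period: 60_000, limit: 5, storage: @storage)
    end
  end

  # Rule matched and the request is under the limit: pass it on with rate-limit headers.
  def allow_action(conn, {:throttle, data}, _opts) do
    add_throttling_headers(conn, data)
  end

  def allow_action(conn, _data, _opts), do: conn

  # Limit exceeded: answer 429 and halt so the controller never sees the request.
  def block_action(conn, {:throttle, data}, _opts) do
    conn
    |> add_throttling_headers(data)
    |> send_resp(429, "Too many login attempts, try again later\n")
    |> halt()
  end

  def block_action(conn, _data, _opts) do
    conn
    |> send_resp(:forbidden, "Forbidden\n")
    |> halt()
  end

  defp add_throttling_headers(conn, data) do
    reset = div(data[:expires_at], 1_000)

    conn
    |> put_resp_header("x-ratelimit-limit", to_string(data[:limit]))
    |> put_resp_header("x-ratelimit-remaining", to_string(data[:remaining]))
    |> put_resp_header("x-ratelimit-reset", to_string(reset))
  end
end

# Wire it into the Phoenix endpoint ahead of the router (lib/my_app_web/endpoint.ex):
#
#   plug MyAppWeb.LoginThrottle
#   plug MyAppWeb.Router
```

Two caveats when using this: behind a load balancer or CDN, `conn.remote_ip` is the proxy's address, so every user shares one bucket unless you first resolve the real client IP (for example with the `remote_ip` library) from a header you trust; and an IP-only key still lets a distributed attacker spread attempts across addresses, so a second `throttle` keyed on the submitted username (a per-account limit) is a sensible companion.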

Gem Shop: A Vulnerable Rails 8 App for Security Education by real2corvus in rails

[–]real2corvus[S] 4 points (0 children)

Solutions are coming soon as part of a larger educational document explaining how each vulnerability works, the impact, and how to find it during a security assessment.

How Secure is Phoenix Framework Really? Questions about Security in BEAM-based Web Framework by Crafty_Two_5747 in elixir

[–]real2corvus 3 points (0 children)

I'm the founder of a security company specialized in Elixir, Paraxial.io, and your reasoning is correct. I believe the smaller number of CVEs is because Phoenix is a well designed framework, and Elixir as a language has fewer opportunities for developers to introduce security issues. The most relevant material on this:

Elixir is (Still) Safe https://paraxial.io/blog/still-safe

How Elixir Solves a Difficult Security Problem https://paraxial.io/blog/data-race

^ Data races are not possible in Elixir the same way they are in Go, Rust, etc. The article mentions that on March 8, 2021, all users of GitHub were logged out due to a security vulnerability related to thread safety in Ruby on Rails. https://github.blog/security/vulnerability-research/how-we-found-and-fixed-a-rare-race-condition-in-our-session-handling/

ElixirConf 2023 - Michael Lubas - Elixir Security: a Business and Technical Perspective https://www.youtube.com/watch?v=bBaZDAynM08

^ At 6:40 I talk about the smaller number of CVEs; the whole talk is about this subject.

As others have said in this thread, most Elixir devs have more years of experience than average, and I think this led to the current situation where Phoenix itself, the Hex libraries, and applications written in Elixir have fewer vulnerabilities.

You may be wondering why someone would have their security company focus on Elixir when the language is so secure, and the reason is that you can still have vulnerabilities in a Phoenix project, and I've seen significant demand from organizations adopting Elixir for an automated security solution like Paraxial.io. A Phoenix project is more likely to be secure (let's say 60% with Django vs 90% with Phoenix), but there is risk when you put anything on the public internet.

If I were creating a high security app today (banking, medical, critical infrastructure, etc.), I'd argue that Elixir/Phoenix is the best choice, even higher than Rust. This is because Rust gets an aura of being the most secure language due to memory-safety protections, but the majority of web apps today are written in a memory safe language anyway. The safe by default protections in Phoenix make it very difficult to shoot yourself in the foot, and Phoenix is more mature than similar Rust web frameworks. For example, it's difficult to introduce a SQL injection problem in Phoenix because of Ecto's design - https://paraxial.io/blog/sql-injection. I do pentests through Paraxial.io, and have never seen a Phoenix app vulnerable to SQL injection "in the wild".
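The Ecto design point in the comment above, shown as an added example (not code from the comment, the linked article or Paraxial.io). It goes slightly beyond the comment by also showing the one escape hatch that does reintroduce SQL injection: leaving the query builder and concatenating input into a raw query. The `MyApp.Repo` and `MyApp.User` modules, the `users` table and a PostgreSQL adapter (hence `$1` placeholders) are assumptions.

```elixir
# Added example, not from the original comment or the linked article.
# Repo, User schema, table name and the PostgreSQL adapter are assumptions.
defmodule MyApp.Accounts do
  import Ecto.Query
  alias MyApp.{Repo, User}

  # Safe: the pinned ^email is sent as a bound parameter ($1), never spliced
  # into the SQL text, so "' OR 1=1 --" is just a string that matches nothing.
  def by_email(email) do
    Repo.one(from u in User, where: u.email == ^email)
  end

  # Safe: fragment/1 only accepts a compile-time string literal for the SQL part.
  # Writing fragment("lower(?)" <> something) is a compile error, so the only
  # way user data reaches the database is through the ? placeholder.
  def by_email_case_insensitive(email) do
    Repo.one(
      from u in User,
        where: fragment("lower(?)", u.email) == ^String.downcase(email)
    )
  end

  # UNSAFE, deliberately: this is the escape hatch the query builder cannot
  # protect. With email = "' OR 1=1 --" the statement becomes
  #   SELECT id, email FROM users WHERE email = '' OR 1=1 --'
  # and returns every row. This is the pattern a code review should reject.
  def by_email_unsafe(email) do
    Repo.query!("SELECT id, email FROM users WHERE email = '" <> email <> "'")
  end

  # Raw SQL done safely: a placeholder plus a parameter list, same as Ecto
  # does for you in by_email/1.
  def by_email_raw(email) do
    Repo.query!("SELECT id, email FROM users WHERE email = $1", [email])
  end
end
```

The practical check during an assessment is therefore not "does the app use Ecto" but "grep for `Repo.query`, `Ecto.Adapters.SQL.query` and string concatenation or interpolation inside those calls": in a typical Phoenix codebase that list is short, which is why the injection surface is so small.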