The State of Security in Elixir with Holden Oullette
About this Episode
Published April 30, 2026 | Duration: 41:23
In the Elixir Wizards season 15 premiere, host Charles Suggs is joined by Holden Oullette, Senior Security Software Engineer at Netflix and maintainer of Sobelow, to talk about how security is evolving in the Elixir ecosystem.
We discuss how certain features of the Elixir programming language (like functional patterns and server-side rendering) provide natural immunity against some common vulnerabilities, and what that means as the language continues to grow. Holden shares how tools like Sobelow are adapting and how new technologies like LLMs and Elixir's type system may help to strengthen security practices.
We cover supply chain risks, ecosystem-level responsibility and reputation management, and how initiatives like AEGIS are prepping the community for more widespread adoption. We wrap with practical tips for teams to be more security-minded throughout the software development lifecycle without slowing everything down.
Key topics discussed in this episode:
- How Elixir’s design influences secure-by-default development
- Security tradeoffs between server-side and client-heavy architecture
- Supply chain risks and what the ecosystem is doing to prepare
- Static analysis with tools like Sobelow and AST-based pattern matching
- Where LLMs fit into modern security workflows
- The role of Elixir’s upcoming type system in improving tooling
- Securing CI/CD pipelines and production environments
- Balancing development speed with security requirements
- Dependency management and vulnerability monitoring
- The AEGIS Initiative and ecosystem-wide security efforts
Links mentioned:
Holden’s GitHub https://github.com/houllette
Elixir Programming Language https://elixir-lang.org/
Security-focused static analysis for the Phoenix Framework https://github.com/nccgroup/sobelow
Code Security for Builders https://semgrep.dev/
Erlang Ecosystems Foundation https://erlef.org/
Phoenix Framework https://www.phoenixframework.org/
WebSockets: Phoenix.LiveView.Socket https://hexdocs.pm/phoenix_live_view/Phoenix.LiveView.Socket.html
MDN WebSockets API https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
Open Worldwide Application Security Project https://owasp.org/
Ecto https://github.com/elixir-ecto/ecto
Log4j Vulnerability https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know
React2Shell Vulnerability https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell
The Heartbleed Bug https://www.heartbleed.com/
Elixir Type System https://hexdocs.pm/elixir/main/gradual-set-theoretic-types.html
Holden Oullette “Securing the Future: A Roadmap to Making Elixir the Safest Language” ElixirConf 2024 https://youtu.be/gpvKxS6sY8Y
Aegis Initiative: Supply Chain Security & Compliance Initiative https://security.erlef.org/aegis/
OIDC Tokens https://openid.net/
Anthropic’s Claude Mythos & Cybersecurity https://red.anthropic.com/2026/mythos-preview/
Igniter Code Generation Framework https://github.com/ash-project/igniter
Elixir Wizards S13E01: Igniter Code Generation with Zach Daniel https://smartlogic.io/podcast/elixir-wizards/s13-e01-igniter-code-generation-zach-daniel/
Chainguard: Secure-by-default open source software https://www.chainguard.dev/
Docker https://www.docker.com/
Dependabot https://github.com/dependabot
AWS API Gateway v2 API reference https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-models.html
NixOS https://nixos.org/
Elixir Wizards S14E08: Nix for Elixir Apps https://smartlogic.io/podcast/elixir-wizards/s14-e08-nix-for-elixir-apps/
Fedora https://fedoraproject.org/
Kubernetes https://kubernetes.io/
Chaos Monkey https://netflix.github.io/chaosmonkey/
Netflix Tech Blog: Chaos Monkey posts https://netflixtechblog.com/all?topic=chaos-monkey
Special Guest: Holden Oullette.