EPISODE · Apr 30, 2026 · 41 MIN
The State of Security in Elixir with Holden Oullette
from Elixir Wizards · host SmartLogic LLC
In the Elixir Wizards season 15 premiere, host Charles Suggs is joined by Holden Oullette, Senior Security Software Engineer at Netflix and maintainer of Sobelow, to talk about how security is evolving in the Elixir ecosystem.

We discuss how certain features of the Elixir programming language (like functional patterns and server-side rendering) provide natural immunity against some common vulnerabilities, and what that means as the language continues to grow. Holden shares how tools like Sobelow are adapting and how new technologies like LLMs and Elixir's type system may help to strengthen security practices.

We cover supply chain risks, ecosystem-level responsibility and reputation management, and how initiatives like AEGIS are prepping the community for more widespread adoption. We wrap with practical tips for teams to be more security-minded throughout the software development lifecycle without slowing everything down.

Key topics discussed in this episode:
How Elixir’s design influences secure-by-default development
Security tradeoffs between server-side and client-heavy architecture
Supply chain risks and what the ecosystem is doing to prepare
Static analysis with tools like Sobelow and AST-based pattern matching
Where LLMs fit into modern security workflows
The role of Elixir’s upcoming type system in improving tooling
Securing CI/CD pipelines and production environments
Balancing development speed with security requirements
Dependency management and vulnerability monitoring
The AEGIS Initiative and ecosystem-wide security efforts

Links mentioned:
Holden’s GitHub https://github.com/houllette
Elixir Programming Language https://elixir-lang.org/
Security-focused static analysis for the Phoenix Framework https://github.com/nccgroup/sobelow
Code Security for Builders https://semgrep.dev/
Erlang Ecosystems Foundation https://erlef.org/
Phoenix Framework https://www.phoenixframework.org/
WebSockets https://hexdocs.pm/phoenix_live_view/Phoenix.LiveView.Socket.html
https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
Open Worldwide Application Security Project https://owasp.org/
https://github.com/elixir-ecto/ecto
Log4j Vulnerability https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know
React2Shell Vulnerability https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell
The Heartbleed Bug https://www.heartbleed.com/
Elixir Type System https://hexdocs.pm/elixir/main/gradual-set-theoretic-types.html
Holden Oullette “Securing the Future: A Roadmap to Making Elixir the Safest Language” ElixirConf 2024 https://youtu.be/gpvKxS6sY8Y
Aegis Initiative: Supply Chain Security & Compliance Initiative https://security.erlef.org/aegis/
OIDC Tokens https://openid.net/
Anthropic’s Claude Mythos & Cybersecurity https://red.anthropic.com/2026/mythos-preview/
Igniter Code Generation Framework https://github.com/ash-project/igniter
https://smartlogic.io/podcast/elixir-wizards/s13-e01-igniter-code-generation-zach-daniel/
Secure-by-default open source software https://www.chainguard.dev/
https://www.docker.com/
https://github.com/dependabot
https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-models.html
https://nixos.org/
https://smartlogic.io/podcast/elixir-wizards/s14-e08-nix-for-elixir-apps/
https://fedoraproject.org/
https://kubernetes.io/
https://netflix.github.io/chaosmonkey/
https://netflixtechblog.com/all?topic=chaos-monkey

Special Guest: Holden Oullette.