Interactive web-based curriculum teaching developers how to write secure Erlang/OTP applications. Covers BEAM VM-specific attack vectors that exist despite Erlang's built-in safety properties.
The curriculum covers 12 modules, each with lessons, code examples, and quizzes:
- Introduction to Erlang Security — BEAM VM security model
- Atom Exhaustion — Creating atoms from untrusted input
- Serialisation/Deserialization — Unsafe `binary_to_term/1`
- Command Injection — `os:cmd/1` with untrusted input
- Sensitive Data — Process state visibility and crash dumps
- Memory Exhaustion — Resource starvation attacks
- Distribution — Erlang distribution protocol risks
- NIF & Port Safety — Native interface and external port security
- Code Loading — Runtime code loading without verification
- Scheduling & Types — Scheduler starvation, type safety
- Introspection — Observer and reflection-based disclosure
- Web Security — Web vulnerabilities in Nova applications
Each module includes:
- Side-by-side vulnerable vs. safe code examples
- Shell output demonstrations
- Multiple choice quizzes with immediate grading
```
rebar3 nova serve
```
The app runs at http://localhost:8080.
Deployed on Fly.io:
```
fly deploy
```
Curriculum content is fully declarative. To add a new module:
- Create a module function in `src/curriculum/esc_curriculum.erl`
- Register it in the `modules()` list
No changes to controllers, views, or routing needed.
Apache 2.0