Episode
The State of Security in Elixir with Holden Oullette
- Podcast
- Elixir Wizards
- Published
- Apr 30, 2026
- Duration seconds
- 2514
Summary
Elixir's functional patterns and server-side rendering make many common web vulnerabilities hard to introduce by default. The discussion covers how the ecosystem is adapting to newer threats such as LLM-generated code and software supply chain risk.
Topics
- Elixir
- Application Security
- Static Analysis
- Sobelow
- LLMs
- Supply Chain Security
- Software Development Lifecycle
- AST-based Analysis
- Phoenix Framework
Highlights
- Main idea: Elixir's design, specifically its functional nature and server-side rendering, creates a 'secure-by-default' environment
- Practical takeaway: Use deterministic tools like Sobelow for AST-based pattern matching alongside non-deterministic LLMs to catch edge-case vulnerabilities
- Failure mode: Relying solely on LLMs for security checks is dangerous because a non-deterministic check can miss a critical vulnerability (such as a path to unauthorized root access) that a deterministic rule would flag every time
- Main idea: The AEGIS initiative and ecosystem-wide efforts are essential for managing supply chain risks and dependency security
- Practical takeaway: Leverage Elixir primitives and robust testing to build highly distributed, resilient systems that can withstand large-scale attacks
Chapters
- 1:00 Introduction to Holden Oullette: Holden shares his background in cybersecurity and his transition into application security within the Elixir ecosystem.
- 4:00 The Philosophy of Secure Development: A discussion on building security into the software development lifecycle by leveraging frameworks and tools by default.
- 7:05 Evolving Security Threats: An overview of how security concerns shift over time, referencing the OWASP Top Ten and the changing landscape of web vulnerabilities.
- 10:40 LLMs and New Attack Vectors: Exploring how Large Language Models introduce new classes of vulnerabilities and how they can be used to enhance security workflows.
- 13:50 Supply Chain and Dependency Security: The importance of secure, programmatic publishing and the challenges of maintaining trust across the entire dependency chain.
- 16:45 Verifiable Dependencies: The technical nuances of ensuring every step of the software supply chain is cryptographically verifiable.
- 20:00 Deterministic vs. Non-Deterministic Security: Comparing the reliability of AST-based static analysis tools like Sobelow against the creative but unpredictable nature of LLMs.
- 29:25 Balancing Speed and Security: How to implement frequent security checks and dependency updates without slowing down the development velocity.
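The "deterministic, AST-based pattern matching" that the practical takeaway and the 20:00 chapter attribute to tools like Sobelow can be shown in a few dozen lines of Elixir. The block below is an added example written for this page; it is not Sobelow's code and not anything from the episode. The module name, the two rule names (`:code_eval`, `:sql_interpolation`) and the sample source it scans are this example's own assumptions. It parses source into Elixir's quoted form with `Code.string_to_quoted!/1`, walks it with `Macro.prewalk/3`, and flags exactly the same nodes on every run, which is the property the episode contrasts with LLM review.

```elixir
# Added example, not Sobelow's code and not from the episode: a minimal
# AST-based scanner in the spirit of Sobelow. It parses Elixir source into its
# quoted form and walks it with Macro.prewalk/3, flagging two patterns a
# deterministic rule can match exactly every time:
#   :code_eval         - a call to Code.eval_string/1,2,3 (arbitrary code
#                        execution sink)
#   :sql_interpolation - Ecto.Adapters.SQL.query/2,3 or <Anything>.Repo.query/2,3
#                        whose SQL argument is a string built with #{...}
#                        interpolation (likely SQL injection)
# Module, rule names and the sample source below are this example's own.
defmodule MiniAstScan do
  @doc "Scan Elixir source text; returns [{line, rule}] in source order."
  def scan(source) when is_binary(source) do
    ast = Code.string_to_quoted!(source)
    {_ast, findings} = Macro.prewalk(ast, [], &check/2)
    Enum.reverse(findings)
  end

  # Remote call Code.eval_string(...) appears in the AST as
  # {{:., _, [{:__aliases__, _, [:Code]}, :eval_string]}, meta, args}
  defp check({{:., _, [{:__aliases__, _, [:Code]}, :eval_string]}, meta, _args} = node, acc) do
    {node, [{meta[:line], :code_eval} | acc]}
  end

  # Remote call <Alias>.query(...): flag only the raw-SQL entry points and only
  # when one argument is an interpolated string literal. A parameterised query
  # ("... = $1", [name]) passes because its SQL literal has no interpolation.
  defp check({{:., _, [{:__aliases__, _, mod}, :query]}, meta, args} = node, acc) do
    raw_sql_api? = mod == [:Ecto, :Adapters, :SQL] or List.last(mod) == :Repo

    if raw_sql_api? and Enum.any?(args, &interpolated_string?/1) do
      {node, [{meta[:line], :sql_interpolation} | acc]}
    else
      {node, acc}
    end
  end

  defp check(node, acc), do: {node, acc}

  # "abc #{x} def" is quoted as {:<<>>, _, parts}; each #{...} segment is
  # {:"::", _, [{{:., _, [Kernel, :to_string]}, _, [expr]}, {:binary, _, _}]}.
  defp interpolated_string?({:<<>>, _, parts}) when is_list(parts) do
    Enum.any?(parts, fn
      {:"::", _, [{{:., _, [Kernel, :to_string]}, _, _} | _]} -> true
      _ -> false
    end)
  end

  defp interpolated_string?(_), do: false

  @doc "Constructed sample input (not code from the episode or any project)."
  def sample_source do
    ~S"""
    defmodule Demo do
      def find(name) do
        Ecto.Adapters.SQL.query(Repo, "SELECT * FROM users WHERE name = '#{name}'")
      end

      def safe(name) do
        Ecto.Adapters.SQL.query(Repo, "SELECT * FROM users WHERE name = $1", [name])
      end

      def run(code), do: Code.eval_string(code)
    end
    """
  end
end

# Stand-alone run: elixir mini_ast_scan.exs
IO.inspect(MiniAstScan.scan(MiniAstScan.sample_source()), label: "findings")
```

Run with `elixir mini_ast_scan.exs`: the scan reports the interpolated query in `find/1` and the `Code.eval_string/1` call in `run/1`, and says nothing about the parameterised query in `safe/1`, on every run, because the rules match AST shapes rather than reading intent. That exactness is also the limitation the episode notes: a rule only catches the shapes someone wrote a clause for, which is why the takeaway pairs this kind of tool with broader but less predictable LLM review rather than replacing one with the other.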