# The State of Security in Elixir with Holden Oullette

- Page: https://stenobird.com/podcast/elixir-wizards/the-state-of-security-in-elixir-with-holden-oullette
- Text version: https://stenobird.com/podcast/elixir-wizards/the-state-of-security-in-elixir-with-holden-oullette.md
- Podcast: [Elixir Wizards](https://stenobird.com/podcast/elixir-wizards)
- Published: 2026-04-30T10:00:00+00:00
- Episode link: https://smartlogic.fireside.fm/s15-e01-security-in-elixir-holden-oullette
- Audio file: https://aphid.fireside.fm/d/1437767933/03a50f66-dc5e-4da4-ab6e-31895b6d4c9e/e8e721ef-cf8f-43c9-8120-12b94ab2baab.mp3
- Processing state: processed
- JSON: https://stenobird.com/v1/public/podcasts/elixir-wizards/episodes/the-state-of-security-in-elixir-with-holden-oullette
- Duration seconds: 2514

## Resource

Elixir's functional patterns and server-side rendering provide inherent immunity to many common web vulnerabilities. This discussion explores how the ecosystem is evolving to handle new threats like LLM-generated code and supply chain risks.

## Highlights

- Main idea: Elixir's design, specifically its functional nature and server-side rendering, creates a "secure-by-default" environment.
- Practical takeaway: Use deterministic tools like Sobelow for AST-based pattern matching alongside non-deterministic LLMs to catch edge-case vulnerabilities.
- Failure mode: Relying solely on LLMs for security checks is dangerous because their non-deterministic nature can miss critical vulnerabilities like unauthorized root access.
- Main idea: The AEGIS initiative and ecosystem-wide efforts are essential for managing supply chain risks and dependency security.
- Practical takeaway: Leverage Elixir primitives and robust testing to build highly distributed, resilient systems that can withstand large-scale attacks.

## Topics

Elixir, Application Security, Static Analysis, Sobelow, LLMs, Supply Chain Security, Software Development Lifecycle, AST-based Analysis, Phoenix Framework

## Chapters

- 1:00 — Introduction to Holden Oullette: Holden shares his background in cybersecurity and his transition into application security within the Elixir ecosystem.
- 4:00 — The Philosophy of Secure Development: A discussion on building security into the software development lifecycle by leveraging frameworks and tools by default.
- 7:05 — Evolving Security Threats: An overview of how security concerns shift over time, referencing the OWASP Top Ten and the changing landscape of web vulnerabilities.
- 10:40 — LLMs and New Attack Vectors: Exploring how Large Language Models introduce new classes of vulnerabilities and how they can be used to enhance security workflows.
- 13:50 — Supply Chain and Dependency Security: The importance of secure, programmatic publishing and the challenges of maintaining trust across the entire dependency chain.
- 16:45 — Verifiable Dependencies: The technical nuances of ensuring every step of the software supply chain is cryptographically verifiable.
- 20:00 — Deterministic vs. Non-Deterministic Security: Comparing the reliability of AST-based static analysis tools like Sobelow against the creative but unpredictable nature of LLMs.
- 29:25 — Balancing Speed and Security: How to implement frequent security checks and dependency updates without slowing down development velocity.

## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/elixir-wizards/episodes/the-state-of-security-in-elixir-with-holden-oullette/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/elixir-wizards/the-state-of-security-in-elixir-with-holden-oullette.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.