Kiko Fernandez-Reyes, Ericsson
Alistair Woodman, Erlang Ecosystem Foundation
Software technology that Ericsson started back in the 1980s today plays a crucial role in keeping many internet systems and applications running at large scale and with high uptime. Erlang is an open source programming language and the BEAM is its underlying virtual machine; both are developed and primarily maintained by Ericsson, released under an Apache license, and used by a growing developer community.
The EU Cyber Resilience Act (CRA) and the US Cybersecurity and Infrastructure Security Agency (CISA) will place new quality requirements on final manufacturers of software. These end-product regulations will also have knock-on effects on open source projects, and Ericsson, as maintainer of the Erlang programming language, wants to prepare for them.
Several years ago major users of the software, including Ericsson, set up the Erlang Ecosystem Foundation (EEF) as a 501(c)3 not-for-profit organisation. Today the EEF is supported by thousands of members and commercial software sponsors. The intent of the EEF is to grow and support the community that looks after and enhances both Erlang the language as well as the BEAM VM ecosystem.
The BEAM VM ecosystem now supports several new programming languages running on the BEAM, like Elixir, Gleam and Lua, as well as industry-leading frameworks like Phoenix, LiveView, Nx, Nerves and GRiSP. Ericsson has given life to a technology ecosystem that is now an order of magnitude larger than the core Erlang system, and the same new cybersecurity requirements will apply to it.
The EEF and Ericsson want to step up early to the new policy requirements, to ensure that all our members can leverage common compliance features and tooling and thus avoid individual effort and inconsistent processes.
In this talk, we will cover some of the requirements placed on open source projects and how the BEAM community and the Erlang Ecosystem Foundation plan to address them. This presentation will discuss the following topics:
- The role of the EEF w.r.t. Cyber Resilience Act and CISA policies
- Tooling plans from the EEF to make Erlang and other BEAM languages safer
- Existing Erlang and BEAM static analysis tooling, test coverage, and active testing strategies
- Supply chain management: SPDX, CycloneDX, ProtoBOM and other technologies
- Improving the security of library dependencies (Hex packages)
- Importance of secure defaults
- Community CI/CD
- Documentation