Paraxial case study - building a platform with Elixir

Paraxial Case Study - Building a Robust Security Platform with Elixir and Phoenix

In this series, we're going to explore real-world usage of Elixir. We'll be speaking to different companies that are currently using Elixir to understand the challenges they faced, the benefits, and whether they would recommend it.

    Welcome to the Elixir Case Study Series!

    For our inaugural case study, we talked with the team behind Paraxial.io, a security platform for Elixir developers. This comprehensive interview delves into how Paraxial was built with Elixir from the ground up and how they utilize the Elixir ecosystem, including the Phoenix and Ecto libraries, to provide state-of-the-art security services.

    We discussed the choice of architecture, with Paraxial leaning towards a monolithic design, and how Elixir supports this decision with tools like ETS and more. Focusing on security, we explored whether Elixir and its libraries like Phoenix or Ecto are well-suited for creating secure applications and if there are any areas of potential improvement.

    This series is a treasure trove of information for anyone interested in learning from practical, real-world experiences of using Elixir in production. Whether you're an Elixir veteran or someone considering adopting it, these case studies will offer valuable insights and tips. So, stay tuned as we dive deeper into the world of Elixir with each installment in the series.

    Michael Lubas is the founder of https://paraxial.io. Michael has worked with Elixir for several years, and his professional background is in software security. He took part in our monthly Elixir Meetups. Here you can listen to more about Throttling & Blocking Bad Requests in Phoenix with PlugAttack and Elixir Security.

    1. Could you introduce the product to us?

    Paraxial.io is an application security platform designed for Elixir and Phoenix. The product is an alternative to tools such as Snyk, reCaptcha, and Cloudflare bot defense. All our customers use Elixir, and our backend is written in Elixir.

    The reason a company uses Paraxial.io is they have a Phoenix application on the public internet, which exposes them to hacking attempts, automated bot attacks, etc. With Paraxial.io, developers are able to quickly protect their applications in a fraction of the time it takes with bulky enterprise solutions that do not have native support for Elixir.

    2. How did Paraxial start with Elixir in the first place?

    Paraxial.io was built with Elixir from the beginning. As a company that makes a security platform for other Elixir developers, it was only natural to build on Elixir and Phoenix.

    Paraxial.io is composed of two main parts: the backend, https://app.paraxial.io/, and the Paraxial.io agent, https://hex.pm/packages/paraxial. Customers install the agent as a normal dependency in their project, which does bot defense, scanning for OWASP Top 10 style vulnerabilities, and detection of vulnerable dependencies.

    An interesting fact, the Paraxial.io website and blog are a Phoenix application. We use DashBit’s Nimble Publisher, and all our blog posts are written in Markdown.

    3. What does the architecture look like? Did you go with Umbrella, monolith, or microservices?

    The architecture is a monolith, and we’re very happy with it. A major benefit of Elixir is that you don’t need to bring in tools like Redis for managing the global state, you can use ETS and the primitives Elixir/Erlang give you.

    Simplicity and being able to debug issues are huge benefits of a monolith. I’ve worked on systems where you could not run the thing locally, or you had to run three different applications and get them all talking to each other, and it’s a mess. The Elixir and Phoenix teams put so much effort into shortening the debug loop with features like live code reloading, and having a monolith lets you take advantage of that.

    4. What type of Frameworks are used in Paraxial?

    Currently, we use Phoenix, and all of our customers are using Phoenix as well. It’s a much better customer experience, working with a security vendor that understands your tech stack and can quickly understand and resolve issues as they come up.

    When a security vendor tells you they have a “universal platform” that “supports everything”, what that means is you will be writing the integration code yourself. The install is going to take months, and nobody at that company will talk to you about how to properly write secure Elixir code. Having first class support for Phoenix is a huge advantage for Paraxial.io, and I’m grateful to be participating in the ecosystem.

    5. Can you name a couple of libraries you use and consider as really great open-source projects?

    Phoenix, Ecto, Mix, Hex, all the standard Elixir libraries most people reading this know about. I do want to mention remote_ip because it does a very important job, ensuring the value of conn.remote_ip is correct when your Phoenix application is behind a proxy. Most people deploy their application in an environment where conn.remote_ip is not set to the client’s IP, but rather an intermediate proxy server. It seems like a simple thing, but it’s very hard to do it correctly, and remote_ip absolutely nailed the correct implementation.
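The proxy problem described in the answer above, as an added example that is not part of the interview and is not the remote_ip library's code: a simplified right-to-left walk of X-Forwarded-For that only trusts hops added by known proxies. The module name, the trusted ranges and the sample addresses are assumptions made for illustration.

```elixir
defmodule ClientIpExample do
  @moduledoc "Added illustration; not the remote_ip library's implementation."
  import Bitwise
  # Hypothetical proxy ranges we operate ourselves (constructed for this example).
  @trusted [{{10, 0, 0, 0}, 8}, {{127, 0, 0, 0}, 8}]

  # peer: TCP peer address, which is what conn.remote_ip holds by default.
  # xff:  raw X-Forwarded-For header values, in the order they were received.
  def client_ip(peer, xff) do
    if trusted?(peer) do
      xff
      |> Enum.flat_map(&String.split(&1, ","))
      |> Enum.map(&parse/1)
      |> Enum.reverse()
      |> walk(peer)
    else
      # Peer is not one of our proxies, so any forwarding header is client-supplied.
      peer
    end
  end

  # Walk hops right to left: the first hop that is not a trusted proxy is the client.
  defp walk([{:ok, ip} | rest], peer) do
    if trusted?(ip), do: walk(rest, peer), else: ip
  end

  # No hops left, or an unparseable hop: fall back to the peer address.
  defp walk(_, peer), do: peer

  defp parse(str) do
    case str |> String.trim() |> String.to_charlist() |> :inet.parse_strict_address() do
      {:ok, ip} -> {:ok, ip}
      {:error, _} -> :error
    end
  end

  defp trusted?({_, _, _, _} = ip) do
    Enum.any?(@trusted, fn {net, len} ->
      to_int(ip) >>> (32 - len) == to_int(net) >>> (32 - len)
    end)
  end
  defp trusted?(_ipv6), do: false # IPv6 ranges are out of scope for this example
  defp to_int({a, b, c, d}), do: (a <<< 24) + (b <<< 16) + (c <<< 8) + d
end

# Constructed requests: spoofed leftmost hop via our proxy, then a direct untrusted peer.
IO.inspect(ClientIpExample.client_ip({10, 0, 0, 5}, ["1.2.3.4, 203.0.113.7"]))
IO.inspect(ClientIpExample.client_ip({198, 51, 100, 9}, ["10.0.0.1"]))
```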

    6. Given the fact that Paraxial focuses on security, do you think Elixir and its libraries like Phoenix or Ecto are well-suited for this topic or is there still a lot to be done?

    A common issue people claim to have with Elixir is, “there are not enough open source libraries”. This does not match my experience, and I’ll give an example. When implementing a feature in Paraxial.io, I needed a radix trie for storing IP addresses. The iptrie library is exactly what I needed, and it’s an excellent library.

    Many cyber security projects that have requirements like high uptime, high availability, support for concurrency, are written in a language that is not suited for the problem at all, like Python or JavaScript. The reason is most security developers are not familiar with Elixir. Elixir, Phoenix, and Ecto are extremely well-suited for security, and I hope to see more adoption in those circles.

    FAQ

    What is Paraxial.io and how does it enhance Elixir-based application security?

    Paraxial.io is a security platform tailored for Elixir and Phoenix applications, offering an alternative to conventional security tools. It enables developers to defend against hacking and bot attacks effectively, streamlining application protection.

    How did Paraxial.io start using Elixir for its development?

    Paraxial.io was inherently built with Elixir, aiming to serve the security needs of other Elixir developers, thus ensuring coherence and effectiveness in its security solutions.

    What architectural approach does Paraxial.io follow, and why?

    Paraxial.io employs a monolithic architecture, which aligns with the Elixir ecosystem's capabilities, offering simplicity, ease of debugging, and efficient global state management without external tools like Redis.

    Which frameworks and libraries does Paraxial.io utilize, and why?

    Paraxial.io primarily uses Phoenix, alongside standard Elixir libraries like Ecto and Mix, to ensure compatibility and effective security measures within the Elixir ecosystem.

    Can you name some open-source projects used by Paraxial.io?

    Besides Elixir's standard libraries, Paraxial.io utilizes projects like remote_ip, which correctly handles client IP addresses in Phoenix applications behind proxies.

    Does Paraxial.io consider Elixir and its ecosystem suitable for security-focused applications?

    Paraxial.io supports the notion that Elixir, along with Phoenix and Ecto, is highly suitable for security applications, contradicting common misconceptions about the availability of Elixir libraries for security.

    How does Paraxial.io contribute to the Elixir community and security awareness?

    Through its specialized focus and contributions, Paraxial.io aims to encourage more widespread adoption of Elixir in cybersecurity projects and improve security standards within the Elixir community.

    Karolina Uske Marketing Specialist