Web3 security risks daunting? How should we respond?

Is the world of Web3 and blockchain as daunting as it sounds? The Biden campaign’s Chief Incident Response Officer and former Intel Incident Response Director, Jackie Singh, interviewed Web3 security practitioners for their perspectives on the challenges and opportunities of securing Web3 technologies.

I was nervous at first last December when my partner at STOP, Jason, unexpectedly received an offer to join an NFT marketplace startup as a senior software engineer.

Deciding to take a potentially precarious job in a new industry can seem daunting, especially as a family with young children.

Despite the recent volatility in the cryptocurrency market, my concerns have faded over time. Jason’s career shift to Web3 has also taught me more about his work, including permissionless use for all users, designing open source code through GitHub, working openly with third-party developers, and building partnerships with NFT artists. This is a refreshing change from his previous work in traditional finance!

To be honest, I know the Web3 community is very cohesive, but as an information security professional, I also have questions about widespread scams, the risks of “technical solutionism,” and the large-scale violations that hinder the rise of Web3.

“It’s great that many Web3 developers prioritize security in their development process to prevent vulnerabilities, but there’s more work to be done,” Robert Wallace, senior director at cybersecurity firm Mandiant, wrote in a readme. “Prevention is a prerequisite, but detection and auditing are also necessary. It would be great to see more research on threat detection and response in Web3.”

Over the years, Wallace has worked with his team of consultants on security incidents at several Web3 companies. He noted that hackers utilizing smart contracts have led to some of the biggest “DeFi” hacks to date.

“Another challenge is attacks on Web3 developers who may not have a security team monitoring the system at all times,” Wallace said, “which could lead to key theft, leading to huge thefts from Web3 companies and even centralized exchanges.”

I asked three experts with experience in Web3 security to share some of their insights and explain their day-to-day work.

Miles Nolan is a senior blockchain security analyst at cybersecurity firm Kudelski Security, whose business now also covers blockchain.

What do you and your team do at Kudelski Security?

I work as a blockchain security analyst on Kudelski’s application security team. We primarily audit Web3 applications and smart contract code for vulnerabilities. I personally work on smart contract audits/reviews.

How did you get started with Web3?

I became interested in my junior year of college. I have a degree in Management Information Systems. It was in 2017, Bitcoin had a crazy “bull market”, and DeFi began to appear on a small scale. My passion for technology and finance combined with the crazy hype made me jump into the field and absorb whatever I could learn.

What is your daily work like?

I’m what most people in the field call a “smart contract auditor”. I spend most of my time reviewing vulnerabilities in smart contract code. On a typical work day, I spend the first hour of the day reviewing/writing code unrelated to the project I’m auditing, which helps me warm up. I’ll be looking at the documentation related to the blockchain I’m using in the next hour. Things change every day in Web3, so I have to stay informed. For the rest of the day, I’ll be reviewing the smart contract code for various bugs.

What challenges do you face in this field?

Web3 is moving so fast that when I first joined it felt like I was catching up all the time.

Does blockchain or other Web3 technologies provide any specific technical capabilities that make information security tasks easier or more difficult?

While there are many advantages to highlight, I must point out one pain point. Blockchains have introduced a playing field where attackers can actually profit by executing exploits. In a Web2 world, attackers can shut down a major service, steal some data, sell malware/0-days, etc. While this may be profitable and cost other parties money, it’s often not worth the time, cost and risk of committing these types of malicious acts. But in the Web3 world, attackers can steal upwards of $300 million from a single vulnerability. So distributed ledger technology inherently presents these new risks for security professionals to deal with.

Katelyn Perna is Vice President of Security Strategy and Digital Asset Custody at BlockFi, a US-based cryptocurrency exchange offering a variety of financial products including loans and crypto credit cards.

Can you tell us about your current role?

As BlockFi’s VP of Security Strategy and Digital Asset Custody, I am responsible for building our security program.

The security strategy and digital asset custody team is primarily responsible for ensuring the security of BlockFi’s native encryption technology. The team has a very unique and specialized mix of skills, spanning cyber security, blockchain technology, and cryptocurrency security and custody across almost all digital assets. We specialize in cryptocurrency security, cryptography, key management, on-chain protocols and Web3 security.

What is your team focused on?

All along, my day-to-day work has mainly focused on cryptocurrency, which can mean analyzing assets and various on-chain protocols, building technologies and solutions for asset storage, custody and key management, and analyzing smart contract vulnerabilities.

How did you get started with Web3? What piqued your interest?

Before Web3/Blockchain, my background was in traditional cybersecurity. I first learned about cryptocurrencies in 2016 and was hooked right away. I was working on networking for a large tech and banking company at the time, and I quickly realized that there was a need for improvement in traditional financial services.

I saw the huge potential of blockchain technology and cryptocurrencies in tech and banking to allow societies to manage their own data and money with fewer third-party intermediaries, and I wanted to be a part of that. However, building new funding, platforms and cultures is not easy, let alone doing so safely and reliably. As we focus on putting power and control in the hands of the user, I am most interested in the possibilities and the different “facets of society”. I told myself that I would be working in the blockchain/crypto space for the next 5 years and see how it goes.

What challenges do you face in this field?

One of the challenges is that this is a completely emerging technology. Blockchain and cryptocurrencies have not been around for long, and managing billions of dollars in funds places an enormous security responsibility on these companies.

In general, I think technical talent, especially in security, is currently scarce in the Web3 space.

Further challenges include:

  • There is a general lack of education and awareness in the Web3 space among users and institutions, creating a huge knowledge gap in technology and security.
  • Ensuring the real security needed to manage billions of dollars. There are no shortcuts. Security may vary by asset and underlying protocol. This requires rigorous investigation and due diligence.
  • Blockchain interoperability and security are challenging, especially when it comes to smart contract logic and key management. Managing and securing nodes in a scalable manner is also a major challenge.

Does blockchain or other Web3 technologies provide any specific technical capabilities that make information security easier or more difficult?

The transition from Web2 to Web3 has brought about a huge shift in thinking around security and privacy.

In Web2, we have someone (banking, tech, etc.) do everything for us – all we need to manage is a password, and maybe 2FA.

Not so with Web3. If you don’t know what you’re doing, Web3 is worse than Web2. Managing your own assets and data yourself, i.e. being your own “bank”, sounds good (and it is), but you have to learn how it works: you have to understand how to manage wallets and private keys, and you have to think about security.

For CeFi or institutions, this job needs to be 10x faster! (CeFi, or Centralized Finance, aims to provide DeFi-like benefits with the ease of use and security of traditional finance.)

Additionally, airdrop scams and targeted phishing in the Web3 ecosystem will continue to develop.

What would you say to an information security professional who doesn’t like blockchain technology?

Blockchain technology isn’t really new, it’s just a mix of different technologies that have been around for decades.

Web3 supports more autonomous and decentralized applications. This is a good thing. Because no one company should own all the data or money or anything of the users.

Safety is always the driving factor.

Technology can do many things, and as information security people, we should do our best to ensure that it can be used as safely as possible.

What’s the single most important piece of advice you would give information security professionals interested in Web3?

Never judge anything only on the surface. Just because someone says it’s true, doesn’t make it true. No one knows all the answers, and no one knows everything. Challenge yourself and everyone you meet. The Web3 industry requires information security.

Bobby Tonic is a security engineer at a digital payments company. In the past, he was a consultant at security firm Trail of Bits, where he led teams that performed complex security audits.

What are the biggest challenges facing Web3 organizations?

Prior to my current role, I had contact with various Web3 organizations. I find that they often face similar challenges to traditional organizations. Of these challenges, understanding the complexity of the technologies used in the system and being able to ensure their correctness are two of the most notable.

Failure to successfully address these challenges can be disastrous for Web3 organizations, as attackers often have access to the source code of their systems and applications at any time.

Therefore, it has become a consensus that Web3 organizations develop their applications and infrastructure and then submit them to third-party security research firms for review. Doing so promises customers that the design and implementation of the application have been adversarially tested, and demonstrates the organization’s due diligence and accountability to its future customers.

What information security research does Web3 most need today?

In my opinion, for Web3 to mature, the most impactful information security research is testing of Web3 systems and applications. As third-party security personnel, rather than developers, we pay attention to the security aspects of the design, which saves time and speeds up subsequent development work.

Additionally, Web3 often requires developers to implement boilerplate for the system under test, causing them to spend time setting up the test system rather than actually developing tests with the tools. We see this in various testing techniques like fuzzing and property testing. These issues greatly discourage most developers who wish to use these testing techniques in their day-to-day work.

It’s not that developers don’t want to use these testing techniques, or that they don’t know they exist, it’s that there is a lot of “friction” when using them!
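The friction Tonic describes has a concrete shape. Below is an added example, written for this page rather than taken from the article or from any project named in it: a property test against a toy Python model of a token ledger (the account names and amounts are constructed, and `Ledger`, `supply_invariant` and `run_property_test` are this example's own names, not a real contract or library API). The "boilerplate" is exactly the three pieces a developer has to write before any test can run: a model of the system under test, a generator of random operations, and the invariant to check. Once those exist, the harness finds a constructed stale-read bug in self-transfers that a handful of hand-written unit tests would likely miss.

```python
"""Property test of a toy token ledger.

Added example: a simplified Python model of an ERC-20 style balance map,
not a real smart contract and not code from the article. The three pieces
a property test needs are all here: the model (Ledger), the random operation
generator (run_property_test) and the invariant (supply_invariant).
"""
import random


class Ledger:
    """Minimal mint/transfer ledger. buggy=True enables a constructed defect."""

    def __init__(self, buggy=False):
        self.buggy = buggy
        self.total_supply = 0
        self.balances = {}

    def mint(self, to, amount):
        if amount < 0:
            raise ValueError("negative amount")
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, frm, to, amount):
        if amount < 0 or self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        if self.buggy:
            # Stale-read pattern (constructed for the demo): both balances are
            # read before either is written. When frm == to, the credit
            # overwrites the debit, so the sender ends up with `amount` more
            # than before while total_supply is unchanged: tokens from nowhere.
            from_bal = self.balances[frm]
            to_bal = self.balances.get(to, 0)
            self.balances[frm] = from_bal - amount
            self.balances[to] = to_bal + amount
        else:
            # Read-modify-write each balance in turn; a self-transfer is a no-op.
            self.balances[frm] -= amount
            self.balances[to] = self.balances.get(to, 0) + amount


def supply_invariant(ledger):
    """The property under test: minted supply equals the sum of all balances."""
    return ledger.total_supply == sum(ledger.balances.values())


def run_property_test(buggy, steps=2000, seed=1):
    """Drive a Ledger with random mint/transfer calls and check the invariant
    after every step. Returns None if the invariant always held, otherwise the
    first counterexample as (step_index, operation_tuple)."""
    rng = random.Random(seed)
    accounts = ["alice", "bob", "carol"]  # constructed sample accounts
    ledger = Ledger(buggy=buggy)
    for step in range(steps):
        if rng.random() < 0.3:
            op = ("mint", rng.choice(accounts), rng.randint(0, 100))
            ledger.mint(op[1], op[2])
        else:
            op = ("transfer", rng.choice(accounts), rng.choice(accounts),
                  rng.randint(0, 50))
            try:
                ledger.transfer(op[1], op[2], op[3])
            except ValueError:
                pass  # a rejected call leaves state, and the invariant, intact
        if not supply_invariant(ledger):
            return step, op
    return None


if __name__ == "__main__":
    print("fixed ledger:", run_property_test(buggy=False))
    print("buggy ledger:", run_property_test(buggy=True))
```

Run it directly to see `None` for the fixed ledger and a `(step, op)` counterexample for the buggy one, where `op` is always a self-transfer with a positive amount. For real Solidity contracts, fuzzers such as Echidna or Foundry's built-in fuzzer take over the operation generation, but choosing the invariants and wiring up the system under test remains the developer's job, which is the setup cost the interview points at.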


Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/web3-security-risks-daunting-how-should-we-respond/