Security has always been one of the most important aspects of information technology, and today many organizations and their developers adopt a security-first mindset when building applications. These principles and actions are often collectively described as ‘DevSecOps,’ which encompasses the entire culture and approach of application security. DevSecOps stands for development, security, and operations. It aims to embed a security-first mindset into all aspects of information technology and infrastructure.
One of the more recent and most exciting areas in information technology is blockchain, which comes with a giant ecosystem of decentralized protocols and applications that aim to take us into an updated version of the web, what many refer to as Web3.
The term Web3 encompasses various concepts that focus on aspects of application architecture and user experience:
These core concepts aim to give users back control of their identity using public key cryptography and grow the adoption of peer-to-peer economics through various blockchain mechanics and protocols. Many blockchains and their surrounding protocols can process advanced transactions and manage state using smart contracts that are executed within isolated virtualized environments.
These are then synchronized across all nodes on the network through a mechanism called a consensus algorithm. This is a mechanism that allows users or nodes to coordinate in a distributed setting to ensure that all nodes in the system can agree on a single source of truth, even if some agents fail. Additionally, many blockchains operate in a censorship-resistant way by keeping their protocols open and permissionless.
There is an added risk in a blockchain-based architecture because the backbone of the network is typically powered by a digital, token-based cryptocurrency that usually carries monetary value. These tokens are held in addresses, generally stored in externally owned accounts or within smart contracts. And since trust is also distributed through the use of public key cryptography, every address on the network is a potential target of attack.
The balance of each account is replicated across the network on what is known as the public ledger, visible to anyone, which leaves an open window for hackers to target specific users or contracts. This makes privacy and anonymity a particularly important aspect of blockchain. Often, the humans managing these accounts are either targets of attack or are enabled through their position to act in an illicit way, with threats including:
Additionally, the technology footprint of these various blockchain technologies, protocols, and decentralized applications is already large and is growing fast. Therefore, it is important to think about the security implications of this fast-growing ecosystem. Anything that is built around a core concept of decentralization has a larger attack surface, and therefore more attack points that should be carefully analyzed and secured.
Here are a few topics that are worth considering when auditing the security of your decentralized applications and technology infrastructure:
When we talk about DevSecOps in the development lifecycle of an application, we typically refer to security-driven development. This is also commonly known as the act of shifting security left. It is one of the most important aspects of the DevSecOps culture, because it starts with developers thinking about security as code. Since blockchain-based smart contracts can store value and act as a bank, the code within them is an especially attractive target for attack, and it should be written with strict security in mind.
The industry has seen several hacks targeting vulnerabilities in smart contracts, usually by exploiting flaws in the contract code. One of the biggest hacks in history took place last year when Poly Network, a cross-chain protocol, reported that an attacker hacked a smart contract, transferring the equivalent of US $610 million by moving various assets to external wallet addresses controlled by the hacker.
There are many vulnerabilities in smart contract development, but some of the most frequent attacks are:
Blockchain, decentralized applications and the various protocols surrounding them are growing quickly. These new and exciting ways of deploying applications have the potential to disrupt many different industries. However, it is imperative that we focus on a security-first mindset and implement a DevSecOps culture wherever possible.
A good first step in anyone's journey into blockchain is to read the whitepaper for the protocol you are building on:
Next, study previous hacks and vulnerabilities, even going as far as to try and reproduce the hack in your development environment.
To get hands-on learning experience with security on Ethereum, I recommend the following capture the flag (CTF) programs, in which vulnerabilities or ‘flags’ are hidden in purposefully vulnerable programs or websites to teach the fundamentals of security.