Compilation of the original text: black rice
Is the world of Web3 and blockchain as daunting as it sounds? Jackie Singh, Chief Incident Response Officer for the Biden campaign and former Director of Incident Response at Intel, interviewed Web3 security practitioners to get their perspective on the challenges and opportunities of securing Web3 technologies.
When Jason, my partner at STOP, received an unexpected offer to join an NFT marketplace startup as a senior software engineer last December, I was initially nervous.
Deciding to take a potentially precarious job in a new industry can seem daunting, especially as a family with young children.
Despite the recent volatility in the cryptocurrency market, my concerns faded over time. Jason's career shift to Web3 has also allowed me to better understand his work, including license-free use for all users, designing open source code through Github, openly collaborating with third-party developers, and forming partnerships with NFT artists. It was a refreshing change from his previous work in traditional finance!
To be honest, I know that the Web3 community is strong, but as an information security professional, I also have questions about the widespread scams, the risks of "technical solutionism", and the large-scale illegal activities that hinder the rise of Web3.
"It's good that many Web3 developers are prioritizing security in their development process to prevent vulnerabilities, but more needs to be done," Robert Wallace, senior director at cybersecurity firm Mandiant, wrote in a readme. "Prevention is a prerequisite, but detection and auditing are also necessary. It's great to see more research on threat detection and response in Web3."
Over the years, Wallace has responded to security incidents at several Web3 companies with his team of consultants. He noted that hackers utilizing smart contracts have led to some of the largest “DeFi” hacks to date.
“Another challenge is attacks on Web3 developers who may not have a security team monitoring the system at all times,” Wallace said. “This could lead to key theft, leading to huge thefts from Web3 companies and even centralized exchanges.”
I asked three experts with experience in Web3 security to share some of their insights and explain what they do on a daily basis.
Miles Nolan is a senior blockchain security analyst at cybersecurity firm Kudelski Security, which also now includes blockchain in its business.
What do you and your team do at Kudelski Security?
Miles:
I work as a blockchain security analyst on Kudelski's application security team. We mainly audit Web3 applications and smart contract code for vulnerabilities. I personally work on smart contract audits/reviews.
How did you get started with Web3?
Miles:
I became interested in it during my junior year in college. I have a degree in "Management Information Systems". That was in 2017, Bitcoin had a crazy "bull market", and DeFi began to appear on a small scale. My passion for technology and finance combined with the insane hype led me to jump into the field and absorb whatever knowledge I could learn.
What is a day-to-day job like for you?
Miles:
I am what most people in the field refer to as a "smart contract auditor". I spend most of my time reviewing smart contract code for vulnerabilities. On a typical workday, I spend the first hour of the day reviewing/writing code unrelated to the project I'm auditing, which helps me warm up. I'll spend the next hour looking at documentation related to the blockchain I'm working with. Things are changing every day in Web3, so I have to stay informed. For the rest of the day, I'll be reviewing the smart contract code for various bugs.
What challenges do you face in this field?
Miles:
Web3 is moving so fast that when I first joined it felt like I was just playing catch-up.
Does blockchain or other Web3 technologies provide any specific technical capabilities that make information security tasks easier or more difficult?
Miles:
While there are many advantages to highlight, I must point out one pain point. Blockchain introduces a playing field where attackers can actually profit by executing exploits. In a Web2 world, an attacker could shut down a major service, steal some data, sell malware/0-days, etc., and while it might be profitable and cost other parties money, it's not worth the time, effort, and risk of committing these types of malicious actions. But in a Web3 world, attackers can steal over $300 million from a single vulnerability. So distributed ledger technology inherently brings these new risks for security professionals to contend with.
Katelyn Perna is the Vice President of Security Strategy and Digital Asset Custody at BlockFi, a US-based cryptocurrency trading platform that offers a variety of financial products including loans and crypto credit cards.
Can you tell us about your current role?
Katelyn:
As BlockFi's VP of Security Strategy and Digital Asset Custody, I am responsible for building out our security program.
The Security Strategy and Digital Asset Custody teams are primarily responsible for ensuring the security of BlockFi's native encryption technology. The team has a very unique and specialized skill set spanning cybersecurity, blockchain technology, cryptocurrency security and custody, covering almost all digital assets. We specialize in cryptocurrency security, cryptography, key management, on-chain protocols, and Web3 security.
What does your team focus on?
Katelyn:
For a long time, my daily work has mainly focused on cryptocurrencies, which can be analyzing assets and various on-chain protocols, building technologies and solutions for asset storage, custody and key management, and analyzing smart contract vulnerabilities.
How did you get started with Web3? What piqued your interest?
Katelyn:
My background is traditional web security before Web3/Blockchain. I first learned about cryptocurrencies in 2016 and was instantly hooked. I was doing web work for large tech and banking companies at the time, and I quickly realized there was a need for improvement in traditional financial services.
I see the great potential of blockchain technology and cryptocurrencies in technology and banking to allow society to manage their own data and money with fewer third-party intermediaries, and I want to be a part of it. However, building new funds, platforms and cultures is not easy, let alone doing so safely and reliably. As we focus on putting power and control into the hands of users, I am most interested in the possibilities and the different "faces of society". I told myself that I would spend the next 5 years working in the blockchain/cryptocurrency space and see how it goes.
What challenges do you face in this field?
Katelyn:
One of the challenges is that this is a completely new technology. Blockchain and cryptocurrencies have not been around for a long time, and thinking about managing billions of dollars puts a huge responsibility on the security of these companies.
In general, I think technical talent, especially in security, is currently scarce in the Web3 space.
Further challenges include:
A general lack of education and awareness among users and institutions in the Web3 space has created a large knowledge gap in technology and security.
Ensuring the real security needed to manage billions of dollars. There are no shortcuts. Security may vary by asset and underlying protocol. This requires rigorous investigation and due diligence.
Blockchain interoperability and security are challenging, especially when it comes to smart contract logic and key management. Managing nodes and securing nodes in a scalable manner is also a significant challenge.
Does blockchain or other Web3 technologies offer any specific technical capabilities that make information security easier or more difficult?
Katelyn:
The shift from Web2 to Web3 has brought about a massive shift in mindset around security, privacy.
In Web2, we're going to let someone (bank, technology, etc.) do everything for us - all we need to manage is a password and maybe 2FA.
Not so with Web3. Web3 will be worse if you don't know what you're doing in Web2. Managing your own assets and data yourself, i.e. being your own "bank", sounds good (and it is), but you have to learn the work: you have to know how to manage wallets, private keys, and you have to think about security.
For CeFi or institutions, this job needs to be 10x faster! (CeFi, or centralized finance, aims to provide benefits similar to DeFi through the ease of use and security of traditional finance.)
Additionally, airdrop scams and targeted phishing campaigns in the Web3 ecosystem will continue to evolve.
What would you say to an information security professional who doesn't like blockchain technology?
Katelyn:
Blockchain technology isn’t actually new, it’s just a fusion of different technologies that have been around for decades in different ways.
Web3 supports more autonomy and decentralized applications. This is a good thing. Because no single company should own all of the user's data or money or anything.
Safety is always the driving factor.
Technology can do many things, and as information security professionals we should do our best to ensure that it can be used as safely as possible.
What's the single most important piece of advice you would give an information security professional interested in Web3?
Katelyn:
Never judge anything just by its face. Just because someone says it's true doesn't make it true. No one has all the answers, and no one has everything. Challenge yourself and everyone you meet. The Web3 industry needs information security.
Bobby Tonic is a security engineer at a digital payments company. In the past, he was a consultant for security firm Trail of Bits, where he led teams that performed complex security audits.
What are the biggest challenges facing Web3 organizations?
Bobby:
Before assuming my current role, I engaged with various Web3 organizations. I find that they often face similar challenges to traditional organizations. Among these challenges, understanding the intricacies of the technology used in the system and being able to ensure the correctness of its application design are two of the most noteworthy.
Failure to successfully address these challenges can have disastrous consequences for Web3 organizations, as attackers often have full access to the source code of their systems and applications at any time.
Therefore, it has become the consensus that Web3 organizations should develop their applications and infrastructure and then submit them to third-party security research companies for review. Doing so promises customers that the design and implementation of the application have been adversarially tested, and demonstrates the organization's due diligence and accountability to its future customers.
What information security research is most needed for Web3 today?
Bobby:
In my opinion, the most influential research in information security for a mature Web3 is testing Web3 systems and applications. As third-party security personnel, rather than developers, we pay attention to the security aspects of the design, which saves time and speeds up subsequent development work.
Additionally, Web3 typically requires developers to implement boilerplate for the system under test, causing them to spend time setting up the test system instead of actually developing the tests with the tool. We see this in various testing techniques such as fuzzing and property testing. These issues greatly discourage most developers who wish to use these testing techniques in their daily development work.
Risk warning:
According to the "Notice on Further Preventing and Dealing with the Risk of Hype in Virtual Currency Transactions" issued by the central bank and other departments, the content of this article is only for information sharing, and does not promote or endorse any operation or investment behavior. Do not participate in any illegal financial activity.
