Importance of DevSecOps in blockchain, decentralized protocols and applications
Security has always been one of the most important aspects of information technology, and today many organizations and their developers adopt security first when building applications.
These principles and actions are often collectively described as ‘DevSecOps’, which encompasses the entire culture and approach to application security. DevSecOps stands for development, security and operation. It aims to embed a security-first mindset into all aspects of information technology and infrastructure.
One of the newest and most exciting markets in information technology is blockchain, which comes with a giant ecosystem of decentralized protocols and applications that aim to take us into an updated version of the web, what many refer to as web3.
What is web3 and what exactly is a decentralized application?
The term web3 encompasses various concepts that focus on aspects of application architecture and user experience:
– Decentralization
– Transparency
– Immutability
– Programmability
– Transparency
These core concepts aim to give users back control over their identity using public key cryptography and increase the use of peer-to-peer economics through various blockchain mechanics and protocols. Many blockchains and their surrounding protocols can process advanced transactions and manage state using smart contracts that execute in isolated virtualized environments.
These are then synchronized across all nodes on the network through a mechanism called a consensus algorithm. This is a mechanism that allows users or nodes to coordinate in a distributed setting to ensure that all nodes in the system can agree on a single source of truth, even if some agents fail. In addition, many blockchains operate in a censorship-resistant manner by keeping their protocols open and permissionless.
What does the landscape look like?
There is an inherent risk in a blockchain-based architecture because the backbone of the network is typically powered by a digital, token-based cryptocurrency and usually has a monetary value. These tokens are held in addresses, usually stored in externally held accounts or within smart contracts. And since trust is also distributed using public key cryptography, every address on the network is vulnerable to attack.
The balance of each account is distributed across the network on what is known as the public ledger, visible for all to see, leaving an open window for hackers to target specific users or contracts. This makes privacy and anonymity a particularly important aspect for blockchain. Often people who manage these accounts are either targets of attacks or are given too much trust and may act in an illegal manner.
– Social engineering
– Poorly managed trust or keys
– Embezzlement and fraud
– Fraud
In addition, the technology footprint of these various blockchain technologies, protocols and decentralized applications is already large and growing rapidly. Therefore, it is important to think about the security implications of this rapidly growing ecosystem. Anything built with a core concept of decentralization has an increased landscape and therefore more attack points that should be carefully analyzed and secured.
Here are some points worth considering when auditing the security of your decentralized applications and technology infrastructure:
– Layer 1 Blockchains (Bitcoin and Ethereum)
– Create 2 blockchains (sidechains and digest)
– Smart contracts
– Compilers
– Software wallets
– Hardware wallets
– Blockchain clients (miners and validators)
– Custody exchange (centralized)
– DeFi exchanges (decentralized)
– Providers
– Marketplaces (NFT)
Common attack vectors in smart contracts
When we talk about DevSecOps in the development life cycle of an application, we usually refer to security-driven development. This is also known as the act of moving safety to the left. It’s one of the most important aspects of the DevSecOps culture, because it starts with developers thinking about security as code. Since blockchain-based smart contracts can store value and act as a bank, this makes the code in them extra vulnerable to attack and they should be written with strict security in mind.
We’ve seen several hacks targeting smart contracts, and the vulnerabilities are usually focused on exploiting the code. One of the biggest hacks in history took place last year when Poly Network, a cross-chain protocol, reported that an attacker hacked a smart contract, transferring the equivalent of $610 million by moving various assets to remote wallet addresses controlled by the hacker.
There are many vulnerabilities in smart contract development, but some of the most frequent attacks are:
– Underflow and Overflow – Typically occurs when arithmetic operations cause unsigned integers to reach their maximum byte size, causing the value to “wrap around” and can cause unexpected behavior in the business logic of your application.
– Contract re-entry – The act of exploiting a contract by re-entering, where the attacker usually withdraws more money than should be allowed.
– Transaction Front Running – This refers to the process by which someone uses technology or market advantage to gain advance knowledge of upcoming transactions.
– Poorly managed secrets.
– Poorly implemented access control.
What can you do to level the playing field?
– Build a safety-first cultureDevSecOps concepts are a great starting point for organizations looking to build a security culture.
– Carry out audits. Audits provide a new perspective on application logic and operational processes, help reveal vulnerabilities in code, and build confidence in the users of your application. MythX and Slither are good tools for auditing Ethereum’s smart contracts.
– Offer bug bounties and conduct testing of pens from the public. Crowd sourced security is a proven method for strengthening your security footprint. By placing your company in bug bounty programs and performing penetration testing of your applications and infrastructure, you can stay ahead of vulnerabilities and hacks.
– Adopt an open source strategy. The openness of your application is important in a technology like blockchain because it allows participants to opt in based on the verification and revisions of your code. In addition, having components that are open source provides more accountability for your project in a community setting.
– Implement multi-signature for administrative operations. Implementing smart contracts that adopt a multi-signature architecture for administrative functions such as transfer of ownership, funds and other critical operations will add an extra layer of security to your application.
Conclusion
Blockchain, decentralized applications and the various protocols around them are growing rapidly. These new and exciting ways to deploy applications have the potential to disrupt many different industries. However, it is important that we focus on a security first and implement a DevSecOps culture where possible.
About the author
Kevin Jones is Senior Product Manager for NGINX at F5. F5 is a multi-cloud application services and security company committed to bringing a better digital world to life. F5 works with the world’s largest, most advanced organizations to optimize and secure every app and API anywhere, including on-premises, in the cloud or at the edge. F5 enables organizations to offer exceptional, secure digital experiences for their customers and continuously stay ahead of threats.
Further reading
The first step in anyone’s journey into blockchain should be to read the associated whitepaper for the protocol you are building on.
Bitcoin Whitepaper
Ethereum Whitepaper
You can then study past hacks and vulnerabilities, even going as far as trying to reproduce the hack in your development environment.
To get a hands-on learning experience for security on Ethereum, I recommend the following capture the flag (CTF) programs where vulnerabilities or “flags” are hidden in targeted vulnerable programs or websites to learn the basics of security.
OpenZeppelin: The Ethernaut
Catch the ether
Featured image: ©Siahei
