When Jason, my partner at S.T.O.P., unexpectedly received an offer to join an NFT marketplace startup as a senior software engineer last December, I was nervous at first.
Deciding to work in a potentially unstable job in a new industry seemed daunting, especially as a family with young children.
Despite the recent volatility in the cryptocurrency market, my concerns faded over time, and Jason's career shift to Web3 has allowed me to learn more about his work, including license-free access for all users, designing open source code on GitHub, working openly with third-party developers, and building partnerships with NFT artists. It was a refreshing change from his previous work in traditional finance!
Truth be told, I know the Web3 community is strong and cohesive, but as an information security professional, I also have questions about the widespread fraud, the risk of "technical solutionism" and the massive lawlessness that has prevented Web3 from rising to prominence.
"It's great that many Web3 developers are prioritizing security in their development process to prevent vulnerabilities, but there's more work to be done," Robert Wallace, a senior executive at cybersecurity firm Mandiant, wrote in a self-reported paper. "Prevention is a prerequisite, but detection and auditing are also necessary. It's great to see more research on threat detection and response in Web3."
Over the years, Wallace has worked with his team of consultants to respond to security incidents at several Web3 companies. He noted that hacks using smart contracts have resulted in some of the largest hacks to date in "DeFi".
"Another challenge is attacks on Web3 developers who may not have a security team monitoring the system at all times," Wallace said, "which can lead to key theft, resulting in huge thefts from Web3 companies or even centralized exchanges."
I asked three experts with experience in Web3 security to share some of their insights and explain their day-to-day work.
Miles Nolan is a senior blockchain security analyst at cybersecurity firm Kudelski Security, which now also includes blockchain in its business.
What do you and your team do at Kudelski Security?
Miles:
I work as a blockchain security analyst on Kudelski's application security team. We primarily audit Web3 applications and smart contract code for vulnerabilities. I personally work on smart contract audits/reviews.
How did you get started with Web3?
Miles:
I became interested in my third year of college. I got my degree in 'Management Information Systems'. It was in 2017 when there was a crazy "bull market" in Bitcoin and DeFi started popping up on a small scale. My passion for technology and finance combined with the crazy hype made me jump into the field and absorb whatever knowledge I could learn.
What is a typical day like for you?
Miles:
I'm what most people in the space call a "smart contract auditor". I spend most of my time reviewing smart contract code for bugs. On a typical work day, I'll spend the first hour of the day reviewing/writing code that is not related to the project I'm auditing, which helps me warm up. I will spend the next hour reviewing documentation related to the blockchain I am working with. Things change daily in Web3, so I have to stay informed. For the rest of the day, I'll be reviewing various bugs in the smart contract code.
What are some of the challenges you face in this area?
Miles:
Web3 is evolving so fast that when I first joined, it felt like I was always playing catch-up.
Does blockchain or other Web3 technologies offer any specific technical capabilities that make the task of information security easier or more difficult?
Miles:
While there are many advantages to highlight, I must point out one pain point. Blockchain introduces a competitive environment where an attacker can actually profit from executing a vulnerability. In a Web2 world, an attacker could shut down a major service, steal some data, sell malware/0-days, etc. While this may be profitable and cause financial loss to other parties, it's not worth the time and risk to execute these types of malicious acts. But in the Web3 world, an attacker could steal more than $300 million from a single breach. So distributed ledger technology inherently brings these new risks for security professionals to deal with.
Katelyn Perna is vice president of security strategy and digital asset custody at BlockFi, a U.S.-based cryptocurrency trading platform that offers a variety of financial products including loans and crypto credit cards.
Can you tell us a little bit about your current role?
Katelyn:
As the Vice President of Security Strategy and Digital Asset Custody at BlockFi, I am responsible for building our security program.
The Security Strategy and Digital Asset Custody team is primarily responsible for ensuring the security of BlockFi's native cryptography. The team has a very unique and specialized mix of skill sets across cybersecurity, blockchain technology, cryptocurrency security and escrow, covering almost all digital assets. We specialize in cryptocurrency security, cryptography, key management, on-chain protocols, and Web3 security.
What does your team focus on?
Katelyn:
It has always been my day job to focus on cryptocurrencies, which can be analyzing assets and various on-chain protocols, building technologies and solutions for asset storage, escrow and key management, and analyzing smart contract vulnerabilities.
How did you get started with Web3? What piqued your interest?
Katelyn:
Prior to Web3/blockchain, my background was in traditional cybersecurity. I first learned about cryptocurrencies in 2016 and was quickly hooked. I was working in cyber for large tech and banking companies at the time, and I quickly realized that improvements were needed in traditional financial services.
I saw the huge potential of blockchain technology and cryptocurrencies in tech and banking to allow societies to manage their own data and money with fewer third-party intermediaries, and I wanted to be a part of that. However, building new funds, platforms and cultures is not easy, not to mention difficult to do safely and securely. As we focus on putting power and control in the hands of users, I am most interested in the possibilities and the different "social landscapes". I told myself I would work in the blockchain/cryptocurrency space for the next 5 years and see how it goes.
What are some of the challenges you face in the field?
Katelyn:
One of the challenges is that this is a completely emerging technology. Blockchain and cryptocurrencies haven't been around for very long, and think about the huge responsibility managing billions of dollars can bring to the security of these companies.
Overall, I think technical talent, especially in security, is scarce in the Web3 space right now.
Further challenges include:
A general lack of education and awareness among users and organizations in the Web3 space, creating a huge knowledge gap in technology and security.
Ensuring the true security needed to manage billions of dollars. There are no shortcuts. Security can vary by asset and underlying protocol. This requires rigorous investigation and due diligence.
Blockchain interoperability and security is challenging, especially in terms of smart contract logic and key management. Managing nodes and protecting them in a scalable manner is also a major challenge.
Does blockchain or other Web3 technologies provide any specific technical capabilities that make information security easier or more difficult?
Katelyn:
The shift from Web2 to Web3 has brought about a huge shift in the way of thinking around security and privacy.
In Web2, we had to let someone (the bank, technology, etc.) do everything for us - all we had to manage was a password and maybe 2FA.
That's not the case with Web3. If you don't know what you're doing in Web2, Web3 is worse. Managing your own assets and data - being your own "bank" - sounds good (and it is), but you have to learn the work: you have to understand how to manage your wallet, your private keys, and you have to think about security.
For CeFi or institutions, this job needs to be improved 10 times! (CeFi, or centralized finance, aims to provide similar benefits to DeFi through the ease of use and security of traditional finance.)
In addition, airdrop scams and targeted phishing in the Web3 ecosystem will still continue to evolve.
What would you say to information security professionals who don't like blockchain technology?
Katelyn:
Blockchain technology isn't really new, it's just a different blend of a number of different technologies that have been around for decades.
Web3 supports more autonomy and decentralized applications. That's a good thing. Because no one company should own all of the user's data or money or anything.
Security is always the driving factor.
Technology can do a lot of things, and as information security people, we should do our best to make sure it can be used as securely as possible.
What is the single most important piece of advice you would give to an information security professional interested in Web3?
Katelyn:
Never judge anything on its face. Just because someone says it's true, doesn't make it true. No one knows all the answers, and no one knows everything. Challenge yourself and everyone you meet. The Web3 industry needs information security.
Bobby Tonic is a security engineer for a digital payments company. In the past, he was a consultant for the security firm Trail of Bits, where he led the team that performed complex security audits.
What are the biggest challenges facing Web3 organizations?
Bobby:
Before taking on my current role, I was involved with a wide variety of Web3 organizations. I found that they often faced challenges similar to those of traditional organizations. Among these challenges, understanding the complexity of the technology used in the system and being able to ensure that their application design is correct are two of the most notable.
For Web3 organizations, failure to successfully address these challenges can have disastrous consequences, as attackers often have ready access to the source code of their systems and applications.
As a result, it has become a consensus for Web3 organizations to develop their applications and their infrastructure and submit them to third-party security research firms for review. Doing so promises customers that the design and implementation of the application has been tested against them and demonstrates the organization's due diligence and responsibility to its future customers.
What information security research is most needed for today's Web3?
Bobby:
In my opinion, the most impactful research in information security for mature Web3 is testing Web3 systems and applications. We, as third-party security personnel, take the place of developers to focus on the security aspects of the design, which saves time and speeds up subsequent development efforts.
In addition, Web3 often requires developers to implement prototypes for the system under test, resulting in time spent building test systems rather than actually developing tests with tools. We see this in a wide variety of testing techniques, such as fuzzing and attribute testing. These issues greatly dissuade most developers who wish to use these testing techniques in their daily development work.
It's not that developers don't want to use these testing techniques, or that they don't know they exist, but there is a lot of "friction" in using them!
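Bobby's answer describes the friction of property-based ("attribute") testing and fuzzing in Web3: before any property can be checked, the developer has to build a harness around the system under test. The following added example (not Bobby's code, and not from Trail of Bits or any project named in this interview) shows what such a harness looks like in miniature. It models a token ledger in plain Python instead of a real smart contract so that it runs offline; the `Token`, `StaleReadToken`, `ACCOUNTS` and the two invariants are constructed for illustration. The harness drives random transfer sequences, checks a conservation invariant (the sum of balances must always equal the total supply) after every step, and shrinks any failing sequence to a smaller counterexample. The second ledger carries a classic stale-read bug that only a self-transfer exposes, which is exactly the kind of case a random-sequence property test finds and a hand-written unit test tends to miss.

```python
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy ledger standing in for a fungible-token contract (assumption:
# not real Solidity, no gas, no reverts; a failed transfer just returns False).
class Token:
    """Minimal token ledger: per-account balances plus a fixed total supply."""

    def __init__(self, owner: str, supply: int) -> None:
        self.total_supply = supply
        self.balances: Dict[str, int] = {owner: supply}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> bool:
        if amount < 0 or self.balance_of(sender) < amount:
            return False  # a real contract would revert here
        # Debit, then credit, each from the current state: a self-transfer is a no-op.
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount
        return True


class StaleReadToken(Token):
    """Same ledger, but transfer() reads both balances before writing either.
    When sender == to, the credit overwrites the debit and tokens are minted
    out of thin air. This is a classic bug class auditors look for."""

    def transfer(self, sender: str, to: str, amount: int) -> bool:
        if amount < 0 or self.balance_of(sender) < amount:
            return False
        sender_bal = self.balance_of(sender)  # stale read
        to_bal = self.balance_of(to)          # stale read
        self.balances[sender] = sender_bal - amount
        self.balances[to] = to_bal + amount
        return True


# Invariants: properties that must hold after every step, whatever the inputs.
def conservation(t: Token) -> bool:
    return sum(t.balances.values()) == t.total_supply

def no_negative_balance(t: Token) -> bool:
    return all(b >= 0 for b in t.balances.values())

INVARIANTS: Dict[str, Callable[[Token], bool]] = {
    "conservation": conservation,
    "no_negative_balance": no_negative_balance,
}

ACCOUNTS = ["alice", "bob", "carol"]  # constructed sample accounts
Step = Tuple[str, str, int]


def fuzz_invariants(factory: Callable[[], Token], runs: int = 200,
                    steps: int = 20, seed: int = 0) -> Optional[Tuple[str, List[Step]]]:
    """Run random transfer sequences against a fresh ledger and check every
    invariant after each step. Returns (invariant_name, trace) for the first
    violation found, or None if every run passes."""
    rng = random.Random(seed)  # fixed seed so a failure is reproducible
    for _ in range(runs):
        token = factory()
        trace: List[Step] = []
        for _ in range(steps):
            sender = rng.choice(ACCOUNTS)
            to = rng.choice(ACCOUNTS)
            amount = rng.randint(0, token.balance_of(sender))  # always affordable
            token.transfer(sender, to, amount)
            trace.append((sender, to, amount))
            for name, check in INVARIANTS.items():
                if not check(token):
                    return name, trace
    return None


def shrink_trace(factory: Callable[[], Token], name: str, trace: List[Step]) -> List[Step]:
    """Greedy shrinking: drop one step at a time while the violation persists,
    so the reported counterexample is as short as possible."""
    check = INVARIANTS[name]

    def still_fails(steps: List[Step]) -> bool:
        token = factory()
        for s, t, a in steps:
            token.transfer(s, t, a)
        return not check(token)

    i = 0
    while i < len(trace):
        candidate = trace[:i] + trace[i + 1:]
        if still_fails(candidate):
            trace = candidate
        else:
            i += 1
    return trace


if __name__ == "__main__":
    print("correct ledger:", fuzz_invariants(lambda: Token("alice", 1000)))
    found = fuzz_invariants(lambda: StaleReadToken("alice", 1000))
    if found:
        name, trace = found
        print(f"{name} violated; shrunk trace:",
              shrink_trace(lambda: StaleReadToken("alice", 1000), name, trace))
```

The harness is the part Bobby calls friction: the invariants are two lines each, but the random driver, the affordability rule for generated amounts and the shrinker have to exist before the first property can be checked. Any shrunk counterexample for `StaleReadToken` necessarily contains a self-transfer with a positive amount, because for distinct accounts the stale reads produce the same result as the correct ledger.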