
Is the security risk daunting? How should we respond?

Time: 26/10/2021 Author: z60cvn
Is the world of Web3 and blockchain as daunting as it sounds? Jackie Singh, chief incident response officer of the Biden campaign and former Intel incident response director, interviewed Web3 security practitioners to understand their views on the challenges and opportunities of protecting Web3 technology.

Last December, when Jason, my partner in the s.t.o.p company, unexpectedly received an invitation to join an NFT marketplace startup as a senior software engineer, I was very nervous at first. Despite the recent fluctuations in the cryptocurrency market, my concerns have faded over time. Jason's career shift to Web3 has also helped me understand more about his work, including permissionless use by all users, open-source design through GitHub, open cooperation with third-party developers and the establishment of partnerships with NFT artists. Compared with his previous work in traditional finance, this is a refreshing change! The Solidity community has strong cohesion, but as an information security professional, I also have questions about the risks of widespread fraud, "technology solutionism" and large-scale illegal acts that hinder the rise of Web3.

"Many Web3 developers give priority to security in their development process to prevent vulnerabilities, which is good, but more work needs to be done," Robert Wallace, senior director at the cybersecurity company Mandiant, wrote in a readme. "Prevention is the premise, but detection and audit are also necessary. I'm glad to see more research on threat detection and response in Web3." Over the years, Wallace has worked with his consulting team on security incidents at several Web3 companies. He pointed out that hackers exploiting smart contracts have carried out some of the largest hacking attacks on DeFi to date. "Another challenge is attacks on Web3 developers, who may not have a security team monitoring the system at all times," Wallace said. "This may lead to the theft of keys, leading to massive theft from Web3 companies and even centralized exchanges."

1. Miles Nolan is a senior blockchain security analyst at Kudelski Security, a cybersecurity company that now includes blockchain in its business scope.

I work as a blockchain security analyst in Kudelski's application security team. We mainly audit vulnerabilities in Web3 applications and smart contract code. I am personally engaged in smart contract audit and review. I became interested in it in my third year of college, where I received a degree in management information systems. That was in 2017: there was a crazy "bull market" in bitcoin, and DeFi began to appear on a small scale. My passion for technology and finance, coupled with crazy speculation, led me to jump into this field and absorb any knowledge I could learn. I am what most people in this field call a "smart contract auditor". I spend most of my time reviewing smart contract code for vulnerabilities.

On a typical workday, I review or write code unrelated to the project I am auditing in the first hour of the day, which helps me warm up. In the next hour I check the documentation for the blockchain I am working on. Things in Web3 change every day, so I have to keep learning. For the rest of the day, I review the smart contract code for errors. Although there are many advantages to be emphasized, I must point out a pain point. The blockchain introduces a competitive environment in which attackers can actually profit by exploiting vulnerabilities. In the web2 world, attackers can shut down a major service, steal some data, sell malware or 0-days, etc. Although this may be profitable and cause financial losses to other parties, it is often not worth the time and risk of carrying out these types of malicious acts. But in the Web3 world, an attacker can steal more than $300 million from a single vulnerability. Therefore, distributed ledger technology inherently brings these new risks for security professionals to deal with.

2. Katelyn Perna is the vice president of security strategy and digital asset custody at BlockFi, a US-based cryptocurrency trading platform that provides a variety of financial products including loans and crypto credit cards.

The security strategy and digital asset custody team is mainly responsible for ensuring the security of BlockFi's native crypto technology. The team has a very unique and professional combination of skilled personnel, covering cybersecurity, blockchain technology, cryptocurrency security and custody, across almost all digital assets. We focus on cryptocurrency security, cryptography, key management, on-chain protocols and Web3 security. For a long time, my daily work has mainly focused on cryptocurrency, which can mean the analysis of assets and various on-chain protocols, the construction of technologies and solutions for asset storage, custody and key management, and the analysis of smart contract vulnerabilities. Before Web3 and blockchain, my background was traditional cybersecurity. I first learned about cryptocurrency in 2016 and was soon fascinated. At that time, I was doing network work for large technology and banking companies. I soon realized that traditional financial services needed to be improved. I saw the great potential of blockchain technology and cryptocurrency in the technology and banking industries, which can enable society to manage its own data and funds through fewer third-party intermediaries. I wanted to be one of them.

However, it is not easy to establish new funds, platforms and cultures, let alone to do so safely and reliably. When we focus on handing power and control to users, I am most interested in the various possibilities and different "social faces". I told myself that I would work in the blockchain and cryptocurrency field for the next five years, and then see how the situation is. One of the challenges is that this is a completely new technology. Blockchain and cryptocurrency haven't been around for a long time. Think about how managing billions of dollars places a huge responsibility on the security of these companies. Ensuring the true security needed to manage billions of dollars has no shortcut. Security may vary by asset and underlying protocol. This requires rigorous investigation and due diligence. Blockchain interoperability and security are challenging, especially in smart contract logic and key management. Managing and protecting nodes in a scalable manner is also a major challenge.

In web2, we want someone (a bank, a technology company, etc.) to do everything for us: all we need to manage is a password and perhaps 2FA. Web3 is not like that. If you don't know what you are doing in web2, Web3 will be worse. Managing your own assets and data, that is, becoming your own "bank", sounds good (and it is true), but you must learn these jobs: you must understand how to manage your wallet and private key, and you must consider security. For CeFi or institutions, this workload is multiplied by 10! (CeFi, i.e. centralized finance, aims to provide benefits similar to DeFi through the ease of use and security of traditional finance.) Web3 supports more autonomy and decentralized applications. This is a good thing, because no company should have all of a user's data or money or anything else. Never judge anything on the surface. Just because someone says it's true doesn't make it true. No one knows all the answers, and no one knows everything. Challenge yourself and everyone you meet. The Web3 industry needs information security.

3. Bobby Tonic is a security engineer for a digital payment company. In the past, he was a consultant at the security company Trail of Bits, where he led a team performing complex security audits.

Before taking up my current position, I worked with various Web3 organizations. I find that they often face challenges similar to those of traditional organizations. Among these challenges, understanding the complexity of the technology used in the system and ensuring the correctness of its application design are the two most noteworthy. For Web3 organizations, failure to successfully address these challenges can have disastrous consequences, as attackers can often view the source code of their systems and applications at any time. Therefore, it has become a consensus that Web3 organizations develop their applications and infrastructure and submit them to third-party security research companies for review. Doing so can promise customers that the design and implementation of the application have been adversarially tested, and shows the organization's due diligence and responsibility to its future customers.

In my opinion, for a mature Web3, the most influential information security research is the testing of Web3 systems and applications. As third-party security personnel, we focus on the security aspects of the design instead of the developers. This saves time and speeds up follow-up development work. In addition, Web3 usually requires developers to write boilerplate for the system under test, which leads them to spend time building the test setup instead of actually developing tests with the tools. We can see this in various testing techniques, such as fuzzing and property-based testing. These problems greatly discourage most developers who want to use these testing techniques in their daily development work. It's not that developers don't want to use these techniques, or don't know they exist, but there is a lot of "friction" when using them!
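The property-based testing that Tonic describes is easier to picture with a concrete harness. The following is an added example, not code from the article or from any of the companies interviewed: a constructed in-memory token ledger with ERC-20-style transfer, approve and transferFrom, a deliberately defective variant whose transferFrom forgets to decrement the allowance (a constructed bug for illustration), and a small random-operation harness that checks ledger invariants (total supply conserved, no negative balances, recorded allowances agreeing with a reference model) after every step. The account names, amounts and seed are all constructed sample inputs.

```python
import random
from collections import defaultdict


class Token:
    """Minimal in-memory ledger with ERC-20 style transfer / approve / transferFrom.

    Constructed for this example; it is not any real contract's code.
    """

    def __init__(self, supply, owner):
        self.total_supply = supply
        self.balances = defaultdict(int, {owner: supply})
        self.allowances = defaultdict(int)  # (owner, spender) -> remaining allowance

    def transfer(self, sender, to, amount):
        if amount < 0 or self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] += amount

    def approve(self, owner, spender, amount):
        if amount < 0:
            raise ValueError("negative allowance")
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if amount < 0 or self.allowances[(owner, spender)] < amount:
            raise ValueError("insufficient allowance")
        if self.balances[owner] < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] -= amount  # spend the allowance
        self.balances[owner] -= amount
        self.balances[to] += amount


class BuggyToken(Token):
    """Constructed defect: transfer_from moves funds but never decrements the allowance,
    so a spender approved once can drain the owner repeatedly."""

    def transfer_from(self, spender, owner, to, amount):
        if amount < 0 or self.allowances[(owner, spender)] < amount:
            raise ValueError("insufficient allowance")
        if self.balances[owner] < amount:
            raise ValueError("insufficient balance")
        self.balances[owner] -= amount
        self.balances[to] += amount


def check_invariants(token, model_allowance):
    """Return a description of the first violated invariant, or None if all hold."""
    if sum(token.balances.values()) != token.total_supply:
        return "total supply not conserved"
    if any(b < 0 for b in token.balances.values()):
        return "negative balance"
    for key, expected in model_allowance.items():
        if token.allowances[key] != expected:
            return f"allowance {key} is {token.allowances[key]}, model says {expected}"
    return None


def run_property_test(token_cls, rounds=300, seed=1):
    """Drive the ledger with random operations and check invariants after each one.

    Returns None when every step kept the invariants, otherwise a string naming the
    failing step and invariant (the counterexample an auditor would start from).
    """
    rng = random.Random(seed)  # fixed seed so a failure is reproducible
    accounts = ["alice", "bob", "carol"]  # constructed sample accounts
    token = token_cls(1000, "alice")
    model_allowance = defaultdict(int)  # reference model of what allowances should be
    for step in range(rounds):
        op = rng.choice(["transfer", "approve", "transfer_from"])
        owner, spender, to = [rng.choice(accounts) for _ in range(3)]
        amount = rng.randint(0, 50)
        try:
            if op == "transfer":
                token.transfer(owner, to, amount)
            elif op == "approve":
                token.approve(owner, spender, amount)
                model_allowance[(owner, spender)] = amount
            else:
                token.transfer_from(spender, owner, to, amount)
                model_allowance[(owner, spender)] -= amount
        except ValueError:
            continue  # a rejected operation is legitimate; state must be unchanged
        failure = check_invariants(token, model_allowance)
        if failure:
            return f"step {step} ({op} {amount}): {failure}"
    return None


if __name__ == "__main__":
    print("correct ledger:", run_property_test(Token))
    print("buggy ledger:  ", run_property_test(BuggyToken))
```

The correct ledger survives every random sequence, while the defective one is reported at the first successful non-zero transferFrom, because the ledger's allowance no longer matches the reference model. The point is that the reusable part of such a harness is exactly the scaffolding (random operation generator, reference model, invariant checks) that developers otherwise rebuild per project; once it exists, adding an invariant is one function.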