Blockchain Security Program
To be meaningful, blockchain security needs to go beyond point-in-time audits
and assessments.
The Objective of a Blockchain
Company’s Security Program
-
1
Create products that are:
- Safe to use
- Implement expected behavior
- Robust against an attack
- Minimizes bugs and reduces attack surface
-
2
Responds to threats in case of attack to:
- Minimize the impact
- Minimize downtime
- Recover fast
- Maintain community trust
Four-Pillar Approach
We recommend dividing your security program into four pillars
of focus to make management, operations and measurement easier for your team.
Culture
Creating a culture that prioritizes security and sets up your organization for success. Start with defining your security strategy, and then ensure practices throughout your organization are aligned.
- Defined security strategy, policies, and procedures
- Defined roles and responsibilities for risk management
- Proper documentation
- Following community standards
- Threat modeling
- Secure SDLC practices
- Developer security education
Robustness
Building in robustness to your product creates a layer of controls to reduce the likelihood and impact of an attack against your organization. We emphasize practices to reduce vulnerabilities and ensure code matches intention.
- Security Architecture and Design Review
- Comprehensive Test Cases
- External Code and Logic Assessments before any major release
- All Web2 and Web3 components should be included
- Penetration Testing of Web2 components (and Web3 if it makes sense)
- Risk acceptance process with proper approval chains
- Defined Change management process
- Allow time for community commentary of an open source project
- Deployed Security Tooling integrated into CI/CD pipeline
Operations
Maintaining visibility and awareness of your product’s operations and security posture ensures your organization can respond to threats and minimize their impact.
- Realtime Monitoring for anomalous behavior
- Automated response process to mitigate attacks
- Official Bug Bounty Program
- Defined communications path for community engagement
- Confidential reporting of security issues
- Private, secured repository for security patches and issue tracking
Response
The likelihood your team is aware of vulnerabilities after your product launches is extremely high, if not a certainty. Without response mechanisms built into your product, your end users would be at risk.
- Secure upgrade path for on-chain and off-chain components
- Deployable countermeasures built into the contract
- We recommend conforming to community standards for your product, but at minimum be able to pause your contract to prevent further exploitation while you prepare a patch
- Create and test an Incident Response Plan
- Consider Cyber Insurance
- Establish partnerships with response providers before an incident
- Automated response capabilities on-chain and off-chain
-
Culture
Build in Security Foundations
Learn more >> -
Robustness
Build in Strengthening Measures
Learn more >> -
Operations
Build in Visibility Priorities
Learn more >> -
Response
Build in Threat/Breach Mitigation Activity
Learn more >>
Culture
Creating a culture that prioritizes security and sets up your organization for success. Start with defining your security strategy, and then ensure practices throughout your organization are aligned.
- Defined security strategy, policies, and procedures
- Defined roles and responsibilities for risk management
- Proper documentation
- Following community standards
- Threat modeling
- Secure SDLC practices
- Developer security education
Robustness
Building in robustness to your product creates a layer of controls to reduce the likelihood and impact of an attack against your organization. We emphasize practices to reduce vulnerabilities and ensure code matches intention.
- Security Architecture and Design Review
- Comprehensive Test Cases
- External Code and Logic Assessments before any major release
- All Web2 and Web3 components should be included
- Penetration Testing of Web2 components (and Web3 if it makes sense)
- Risk acceptance process with proper approval chains
- Defined Change management process
- Allow time for community commentary of an open source project
- Deployed Security Tooling integrated into CI/CD pipeline
Operations
Maintaining visibility and awareness of your product’s operations and security posture ensures your organization can respond to threats and minimize their impact.
- Realtime Monitoring for anomalous behavior
- Automated response process to mitigate attacks
- Official Bug Bounty Program
- Defined communications path for community engagement
- Confidential reporting of security issues
- Private, secured repository for security patches and issue tracking
Response
The likelihood your team is aware of vulnerabilities after your product launches is extremely high, if not a certainty. Without response mechanisms built into your product, your end users would be at risk.
- Secure upgrade path for on-chain and off-chain components
- Deployable countermeasures built into the contract
- We recommend conforming to community standards for your product, but at minimum be able to pause your contract to prevent further exploitation while you prepare a patch
- Create and test an Incident Response Plan
- Consider Cyber Insurance
- Establish partnerships with response providers before an incident
- Automated response capabilities on-chain and off-chain
-
Culture
Build in Security Foundations
Learn more >> -
Robustness
Build in Strengthening Measures
Learn more >> -
Operations
Build in Visibility Priorities
Learn more >> -
Response
Build in Threat/Breach Mitigation Activity
Learn more >>
We're here to help.
Security is a journey, not a destination. We are here to walk that journey with you. If you want help designing, operating or validating your blockchain security program reach out to us.