Blockchain Security Program
To be meaningful, blockchain security needs to go beyond point-in-time audits
and assessments.
How to Start
When building out a new security program, it’s most important to align on the objectives you want to accomplish. We’ve included recommended objectives below, but your team may want to add additional goals and values. Next, we suggest separating out your approach into 4 areas: Culture, Robustness, Operations and Response. Although each organization has different needs, we’ve included recommended controls and practices you can implement in each area. The most important aspect is recognizing this is a process, and no single assessment or audit alone can maximize the safety and security of your product.
PREPARE FOR AN ASSESSMENTThe Objective of a Blockchain
Company’s Security Program
-
1
Create products that are:
- Safe to use
- Implement expected behavior
- Robust against an attack
- Minimizes bugs and reduces attack surface
-
2
Responds to threats in case of attack to:
- Minimize the impact
- Minimize downtime
- Recover fast
- Maintain community trust
Four-Pillar Approach
We recommend dividing your security program into four pillars
of focus to make management, operations and measurement easier for your team.
Culture
Creating a culture that prioritizes security and sets up your organization for success. Start with defining your security strategy, and then ensure practices throughout your organization are aligned.
- Defined security strategy, policies, and procedures
- Defined roles and responsibilities for risk management
- Proper documentation
- Following community standards
- Threat modeling
- Secure SDLC practices
- Developer security education
Robustness
Building in robustness to your product creates a layer of controls to reduce the likelihood and impact of an attack against your organization. We emphasize practices to reduce vulnerabilities and ensure code matches intention.
- Security Architecture and Design Review
- Comprehensive Test Cases
- External Code and Logic Assessments before any major release
- All Web2 and Web3 components should be included
- Penetration Testing of Web2 components (and Web3 if it makes sense)
- Risk acceptance process with proper approval chains
- Defined Change management process
- Allow time for community commentary of an open source project
- Deployed Security Tooling integrated into CI/CD pipeline
Operations
Maintaining visibility and awareness of your product’s operations and security posture ensures your organization can respond to threats and minimize their impact.
- Realtime Monitoring for anomalous behavior
- Automated response process to mitigate attacks
- Official Bug Bounty Program
- Defined communications path for community engagement
- Confidential reporting of security issues
- Private, secured repository for security patches and issue tracking
Response
The likelihood your team is aware of vulnerabilities after your product launches is extremely high, if not a certainty. Without response mechanisms built into your product, your end users would be at risk.
- Secure upgrade path for on-chain and off-chain components
- Deployable countermeasures built into the contract
- We recommend conforming to community standards for your product, but at minimum be able to pause your contract to prevent further exploitation while you prepare a patch
- Create and test an Incident Response Plan
- Consider Cyber Insurance
- Establish partnerships with response providers before an incident
- Automated response capabilities on-chain and off-chain
-
Culture
Build in Security Foundations
Learn more >> -
Robustness
Build in Strengthening Measures
Learn more >> -
Operations
Build in Visibility Priorities
Learn more >> -
Response
Build in Threat/Breach Mitigation Activity
Learn more >>
Culture
Creating a culture that prioritizes security and sets up your organization for success. Start with defining your security strategy, and then ensure practices throughout your organization are aligned.
- Defined security strategy, policies, and procedures
- Defined roles and responsibilities for risk management
- Proper documentation
- Following community standards
- Threat modeling
- Secure SDLC practices
- Developer security education
Robustness
Building in robustness to your product creates a layer of controls to reduce the likelihood and impact of an attack against your organization. We emphasize practices to reduce vulnerabilities and ensure code matches intention.
- Security Architecture and Design Review
- Comprehensive Test Cases
- External Code and Logic Assessments before any major release
- All Web2 and Web3 components should be included
- Penetration Testing of Web2 components (and Web3 if it makes sense)
- Risk acceptance process with proper approval chains
- Defined Change management process
- Allow time for community commentary of an open source project
- Deployed Security Tooling integrated into CI/CD pipeline
Operations
Maintaining visibility and awareness of your product’s operations and security posture ensures your organization can respond to threats and minimize their impact.
- Realtime Monitoring for anomalous behavior
- Automated response process to mitigate attacks
- Official Bug Bounty Program
- Defined communications path for community engagement
- Confidential reporting of security issues
- Private, secured repository for security patches and issue tracking
Response
The likelihood your team is aware of vulnerabilities after your product launches is extremely high, if not a certainty. Without response mechanisms built into your product, your end users would be at risk.
- Secure upgrade path for on-chain and off-chain components
- Deployable countermeasures built into the contract
- We recommend conforming to community standards for your product, but at minimum be able to pause your contract to prevent further exploitation while you prepare a patch
- Create and test an Incident Response Plan
- Consider Cyber Insurance
- Establish partnerships with response providers before an incident
- Automated response capabilities on-chain and off-chain
-
Culture
Build in Security Foundations
Learn more >> -
Robustness
Build in Strengthening Measures
Learn more >> -
Operations
Build in Visibility Priorities
Learn more >> -
Response
Build in Threat/Breach Mitigation Activity
Learn more >>
We're here to help.
Security is a journey, not a destination. We are here to walk that journey with you. If you want help designing, operating or validating your blockchain security program reach out to us.