3 infosec pros demystify Web3 security
Is the world of blockchain as intimidating as it sounds? Information security consultant Jackie Singh interviewed Web3 security practitioners to get their perspectives on the challenges and opportunities in securing these new internet technologies.
Interviews have been edited and condensed for clarity.
When my partner, Jason, unexpectedly received an offer to join an NFT marketplace startup as a senior software engineer this past December, it initially made me nervous.
Deciding to take on potentially unstable work in a new industry seemed daunting, especially as a family with young children.
My fears wore off with time, despite recent market volatility in the cryptocurrency space. Jason’s career pivot into Web3 has given me a window into a line of work characterized by enabling individual users, engineering open-source code via Github, collaborating publicly with third parties and establishing partnerships with NFT artists. It was a refreshing change from his previous job in the world of traditional finance!
The collective energy in the Web3 community has inspired me. But as an infosec professional, I’ve also had questions about widespread scams, the risks of “techno-solutionism” and the massive breaches that have dogged Web3’s rise.
“Many Web3 developers prioritize security in their development process to help prevent security vulnerabilities, which is great, but there’s more work to do,” Robert Wallace, a senior director at cybersecurity company Mandiant, told README. “Prevention is what you aim for, but detection is what you must perfect. It would be great to see more research around threat detection and response in Web3.”
Wallace has responded to security incidents at various Web3 companies over the years alongside his team of consultants. He pointed out that hackers exploiting smart contracts have brought about some of the largest decentralized finance or “DeFi” hacks to date.
“Another challenge is attacks on Web3 developers who may not have a security team watching their back (or their endpoints, network and cloud systems),” Wallace said. “This has led to stolen keys which has resulted in huge thefts at not just Web3 companies but also centralized exchanges.”
I asked three experts with experience in Web3 security to share some of their insights on the fast-moving technology and decode their day-to-day work.
Here’s what they said:
Miles Nolan is a Senior Blockchain Security Analyst at Kudelski Security, a cybersecurity company with a burgeoning blockchain practice.
Miles works in Atlanta on a hybrid schedule. To keep his work/life balance on track, Miles engages in exercise, mindfulness meditation, yoga, and skateboarding. Additionally, as a member of the Emerging 100 Black Men of Atlanta, Miles volunteers to support underserved youth from local communities.
What do you and your team do at Kudelski Security?
Miles: I work within Kudelski’s application security team as a blockchain security analyst. We primarily audit both web application and smart contract code for vulnerabilities. I personally work on smart contract audits/reviews.
How did you get started in Web3?
Miles: I gained an interest during my junior year of college. I was getting a degree in [Management Information Systems], which is a combination of IT and business. This was in 2017 where Bitcoin had its crazy “bull run” and DeFi really started to make noise. My passion for both technology and finance plus the crazy hype led me to jumping in the space and soaking up whatever knowledge I could.
What is a typical day like for you?
Miles: I am what most people in the space refer to as a “smart contract auditor.” I spend most of my time reviewing smart contract code for vulnerabilities. On a typical workday, I spend the first hour of my day reviewing/writing code that’s not related to a project I’m auditing. This helps me warm up. I’ll spend the next hour reviewing documentation related to the chain I’m working with. Things in Web3 change daily, so I have to stay in the know. For the remaining hours of the day, I’m reviewing smart contract code for all sorts of bugs.
What are some of the challenges you have faced in this field?
Miles: Web3 moves insanely fast, and when I first jumped in it felt like I was always playing catch-up. This type of movement can be discouraging and at times I struggled with choosing to give it up in order to retain my sanity.
Are there any specific technical capabilities provided by blockchain or other Web3 tech which make the infosec mission easier or more difficult?
Miles: While there’s so much greatness to highlight, I have to note a major pain point. Blockchain has introduced a playing field where attackers can actually profit SIGNIFICANTLY by carrying out exploits. In the Web2 world, attackers could shut down a major service, steal some data, sell malware/0-days, etc. While that could be profitable and cause a loss of funds to other parties, it’s not worth the time and the risk for carrying out these types of malicious acts.
In the Web3 world, attackers can steal $300 million plus from one exploit alone. Distributed ledger technologies inherently create these new kinds of risk for security pros to tackle.
Katelyn Perna is Vice president of Security Strategy and Digital Asset Custody at BlockFi, a U.S.-based cryptocurrency exchange that provides various types of financial products including lending and credit cards.
While her company is based in New York City, Katelyn works from her home office in Atlanta. To support her work/life balance, she works outside, takes walks, and conducts mindful meditation. Besides her work at BlockFi, Katelyn also loves travel, fashion, photography, generative art, volunteering, and occasionally taking on consulting projects.
Can you give us an overview of your current role?
Katelyn: As BlockFi’s VP of Security Strategy and Digital Asset Custody, I am responsible for building out our security programs.
The Security and Digital Asset Custody team is primarily responsible for BlockFi’s native crypto technology and security. We have very unique and specialized skill sets spanning across cybersecurity, crypto asset security, and custodial solutions, covering a wide range of digital assets. We specialize in crypto asset security, cryptography, key management, on chain protocols, traditional cybersecurity, and Web3 security.
What do you and your team focus on?
Katelyn: These days, I primarily focus on crypto security and platforms. My typical day is heavy on the crypto side of things and can be anything from analyzing assets and various on-chain protocols, working with threat intel for crypto attacks, building technology and solutions for asset storage, custody and key management, analyzing smart contract vulnerabilities, and everything in between.
How did you get started in Web3? What drew your interest?
Katelyn: Prior to Web3/blockchain, most of my background was in traditional cybersecurity. I first learned about crypto in 2016 and was quickly hooked. I was in the Bay Area at the time working in cyber for big tech and banking companies and I quickly realized there were much needed improvements for financial services more broadly.
I saw so much potential for blockchain technology and cryptocurrency in both tech and banking to empower society to control their data and their money with fewer third-party intermediaries and I wanted to be a part of it. Additionally, these problems are HARD. It is not easy to build new money, platforms, and culture. It is even harder to do it safely and securely. I was mostly intrigued by the possibilities and how different society could look when we focus on putting the power and control in the hands of the consumer. I told myself I would spend the next 5 years working in blockchain/crypto and was just going to see how it went.
I was working for a big consulting firm at the time and found out who was running the crypto practice. There was one person they had tasked to “do something with crypto” so I pitched myself and moved to NYC to help start the blockchain practice for the firm. That was just the beginning and I can’t imagine working on anything else. There is still so much more to do!
What are some of the challenges you have faced in this field?
Katelyn: One of the challenges is that this is a totally nascent technology. Blockchain and crypto have not been around that long and to think about firms that have billions under management brings a ton of responsibility and gravity to the security of these firms. In general I think technical talent, especially on the security side, can be difficult to find.
Further challenges include:
- General lack of education and awareness in the space across end users and institutions creates a huge knowledge gap in tech as well as security.
- The true level of security and diligence that securing billions of dollars requires. There are no shortcuts. Security can vary based on the asset and the underlying protocol. This requires intense diligence and review for asset support.
- Blockchain interoperability and security is challenging, especially regarding smart contract logic and key management. Node management and securing nodes in a scalable way is also a major challenge.
- Insider threat can be more difficult to manage given the openness and decentralized nature of crypto.
What is the most satisfying part of your work? What motivates you to continue?
Katelyn: The most satisfying part of my work is solving hard, complex, technical problems. I think it is pretty cool to be solving for solutions that do not currently exist but are essential to the crypto ecosystem in the future. I enjoy knowing that the work we do today in this space will make a difference going forward. It is important to build what can endure the ever-changing landscape.
Are there any specific technical capabilities provided by blockchain or other Web3 tech which make the infosec mission easier or more difficult?
Katelyn: The transition from Web2 to Web3 brings a huge shift in the mindset around security culture. We are going from having someone (banks, tech, etc.) do everything for us — all we had to manage was a password and maybe 2FA.
Web3 is not that. If you didn’t know what you were doing in Web2, Web3 will be worse. Being your own bank sounds good (and it is) but you have to do the work. You have to understand how to manage wallets, private keys, etc. and you have to think about your own personal security and safety.
For CeFi/institutions this is 10x. [CeFi, or centralized finance, aims to offers similar yield benefits to DeFi with the ease of use and security of traditional finance.] Rug pulls, airdrop scams, advanced and targeted phishing attempts on Web3 ecosystems will only advance. Despite popular belief, security is not built in. All the same rules for Web2 security still apply in Web3. Web3 security issues are just added on to what we already deal with.
What would you say to infosec pros who dislike blockchain technologies?
Katelyn: Blockchain technology is not new in any way. It used the same technology that has been around for decades in a different way. It enables more self-sovereignty and distributed applications. That is a good thing. No one company or person should ever have all your data or money or anything really. It is a huge disruption to current models, but again, that is a good thing.
Security should always be an enabler. Technology can do a lot of things and as security professionals, we should do our best to enable it and ensure it can be used as safely as possible. Ask the hard questions, try to break something and then make it better.
What is the single most important piece of advice you would give to infosec pros who are interested in Web3?
Katelyn: Ask questions, and never take anything at face value. Do your own research. Just because someone says it is true, doesn’t make it true. No one has all the answers and no one knows everything there is to know. Challenge yourself and everyone you meet. The industry needs it.
Bobby Tonic is a security engineer at a San Francisco digital payments company. He was previously a consultant at the New York City-based security firm Trail of Bits, where he led and participated in teams that performed complex security audits.
Bobby works out of his home office in New York City. Outside of work, he’s typically on the hunt for new coffee spots and spends a decent amount of time (and money) finding quality roasters and new ways to brew coffee. He also pursues interdisciplinary studies as a student of clinical psychology with a focus on behavioral forensics.
What are some of the biggest challenges facing Web3 organizations?
Bobby: Prior to my current role, I engaged with a wide variety of Web3 organizations. I’ve found that they often struggle with challenges similar to those in more traditional organizations. Of these challenges, understanding the intricacies of technologies used within their systems implementation, as well as being able to ensure the correctness of their application’s design were the two most notable.
For Web3 organizations, failure to tackle these challenges successfully can have catastrophic consequences, as the methods available to recover from an exploited insecurity are often minimal, and the source code for their systems and applications are often readily available for attackers to review.
As a result, it’s become a common theme (and in some environments, an unofficial expectation) for Web3 organizations to develop their application and its infrastructure, and submit it to a third-party security research firm for review. This gives assurances to the organization that the implementation and design have been tested in an adversarial nature, and shows due diligence by the organization for its future customers.
What infosec research is most needed in Web3 today?
Bobby: From my perspective, the most impactful research infosec can focus on to mature Web3 is ergonomics of the primitives used to build and test Web3 systems and applications. By reducing the amount of time engineers have to stop and consider the security posture of an implementation, we are able to empower a greater focus on secure design, and enable faster subsequent development.
With the adoption of languages such as Go and Rust, many developers appreciate how the ergonomics of these languages force them to have to “put effort into doing a bad thing,” unlike in other languages such as C/C++ where it is often accidental.
Similar trends are also visible with framework usage. Making it difficult to misuse a framework is extremely important in helping to protect systems and applications using it.
Ultimately, developers want to use these frameworks because it helps them develop faster. The ergonomics often found within common unit and integration testing frameworks are solid! However, when it comes to tools used for more “advanced” testing techniques, they tend to be less ergonomic. Many of these tools do not integrate well with standard unit and integration testing suites, forcing developers to go out of their way to use them.
Furthermore, they often require a developer to implement boilerplate for the system under test (e.g. a “harness”), resulting in time spent setting up the system for testing, as opposed to actually developing tests with the tools. We see this across a wide variety of testing techniques, such as fuzzing, property testing, and in certain circumstances, more advanced formal verification and modeling. These ergonomics greatly dissuade most developers wanting to use these testing techniques in their day-to-day development workflows.
It’s not that developers don’t want to use these testing techniques, or that they are unaware that they exist, it’s that there is a lot of friction around using them!