Security as We Know It (or Do We?)

Cybersecurity Strategies Web3 Can Borrow from Web2

Secil Altintas
4 min read · Jun 15, 2022

In my last piece, I introduced parallels between Web2 and Web3 fundamentals. In this piece, I will dive into a crucial aspect of the system: security, and will specifically discuss two areas top of mind with regards to enterprise security in Web3: application security and DevSecOps.

Some Web3 people like to poke fun at classic Web2 enterprise investors like me for only being interested in “real world applications.” But it’s actually an instinct that serves me well in Web3. When I think about the future of security in Web3, it’s actually not that different from what we already know about application security (AppSec) and DevSecOps.

Although Web3 in general feels like the wild west to many of us, the security needs in this space aren’t that far from those we already have in Web2. Blockchain-based technology has distinct security concerns, yes. But by building on our existing knowledge in application security and DevSecOps, we can proactively identify key threats in Web3 security and seek solutions.

In this article, I will discuss what you need to think about if you are trying to build in this space:

  1. AppSec vs DevSecOps
  2. The zero-day exploit problem
  3. The double-edged sword of interoperability

AppSec vs DevSecOps: a comparison

AppSec (application security) encompasses all security measures deployed at the application level to ensure that an application and its contents are safe from attacks. Application security includes everything from assessing cyber risks to monitoring and auditing the tech stack.

DevSecOps, on the other hand, is an approach that integrates security into every stage of the development infrastructure, instead of separating security into a siloed process for identifying and monitoring vulnerabilities.

Most traditional enterprises have moved towards the DevSecOps model where application security is a part of the end-to-end process. In this way, security becomes a frictionless and continuous part of the development cycle.

Source: Geekflare blog

AppSec’s hot button issue: zero-day exploits

In early 2020, cybercriminals attacked the built-in PostgreSQL database server of the Sophos firewall. This was a textbook zero-day exploit — the thing that Web2 companies fear most. It happens when attackers find and exploit a vulnerability in software before the developers know about it and have a chance to patch it. Developers often use automated penetration tests and security scanning to help identify these vulnerabilities early.

Now we’re seeing zero-day exploits in the Web3 world as well, like Poly’s cross-chain transactions vulnerability and Qubit’s unlimited minting bug. Because it is hard to get full visibility into all the connections between components on the blockchain, zero-day exploits are even harder to manage in Web3.

Would the traditional penetration tests that work for Web2 be the answer for Web3? I don’t think so. Web3 does not have the same application logic and data layer that exists in Web2. That’s because Web3 is built on the blockchain, with network nodes and smart contracts that manage the flow of data.

Why is this important? Web3 applications are built like Legos on top of each other. Each of these components is open and can be called permissionlessly by other smart contracts or by end users. This dependency on a variety of pieces makes application security very important. Exploit scenarios and vulnerability analysis are even more complex — and essential.

CertiK, Forta, Halborn, and Securify are the Web3 versions of the code scanning and application security testing tools originally developed for Web1 and Web2 applications.

Source: Forta website

The double-edged sword of interoperability for DevSecOps

In my previous article, I discussed how new gatekeepers in Web3 need new locks, as more endpoints are involved in Web3 applications. In Web2, CI/CD players such as CircleCI, Harness, ArgoCD and others help enterprises protect their infrastructure end-to-end. In Web3, because the number of nodes and protocols an application can use is limitless, finding a so-called CI/CD solution for Web3 is still an open question.

Interoperability is the biggest issue in Web3, as applications interact with numerous open protocols that are not secure. Protecting data within each individual protocol is a massive security concern.

Cybersecurity solutions in Web2 mainly involve testing a product before deployment and blocking network traffic when a threat is detected. This does not work for Web3. Because it is difficult to alter a network after deployment in Web3, blockchain systems require testing and monitoring of the smart contract code before deployment. As a result, smart monitoring solutions are needed, and we will certainly hear more about them in the near future, as startups in this space are mainly in stealth mode at the moment.

Architecture of a Web2 application vs that of a Web3 application (Source: Coinbase blog)

Is security as we know it about to change?

This is the big question. It’s clear that blockchain technologies require increasingly complex security strategies. New companies with fresh solutions will rise up to meet these challenges. At the same time, some of the problems aren’t new, and we already have processes like AppSec and DevSecOps to address them. If founders build new Web3 solutions on our existing knowledge, we can all proactively protect ourselves against the biggest security threats in Web3.

The concerns we discussed in this article are mainly from the developer perspective. My next article will discuss security concerns from the perspective of end users and how founders can consider those pain points to develop new solutions.

Secil Altintas

Enterprise Tech Investor / dabbling in web3 | formerly PM@DarwinAI