INSIGHTS / FOUR-STEPS-TOWARDS-BETTER-SECURITY
Four Steps Towards Better Security
Dr Jerome Rousselot
At Jita Advisory Services, we regularly perform security audits and technology reviews. Our clients leverage our long experience in blockchain digital and hardware wallets, financial services, smart phones, digital TV, electronic gaming machines and real time safety critical systems. The vast majority of the projects we worked on over the years reached production, in some cases reaching hundreds of millions of users. Security was always a critical requirement, from smart phones operating systems, pay TV streams copy protection, financial data integrity, and protecting human lives.
In the past six months we observed that some clients did not always get the maximum value from audits. We identified several reasons behind it: lack of familiarity with software security, not allocating enough time for the audit itself and later on to resolve the issues, postponing an audit until the very end of the development process, or selecting auditors purely on price, aiming for either the cheapest or sometimes for the most expensive ones.
This concern for smart contract security is shared outside our industry network: the 2018 Q2 Blockchain Sentiment Survey found that potentially buggy smart contracts is the most negative aspect of Ethereum today.
Many attempts are made to improve this situation: verifiable smart contract languages, both on Ethereum and on other blockchains like Zilliqa or ZenProtocol, smart contract libraries like Open Zeppelin and dapphub, and of course, tokenized solutions attempting to create market dynamics: solidified.io, nexusmutual.io, hacken.io and others.
These attempts are at various stages, and do not simplify the security process. The first half of these attempts is technology driven, and the other part is marketplace driven. Technology is important of course, but it is not always possible for an entrepreneur to wait for the latest new tech, or to throw away the legacy tech. Similarly, the marketplace efforts may succeed, but they are not ready yet, and like technology, they may have limitations.
Instead of a presenting an exciting new technology or innovative token economic model, in this series, we explain how we approach security as a process and the four steps we believe every team can follow to improve their products and later on, maximise the results of a security audit. We will discuss the following topics:
1. Knowing what you want (the business specifications): what is actually the correct software behaviour?
2. Architecture: what are the key components of the software products, why were they chosen and how are they interacting?
3. Get better value from your tools: are you getting all the value you could from the tools you are already using?
4. Testing: what is the best way to test your software?