Intelligent CISO Issue 05 | Page 29

TRAVIS BIEHN, TECHNICAL
STRATEGIST – RESEARCH LEAD AT SYNOPSYS


Security leaders need not dig deep to find excitement about enterprise Blockchain adoption in their organisations. It is often harder to untangle the motivations and value propositions of these technologies and the impact they will have on the systems of tomorrow. Like cloud before it, security leaders have initially taken a dim view of this space. Aside from academic work focusing on niche, yet important, parts of the technology, the industry still lacks comprehensive and fundamental frameworks that help to confront the new security challenges organisations face.

In our work at Synopsys, we have witnessed Blockchain technology evolve and fragment over the years. We have been commercially engaged with Blockchain technology since 2015. In the first half of 2018, we performed over 3,000 hours of threat modelling of systems built around enterprise Blockchain platforms, and even more in source code review and dynamic testing. Through such experience, I can report that the most crucial gaps in understanding the impact of Blockchain technology occur in four key areas:
Whole system
• Shared custody and operation – a component lifecycle that depends on cooperation with competitors
• Distributed systems engineering – a rare skill that is essential for risk analyses of all types
Software design
• Identity – runs throughout Blockchain components and requires mapping to higher-level systems. A common source of deep design security flaws
• Development libraries – absent, so every team must develop from scratch, which means missing security controls or teams rolling their own
• Authentication and authorisation – difficult, and controls must be created both in smart contracts and in upstream systems
Data management
• Compliance with regulation, and understanding how to thoughtfully minimise the actual private data held while still gaining the benefit of Blockchain components
Platforms
• Resources – use, metering and audits. These capabilities are not easily accomplished with new platforms
• New execution environments and (sometimes) languages – often pose challenges to tools and people
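As an added illustration of the data-management point above (example code written for this edit, not from the article or from Synopsys): the `Ledger` class, the record ID and the date of birth are constructed stand-ins, and an in-memory list plays the part of the Blockchain component. The weak design writes a bare hash of a private value to the ledger; because a date of birth has only a few thousand plausible values, anyone who can read the ledger recovers it by enumeration. The hardened design anchors an HMAC commitment keyed with a random per-record salt that stays off-chain, which still lets the record owner prove later what was recorded while leaving nothing on the ledger that can be mapped back to the value without that salt.

```python
"""Anchoring private records on a shared ledger by commitment, not by value.

Constructed example: the ledger is an in-memory list standing in for a
Blockchain component; the record ID and date of birth are made up.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Iterator, List, Optional, Tuple


class Ledger:
    """Append-only list standing in for the shared, competitor-readable ledger."""

    def __init__(self) -> None:
        self._entries: List[Tuple[str, str]] = []

    def append(self, record_id: str, commitment: str) -> int:
        self._entries.append((record_id, commitment))
        return len(self._entries) - 1

    def get(self, index: int) -> Tuple[str, str]:
        return self._entries[index]


def naive_commitment(value: bytes) -> str:
    """Weak design: a bare SHA-256 of the private value goes on-chain."""
    return hashlib.sha256(value).hexdigest()


def salted_commitment(value: bytes, salt: bytes) -> str:
    """HMAC-SHA256 keyed with a random per-record salt. A reader of the ledger
    who lacks the salt cannot test guesses against the commitment."""
    return hmac.new(salt, value, hashlib.sha256).hexdigest()


def anchor(ledger: Ledger, record_id: str, value: bytes) -> Tuple[int, bytes]:
    """Write only the commitment to the ledger. The salt is returned so the
    application can store it off-chain beside the value it protects."""
    salt = secrets.token_bytes(32)
    index = ledger.append(record_id, salted_commitment(value, salt))
    return index, salt


def verify(ledger: Ledger, index: int, record_id: str, value: bytes, salt: bytes) -> bool:
    """Prove later that `value` is what was anchored, without it ever being on-chain."""
    stored_id, stored_commitment = ledger.get(index)
    return stored_id == record_id and hmac.compare_digest(
        stored_commitment, salted_commitment(value, salt)
    )


def dates_of_birth(start: date, end: date) -> Iterator[bytes]:
    """Guess space for an attacker: every calendar day in [start, end]."""
    d = start
    while d <= end:
        yield d.isoformat().encode()
        d += timedelta(days=1)


def recover_by_guessing(commitment: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline enumeration against a bare hash; succeeds whenever the value has low entropy."""
    for candidate in candidates:
        if naive_commitment(candidate) == commitment:
            return candidate
    return None


def demo() -> dict:
    ledger = Ledger()
    dob = b"1984-03-17"  # constructed private value

    def guesses() -> Iterator[bytes]:
        return dates_of_birth(date(1980, 1, 1), date(1989, 12, 31))  # ~3,650 candidates

    # Weak: bare hash on the ledger; anyone who can read it enumerates the decade.
    weak_index = ledger.append("patient-42", naive_commitment(dob))
    recovered = recover_by_guessing(ledger.get(weak_index)[1], guesses())

    # Hardened: salted commitment on the ledger; the same enumeration finds nothing.
    index, salt = anchor(ledger, "patient-42", dob)
    not_recovered = recover_by_guessing(ledger.get(index)[1], guesses())

    return {
        "weak_recovered": recovered,
        "hardened_recovered": not_recovered,
        "verifies": verify(ledger, index, "patient-42", dob, salt),
        "rejects_tamper": verify(ledger, index, "patient-42", b"1984-03-18", salt),
    }


if __name__ == "__main__":
    print(demo())
```

The salt must live with the off-chain record under the same access controls as the value itself; if the record and its salt are later deleted, the commitment that remains on the ledger is just 32 random-looking bytes that no party can link back to the original value, which is the property a data-minimisation design is after. The same pattern holds for any identifier with a small guess space (account numbers, postcodes, dates), not only dates of birth.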
It is important to note that while decisions made close to Blockchain components can carry critical faults, they make up only a small fraction of the issues we find. More importantly, architects and developers make incorrect assumptions about the properties these platforms provide, and those mistakes account for the large majority of exploitable issues.
The most widely used platforms are often difficult to configure and dangerous to expose to untrusted components. Businesses do not have their heads in the sand when it comes to this risk; they are taking a cautious approach to evaluation. It is during this period that security leaders should collaborate with system stakeholders, architects, developers, business leaders and operators. The goal of that collaboration is to refine the security properties of the systems, develop processes for managing platform secrets and component lifecycles, and mature the capabilities of evaluation, prevention, detection and response over time.
Businesses rely on a broader ecosystem of tool and service vendors. With precious little expertise and accurate perspective in the market, I recommend inviting your vendors to the table to help them understand what your business is doing with the technology, so they can be ready with solutions when you need them.