SlideShare une entreprise Scribd logo

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards

SecuRing
SecuRing

1) The document discusses decentralized applications (dApps) and compares their security to web applications. 2) dApps have some security advantages like being undestroyable and transactions being cryptographically signed. However, expectations of their security do not always match reality due to vulnerabilities. 3) The document introduces SCSVS, the Smart Contract Security Verification Standard, which provides a checklist similar to OWASP ASVS for securing dApps across the entire software development lifecycle.

Logiciels
1  sur  57
Télécharger pour lire hors ligne
www.securing.pl Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP AppSec Global Amsterdam 2019 26th of September 2019
www.securing.pldrdr_zz Damian Rusinek @drdr_zz damianrusinek @ github • Pentester • Researcher • Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London
www.securing.pldrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
www.securing.plwww.securing.pl Decentralized Apps And why are they becoming important? WHAT IS IT?
www.securing.pldrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
www.securing.pldrdr_zz Why are Decentralized Applications important? • There exist great projects already: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • The market is worth billions of $ in cryptocurrencies. • A chance for new technologies (e.g. financial technology) • Easy decentralized banking, • No brokers (direct payments). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
www.securing.pldrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
www.securing.pldrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
www.securing.pldrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
www.securing.plwww.securing.pl Decentralized Apps ARE THOSE SECURE?
www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps WE NEED SECURITY!
www.securing.pldrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
www.securing.plwww.securing.pl SCSVS - Smart Contracts Security Verification Standard
www.securing.pldrdr_zz • Objectives: • Provide a checklist for architects, developers and security reviewers. • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • Format similar to ASVS. SCSVS - Objectives
www.securing.pldrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
www.securing.pldrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
www.securing.pldrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
www.securing.pldrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
www.securing.pldrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
www.securing.pldrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
www.securing.pldrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
www.securing.pldrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
www.securing.pldrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~100k USD) • SmartBillions Lottery hack • 400 ETH stolen (~80k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Miners/Validators • Validate transactions and add new blocks
www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Design SDLC
www.securing.pldrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
www.securing.pldrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
www.securing.pldrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen (~220k USD) • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
www.securing.pldrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Implementation SDLC
www.securing.pldrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation
www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
www.securing.pldrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call
www.securing.pldrdr_zz Differences – Recursive calls SDLC – Implementation • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Testing SDLC
www.securing.pldrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
www.securing.pldrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
www.securing.pldrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Deployment SDLC
www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack (2nd): • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~100kk USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Maintenance SDLC
www.securing.pldrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
www.securing.pldrdr_zz Differences – Security Alert and Fix SDLC – Analysis & Requirements Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
www.securing.pldrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
www.securing.pldrdr_zz V13: Known attacks SCSVS – The special category • Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
www.securing.pldrdr_zz SCSVS – Future plans • SCSVS is going open-source • Published on GitHub in a few days (October 1st). • Sign up to be informed. • https://bit.ly/2lXiRR9 • OWASP SCSVS?
www.securing.pl Thank you! Damian.Rusinek@securing.pl @drdr_zz or leave me your card! Sign up to be informed about SCSVS: Want a security audit of smart contract? Go for SCSVS!

Recommandé

Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...SecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityJohnson, Chuan Zhang CISM CCSK OSCP
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchainsaficus
 
Global Cybersecurity Blockchain Group
Global Cybersecurity Blockchain GroupGlobal Cybersecurity Blockchain Group
Global Cybersecurity Blockchain GroupMaeva Ghonda
 

Recommandé

Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...SecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityJohnson, Chuan Zhang CISM CCSK OSCP
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchainsaficus
 
Global Cybersecurity Blockchain Group
Global Cybersecurity Blockchain GroupGlobal Cybersecurity Blockchain Group
Global Cybersecurity Blockchain GroupMaeva Ghonda
 
Introduction to Blockchain Governance Models
Introduction to Blockchain Governance ModelsIntroduction to Blockchain Governance Models
Introduction to Blockchain Governance ModelsGokul Alex
 
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...Edureka!
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityKevin Cedeño, CISM, CISA
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureJean-Phi N✅
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as CodeCalvin Cheng
 
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoWebinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoKaleido
 
create your own cryptocurrency
create your own cryptocurrencycreate your own cryptocurrency
create your own cryptocurrencyBellaj Badr
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Gokul Alex
 
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan GeorgeHyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan GeorgeSSIMeetup
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internetRony Melo
 
Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508Arnaud Le Hors
 
Blockchains and the IoT
Blockchains and the IoTBlockchains and the IoT
Blockchains and the IoTMongoDB
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply ChainSensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply ChainHeather Vescent
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges Merlec Mpyana
 
Hyperledger Fabric in a Nutshell
Hyperledger Fabric in a NutshellHyperledger Fabric in a Nutshell
Hyperledger Fabric in a NutshellDaniel Chan
 
Blockchian introduction
Blockchian introductionBlockchian introduction
Blockchian introductionkesavan N B
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 

Contenu connexe

Tendances

Introduction to Blockchain Governance Models
Introduction to Blockchain Governance ModelsIntroduction to Blockchain Governance Models
Introduction to Blockchain Governance ModelsGokul Alex
 
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...Edureka!
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityKevin Cedeño, CISM, CISA
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureJean-Phi N✅
 
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoWebinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoKaleido
 
create your own cryptocurrency
create your own cryptocurrencycreate your own cryptocurrency
create your own cryptocurrencyBellaj Badr
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Gokul Alex
 
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan GeorgeHyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan GeorgeSSIMeetup
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internetRony Melo
 
Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508Arnaud Le Hors
 
Blockchains and the IoT
Blockchains and the IoTBlockchains and the IoT
Blockchains and the IoTMongoDB
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply ChainSensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply ChainHeather Vescent
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges Merlec Mpyana
 
Hyperledger Fabric in a Nutshell
Hyperledger Fabric in a NutshellHyperledger Fabric in a Nutshell
Hyperledger Fabric in a NutshellDaniel Chan
 
Blockchian introduction
Blockchian introductionBlockchian introduction
Blockchian introductionkesavan N B
 

Tendances (20)

Introduction to Blockchain Governance Models
Introduction to Blockchain Governance ModelsIntroduction to Blockchain Governance Models
Introduction to Blockchain Governance Models
 
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat Model
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of Cybersecurity
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service Brochure
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as Code
 
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoWebinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
 
create your own cryptocurrency
create your own cryptocurrencycreate your own cryptocurrency
create your own cryptocurrency
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
 
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan GeorgeHyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan George
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
 
Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508Towards Self Sovereign Identity 20180508
Towards Self Sovereign Identity 20180508
 
Blockchains and the IoT
Blockchains and the IoTBlockchains and the IoT
Blockchains and the IoT
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
 
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply ChainSensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
Sensors, Identifiers & Digital Twins: Tracking Identity on the Supply Chain
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A Primer
 
Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges Blockchain Security Issues and Challenges
Blockchain Security Issues and Challenges
 
Hyperledger Fabric in a Nutshell
Hyperledger Fabric in a NutshellHyperledger Fabric in a Nutshell
Hyperledger Fabric in a Nutshell
 
Blockchian introduction
Blockchian introductionBlockchian introduction
Blockchian introduction
 

Similaire à Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Capital Numbers
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...OnBoard Security, Inc. - a Qualcomm Company
 
Machine learning presentation in using pyhton
Machine learning presentation in using pyhtonMachine learning presentation in using pyhton
Machine learning presentation in using pyhtonmasukmia.com
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainAhmed Banafa
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risksWSO2
 
10 Essentials on Blockchain Development: From Basics to Ethics
10 Essentials on Blockchain Development: From Basics to Ethics10 Essentials on Blockchain Development: From Basics to Ethics
10 Essentials on Blockchain Development: From Basics to EthicsSteve Hodgkiss
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfMobiloitte Technologies
 
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...Agile Testing Alliance
 
Decentralized applications 101: How and why to build a DApp
Decentralized applications 101: How and why to build a DAppDecentralized applications 101: How and why to build a DApp
Decentralized applications 101: How and why to build a DAppErik Trautman
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Cryotocurrency & blockchain
Cryotocurrency & blockchainCryotocurrency & blockchain
Cryotocurrency & blockchainAmr Salah
 
Introduction to Blockchain and Smart Contracts
Introduction to Blockchain and Smart ContractsIntroduction to Blockchain and Smart Contracts
Introduction to Blockchain and Smart ContractsSaad Zaher
 
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...Guduru Lakshmi Kiranmai
 
DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019Stavros Zervoudakis
 
Blockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsBlockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsIngo Weber
 

Similaire à Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards (20)

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
Machine learning presentation in using pyhton
Machine learning presentation in using pyhtonMachine learning presentation in using pyhton
Machine learning presentation in using pyhton
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : Blockchain
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
 
10 Essentials on Blockchain Development: From Basics to Ethics
10 Essentials on Blockchain Development: From Basics to Ethics10 Essentials on Blockchain Development: From Basics to Ethics
10 Essentials on Blockchain Development: From Basics to Ethics
 
Block chain technology
Block chain technology Block chain technology
Block chain technology
 
Block chain technology
Block chain technologyBlock chain technology
Block chain technology
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
 
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...
#Interactive Session by Saby Saurabh Bhardwaj, "Redefine Quality Assurance –...
 
Decentralized applications 101: How and why to build a DApp
Decentralized applications 101: How and why to build a DAppDecentralized applications 101: How and why to build a DApp
Decentralized applications 101: How and why to build a DApp
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
Cryotocurrency & blockchain
Cryotocurrency & blockchainCryotocurrency & blockchain
Cryotocurrency & blockchain
 
Introduction to Blockchain and Smart Contracts
Introduction to Blockchain and Smart ContractsIntroduction to Blockchain and Smart Contracts
Introduction to Blockchain and Smart Contracts
 
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...
TO DEVELOP A DECENTRALIZED APPLICATION TO DEMONSTRATE THE USAGE OF CRYPTOCURR...
 
DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019DLT analytics and AI workshop 13 march 2019
DLT analytics and AI workshop 13 march 2019
 
Blockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsBlockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and Applications
 
Blockchain Development Services
Blockchain Development ServicesBlockchain Development Services
Blockchain Development Services
 

Plus de SecuRing

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersSecuRing
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameSecuRing
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!SecuRing
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionSecuRing
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?SecuRing
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defenseSecuRing
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSSecuRing
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?SecuRing
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS appsSecuRing
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?SecuRing
 

Plus de SecuRing (20)

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS apps
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?
 

Dernier

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 

Dernier (20)

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards

  • 1. www.securing.pl Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP AppSec Global Amsterdam 2019 26th of September 2019
  • 2. www.securing.pldrdr_zz Damian Rusinek @drdr_zz damianrusinek @ github • Pentester • Researcher • Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London
  • 3. www.securing.pldrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
  • 4. www.securing.plwww.securing.pl Decentralized Apps And why are they becoming important? WHAT IS IT?
  • 5. www.securing.pldrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
  • 6. www.securing.pldrdr_zz Why are Decentralized Applications important? • There exist great projects already: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • The market is worth billions of $ in cryptocurrencies. • A chance for new technologies (e.g. financial technology) • Easy decentralized banking, • No brokers (direct payments). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
  • 7. www.securing.pldrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
  • 8. www.securing.pldrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
  • 9. www.securing.pldrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
  • 11. www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 12. www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 13. www.securing.pldrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
  • 14. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps WE NEED SECURITY!
  • 15. www.securing.pldrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
  • 17. www.securing.pldrdr_zz • Objectives: • Provide a checklist for architects, developers and security reviewers. • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • Format similar to ASVS. SCSVS - Objectives
  • 18. www.securing.pldrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
  • 19. www.securing.pldrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
  • 20. www.securing.pldrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
  • 21. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
  • 22. www.securing.pldrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
  • 23. www.securing.pldrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
  • 24. www.securing.pldrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
  • 25. www.securing.pldrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
  • 26. www.securing.pldrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
  • 27. www.securing.pldrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~100k USD) • SmartBillions Lottery hack • 400 ETH stolen (~80k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
  • 28. www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Miners/Validators • Validate transactions and add new blocks
  • 29. www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
  • 30. www.securing.pldrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
  • 31. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Design SDLC
  • 32. www.securing.pldrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
  • 33. www.securing.pldrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
  • 34. www.securing.pldrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen (~220k USD) • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
  • 35. www.securing.pldrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
  • 36. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Implementation SDLC
  • 37. www.securing.pldrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation
  • 38. www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
  • 39. www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
  • 40. www.securing.pldrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
  • 41. www.securing.pldrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call
  • 42. www.securing.pldrdr_zz Differences – Recursive calls SDLC – Implementation • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
  • 43. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Testing SDLC
  • 44. www.securing.pldrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
  • 45. www.securing.pldrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
  • 46. www.securing.pldrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
  • 47. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Deployment SDLC
  • 48. www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
  • 49. www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack (2nd): • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~100kk USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
  • 50. www.securing.pldrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
  • 51. www.securing.plwww.securing.pl Web Apps vs Decentralized Apps - Maintenance SDLC
  • 52. www.securing.pldrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
  • 53. www.securing.pldrdr_zz Differences – Security Alert and Fix SDLC – Analysis & Requirements Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
  • 54. www.securing.pldrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
  • 55. www.securing.pldrdr_zz V13: Known attacks SCSVS – The special category • Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
  • 56. www.securing.pldrdr_zz SCSVS – Future plans • SCSVS is going open-source • Published on GitHub in a few days (October 1st). • Sign up to be informed. • https://bit.ly/2lXiRR9 • OWASP SCSVS?
  • 57. www.securing.pl Thank you! Damian.Rusinek@securing.pl @drdr_zz or leave me your card! Sign up to be informed about SCSVS: Want a security audit of smart contract? Go for SCSVS!