SlideShare a Scribd company logo

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

SecuRing
SecuRing

The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

Services
1 of 54
Download to read offline
www.securing.pldrdr_zz Damian Rusinek WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards Ethereum Community Conference 5th March 2020
www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github • Senior Security Consultant • Researcher (blockchain and smart contracts) Senior Security Consultant Security Researcher Assistant Professor Introducing Decentralized Applications by analogy to Web Apps drdr_zz Outsmarting Smart Contracts
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? • The market is worth billions of $ in cryptocurrencies. • A chance for newcomers (e.g. fin-techs) • Decentralized finance, • No brokers (direct payments). • There exist great projects: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps ARE THOSE SECURE?
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Indestructible: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
www.securing.pldrdr_zzdrdr_zz Security needs Technical • Build secure applications. • Omit the insecure patterns. • Find ane remediate the security bugs (vulnerabilities). Business • Make sure that the application is secure. • The status: List of green and red points.
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard drdr_zz wh01s7
www.securing.pldrdr_zzdrdr_zz • Objectives: • A checklist for architects, developers and security reviewers. • Technical needs • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Business needs • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • 13 categories of security requirements. • Format similar to ASVS. SCSVS - Objectives
www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
www.securing.pldrdr_zzdrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
www.securing.pldrdr_zzdrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified. (Solidity: deprecated since 5.0)
www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~120k USD) • SmartBillions Lottery hack • 400 ETH stolen (~100k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen (~280k USD) • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
www.securing.pldrdr_zzdrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation Ethereum Studio
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
www.securing.pldrdr_zzdrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen (~1 bln USD) • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
www.securing.pldrdr_zzdrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
www.securing.pldrdr_zzdrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
www.securing.pldrdr_zzdrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack: • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~130 mln USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
www.securing.pldrdr_zzdrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
www.securing.pldrdr_zzdrdr_zz Differences – Security Alert and Fix SDLC – Analysis & Requirements Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
www.securing.pldrdr_zzdrdr_zz SCSVS meets your security needs Technical • Build secure applications. • Omit the insecure patterns. • Find ane remediate the security bugs (vulnerabilities). Business • Make sure that the application is secure. • The status: List of green and red points. Want to develop secure smart contracts? Want a security audit of smart contract? Go for SCSVS!
www.securing.pldrdr_zz Ok, Thank you! Damian.Rusinek@securing.pl Smart Contract Security Checklist Ready-to-use spreadsheets! drdr_zz

Recommended

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS appsSecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 

Recommended

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS appsSecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018SecuRing
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101OWASP
 
Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptbarysteyn
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Mirai botnet
Mirai botnetMirai botnet
Mirai botnetOWASP
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 

More Related Content

What's hot

Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018SecuRing
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101OWASP
 
Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptbarysteyn
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Mirai botnet
Mirai botnetMirai botnet
Mirai botnetOWASP
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 

What's hot (20)

Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
 
Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScript
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Mirai botnet
Mirai botnetMirai botnet
Mirai botnet
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 

Similar to WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
 
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas North Texas Chapter of the ISSA
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Capital Numbers
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate Them
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate ThemThe Top Five Security Threats to Hyperledger Fabric & How to Mitigate Them
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate ThemCapital Numbers
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance WebinarGrafic.guru
 
Algorand Educate: Intro to Algorand
Algorand Educate: Intro to AlgorandAlgorand Educate: Intro to Algorand
Algorand Educate: Intro to AlgorandTinaBregovi
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...SecuRing
 
Overcoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudOvercoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudZscaler
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefZivaro Inc
 
Introduction to Blockchain and Decentralized Apps
Introduction to Blockchain and Decentralized AppsIntroduction to Blockchain and Decentralized Apps
Introduction to Blockchain and Decentralized AppsCisco DevNet
 
SD-WAN plus cloud security
SD-WAN plus cloud securitySD-WAN plus cloud security
SD-WAN plus cloud securityZscaler
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
The evolution of IT in a cloud world
The evolution of IT in a cloud worldThe evolution of IT in a cloud world
The evolution of IT in a cloud worldZscaler
 

Similar to WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards (20)

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
 
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate Them
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate ThemThe Top Five Security Threats to Hyperledger Fabric & How to Mitigate Them
The Top Five Security Threats to Hyperledger Fabric & How to Mitigate Them
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance Webinar
 
Algorand Educate: Intro to Algorand
Algorand Educate: Intro to AlgorandAlgorand Educate: Intro to Algorand
Algorand Educate: Intro to Algorand
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
 
Overcoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudOvercoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the Cloud
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology Brief
 
Introduction to Blockchain and Decentralized Apps
Introduction to Blockchain and Decentralized AppsIntroduction to Blockchain and Decentralized Apps
Introduction to Blockchain and Decentralized Apps
 
SD-WAN plus cloud security
SD-WAN plus cloud securitySD-WAN plus cloud security
SD-WAN plus cloud security
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
The evolution of IT in a cloud world
The evolution of IT in a cloud worldThe evolution of IT in a cloud world
The evolution of IT in a cloud world
 
Connected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go WrongConnected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go Wrong
 

More from SecuRing

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersSecuRing
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameSecuRing
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!SecuRing
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionSecuRing
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?SecuRing
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defenseSecuRing
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSSecuRing
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?SecuRing
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?SecuRing
 
Testowanie bezpieczeństwa chmury na przykładzie AWS.
Testowanie bezpieczeństwa chmury na przykładzie AWS.Testowanie bezpieczeństwa chmury na przykładzie AWS.
Testowanie bezpieczeństwa chmury na przykładzie AWS.SecuRing
 
Internet banking applications' security
Internet banking applications' securityInternet banking applications' security
Internet banking applications' securitySecuRing
 
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOS
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOSJailbreak - dylematy hazardzisty w pentestach aplikacji iOS
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOSSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSecuRing
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 

More from SecuRing (20)

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?
 
Testowanie bezpieczeństwa chmury na przykładzie AWS.
Testowanie bezpieczeństwa chmury na przykładzie AWS.Testowanie bezpieczeństwa chmury na przykładzie AWS.
Testowanie bezpieczeństwa chmury na przykładzie AWS.
 
Internet banking applications' security
Internet banking applications' securityInternet banking applications' security
Internet banking applications' security
 
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOS
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOSJailbreak - dylematy hazardzisty w pentestach aplikacji iOS
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOS
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 

Recently uploaded

High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts ServiceHigh Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts Servicetajaga2345
 
EDITAL DE PROCESSO SELETIVO 001-2024.pdf
EDITAL DE PROCESSO SELETIVO 001-2024.pdfEDITAL DE PROCESSO SELETIVO 001-2024.pdf
EDITAL DE PROCESSO SELETIVO 001-2024.pdfJessicaRosso2
 
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pak
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In PakAmil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pak
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pakdilawarshahuk
 
cloudstudioアプローチ別営業資料202403_en (1) (2).pptx
cloudstudioアプローチ別営業資料202403_en (1) (2).pptxcloudstudioアプローチ別営業資料202403_en (1) (2).pptx
cloudstudioアプローチ別営業資料202403_en (1) (2).pptxcomworks
 
10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptxBoobalanBala12
 
kreativan technology is a best IT company
kreativan technology is a best IT companykreativan technology is a best IT company
kreativan technology is a best IT companyKreativan Technologies
 
Gateway to International Hospitality Internships for Students- Udaaan Managem...
Gateway to International Hospitality Internships for Students- Udaaan Managem...Gateway to International Hospitality Internships for Students- Udaaan Managem...
Gateway to International Hospitality Internships for Students- Udaaan Managem...digital190136
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration TestingBluechip Gulf IT Services
 
Protecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesProtecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesStartech Engineering
 
Challenges for Salesforce CRM Implementation
Challenges for Salesforce CRM ImplementationChallenges for Salesforce CRM Implementation
Challenges for Salesforce CRM ImplementationNaresh Gupta
 
Create a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerCreate a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerStartech Engineering
 
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts ServiceJustdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Servicesafdarjungdelhi1
 
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts ServiceCall Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Servicemonikaservice1
 
Online Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard YouOnline Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard Youaffordablebackgroundchecks
 
Essential Website Design Trends, April 2024.pptx
Essential Website Design Trends, April 2024.pptxEssential Website Design Trends, April 2024.pptx
Essential Website Design Trends, April 2024.pptxThe Digital Department
 
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKreativan Technologies
 
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...shubhamaapkikismat
 
Boost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaBoost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaWAFI Media Marketing Solutions
 

Recently uploaded (20)

High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts ServiceHigh Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
 
EDITAL DE PROCESSO SELETIVO 001-2024.pdf
EDITAL DE PROCESSO SELETIVO 001-2024.pdfEDITAL DE PROCESSO SELETIVO 001-2024.pdf
EDITAL DE PROCESSO SELETIVO 001-2024.pdf
 
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pak
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In PakAmil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pak
Amil Baba In Pakistan Authentic Amil In pakistan Best Amil In Pak
 
cloudstudioアプローチ別営業資料202403_en (1) (2).pptx
cloudstudioアプローチ別営業資料202403_en (1) (2).pptxcloudstudioアプローチ別営業資料202403_en (1) (2).pptx
cloudstudioアプローチ別営業資料202403_en (1) (2).pptx
 
10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx
 
kreativan technology is a best IT company
kreativan technology is a best IT companykreativan technology is a best IT company
kreativan technology is a best IT company
 
Gateway to International Hospitality Internships for Students- Udaaan Managem...
Gateway to International Hospitality Internships for Students- Udaaan Managem...Gateway to International Hospitality Internships for Students- Udaaan Managem...
Gateway to International Hospitality Internships for Students- Udaaan Managem...
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing
 
Protecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesProtecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codes
 
Challenges for Salesforce CRM Implementation
Challenges for Salesforce CRM ImplementationChallenges for Salesforce CRM Implementation
Challenges for Salesforce CRM Implementation
 
Search Engine optimization and its types
Search Engine optimization and its typesSearch Engine optimization and its types
Search Engine optimization and its types
 
Create a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerCreate a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineer
 
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts ServiceJustdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
 
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts ServiceCall Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
 
Online Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard YouOnline Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard You
 
Essential Website Design Trends, April 2024.pptx
Essential Website Design Trends, April 2024.pptxEssential Website Design Trends, April 2024.pptx
Essential Website Design Trends, April 2024.pptx
 
How to Get into the NUS MBA Program? Explore
How to Get into the NUS MBA Program? ExploreHow to Get into the NUS MBA Program? Explore
How to Get into the NUS MBA Program? Explore
 
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
 
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...
Balancing Sexual Desires for a Happier Relationship_ An Astrological Perspect...
 
Boost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaBoost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in Noida
 

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

  • 1. www.securing.pldrdr_zz Damian Rusinek WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards Ethereum Community Conference 5th March 2020
  • 2. www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github • Senior Security Consultant • Researcher (blockchain and smart contracts) Senior Security Consultant Security Researcher Assistant Professor Introducing Decentralized Applications by analogy to Web Apps drdr_zz Outsmarting Smart Contracts
  • 3. www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
  • 4. www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
  • 5. www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? • The market is worth billions of $ in cryptocurrencies. • A chance for newcomers (e.g. fin-techs) • Decentralized finance, • No brokers (direct payments). • There exist great projects: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
  • 6. www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
  • 7. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
  • 8. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
  • 10. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Indestructible: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 11. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 12. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
  • 13. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
  • 14. www.securing.pldrdr_zzdrdr_zz Security needs Technical • Build secure applications. • Omit the insecure patterns. • Find ane remediate the security bugs (vulnerabilities). Business • Make sure that the application is secure. • The status: List of green and red points.
  • 15. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
  • 16. www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard drdr_zz wh01s7
  • 17. www.securing.pldrdr_zzdrdr_zz • Objectives: • A checklist for architects, developers and security reviewers. • Technical needs • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Business needs • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • 13 categories of security requirements. • Format similar to ASVS. SCSVS - Objectives
  • 18. www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
  • 19. www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
  • 20. www.securing.pldrdr_zzdrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
  • 21. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
  • 22. www.securing.pldrdr_zzdrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
  • 23. www.securing.pldrdr_zzdrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
  • 24. www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
  • 25. www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified. (Solidity: deprecated since 5.0)
  • 26. www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
  • 27. www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~120k USD) • SmartBillions Lottery hack • 400 ETH stolen (~100k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
  • 28. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
  • 29. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
  • 30. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
  • 31. www.securing.pldrdr_zzdrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
  • 32. www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
  • 33. www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen (~280k USD) • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
  • 34. www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
  • 35. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
  • 36. www.securing.pldrdr_zzdrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation Ethereum Studio
  • 37. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
  • 38. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
  • 39. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
  • 40. www.securing.pldrdr_zzdrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen (~1 bln USD) • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
  • 41. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
  • 42. www.securing.pldrdr_zzdrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
  • 43. www.securing.pldrdr_zzdrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
  • 44. www.securing.pldrdr_zzdrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
  • 45. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
  • 46. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
  • 47. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack: • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~130 mln USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
  • 48. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
  • 49. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
  • 50. www.securing.pldrdr_zzdrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
  • 51. www.securing.pldrdr_zzdrdr_zz Differences – Security Alert and Fix SDLC – Analysis & Requirements Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
  • 52. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
  • 53. www.securing.pldrdr_zzdrdr_zz SCSVS meets your security needs Technical • Build secure applications. • Omit the insecure patterns. • Find ane remediate the security bugs (vulnerabilities). Business • Make sure that the application is secure. • The status: List of green and red points. Want to develop secure smart contracts? Want a security audit of smart contract? Go for SCSVS!
  • 54. www.securing.pldrdr_zz Ok, Thank you! Damian.Rusinek@securing.pl Smart Contract Security Checklist Ready-to-use spreadsheets! drdr_zz