TRAVIS BIEHN, TECHNICAL
STRATEGIST – RESEARCH LEAD AT SYNOPSYS
?
ecurity leaders
S need not dig deep to find excitement about enterprise Blockchain adoption in their organisations. It is often harder to untangle the motivations and value propositions of these technologies and the impact they will have on the systems of tomorrow. Like cloud before it, security leaders have initially taken a dim view of this space. Aside from academic work focusing on niche, yet important, parts of the technology, the industry still lacks comprehensive and fundamental frameworks that help to confront the new security challenges organisations face.
In our work at Synopsys, we have witnessed Blockchain technology evolve and fragment over the years. We have been commercially engaged with Blockchain technology since 2015. In the first half of 2018, we performed over 3,000 hours of threat modelling systems built around enterprise Blockchain platforms and even more in source code review and dynamic testing. Through such experience, I can report that the most crucial gaps in understanding the impact of Blockchain technology occur in four key areas:
Whole system
• Shared custody and operation – a component lifecycle that depends on cooperation with competitors
• Distributed systems engineering – a rare skill that is essential for risk analyses of all types
Software design
• Identity – throughout Blockchain components and requires mapping to higher-level systems. A common source of deep design security flaws
• Development libraries – absent, every team must develop from scratch and that means missing or rolling their own security controls. editor’ s question
Authentication and authorisation are difficult and controls both in smart contracts and in upstream systems must be created
Data management
• Compliance with regulation and understanding how to thoughtfully minimise actual private data while still gaining the benefit of Blockchain components
Platforms
• Resources – use, metering and audits. These capabilities are not easily accomplished with new platforms
• New execution environments and( sometimes) languages – often pose challenges to tools and people
It is important to note that while decisions made close to Blockchain components have critical fault, they only make up a small fraction of issues. More importantly, architects and developers can make incorrect assumptions about properties provided by these platforms and those mistakes often lead to a large majority of exploitable issues.
The most widely used platforms are often difficult to configure and dangerous to expose to untrusted components. Businesses do not have their heads in the sand when it comes to this risk. They are taking a cautious approach to evaluation. It is during this period that security leaders should collaborate with system stakeholders, architects, developers, business leaders and operators. The goal of collaboration is to refine the security properties of the systems, develop processes for managing platform secrets and component lifecycles, and mature these capabilities of evaluation, prevention, detection and response over time.
Businesses rely on a broader ecosystem of tool and service vendors. With precious little expertise and accurate perspective in the market, I recommend inviting your vendors to the table to help them understand what your business is doing with the technology so they can be ready with solutions when you need them. www. intelligentciso. com | Issue 05
29