Let's face it: in the last few years there has been a lot of clamor about blockchain. Now, however, there are signs that we may be about to move from the "blockchain will solve all your problems" segment of the hype cycle to the "blockchain could be useful for some targeted applications" segment.
Yes, utility-based Darwinism is at work: we are beginning to see the most bizarre and improbable business blockchain proposals fall away, while only the places where it genuinely adds value continue to thrive. Change will take time, of course, but eventually enterprise use of blockchain will continue to mature.
In the meantime, however, there is a subset of security professionals with a very specific problem: how do they validate the security model of an enterprise blockchain application for their environment? This can be quite a challenge.
After all, a detailed understanding of the mechanics of blockchain operation requires grasping concepts that practitioners may not be familiar with out of the gate, while an analysis of potential threats requires understanding new attacks and threats outside what practitioners normally encounter.
Likewise, understanding the wider business impacts requires a thorough understanding of the business itself, in order to see how the blockchain will change operations.
No validation standards
To see what I mean, consider something like a 51% attack. For a blockchain application such as a cryptocurrency, this refers to a situation in which adversaries are able to temporarily or permanently control a majority of the computing power, and can then manipulate the data stored on the blockchain as they see fit. (Holders of Ethereum Classic are becoming intimately familiar with this situation right now.)
Unless your organization's security staff happen to be familiar with cryptocurrencies, through personal interest or past speculation, this type of attack is probably not one the security team knows well. That said, depending on the specifics of the use case, it may be something the implementation team needs to think about.
The answer to this, of course, is standardization. However, while there is no shortage of proprietary methodologies to help organizations obtain assurance about blockchain implementations, enterprise use is still early enough that there are as yet no formal or de facto evaluation and validation standards.
In the meantime, therefore, it is up to practitioners to develop strategies for assessing blockchain deployments, both to supplement the methods employed by specialists they might engage, and to go it alone if they lack the resources to engage such specialists.
With these needs in mind, what follows are some techniques that can be adapted to assessing and validating the security models in use for enterprise blockchain implementations. It goes without saying that the details of how to apply these techniques to your specific situation will vary depending on the type of planned use, the security requirements, where and how you will use the blockchain, and so on.
That said, the following techniques will almost always add value, regardless of specific circumstances, and are flexible enough to be adapted to your specific implementation.
Technique 1: application threat modeling
The first technique we will discuss is application threat modeling. For those unfamiliar with it, application threat modeling is the process of systematically deconstructing an application into its component parts in order to view those components from an attacker's point of view.
It is a widely used technique in application and software security circles. It offers tremendous value in validating application design and in selecting appropriate countermeasures to reinforce the points where an application might be less resistant to attack. It can provide value to blockchain applications in the same way it delivers value to applications more generally.
A complete description of how to run a threat model for a particular application would be too long to include here, but there are plenty of freely available resources (such as the OWASP Threat Modeling page and Microsoft's free Threat Modeling Tool) that outline the basics. The important thing to remember, however, is to take into account attack techniques and operating methods specific to blockchain implementations: for example, proof-of-work requirements, 51% attack scenarios, duplication of entries on the ledger (similar to a "double spend" situation in a cryptocurrency context), denial-of-service conditions that could affect transactions (analogous to liquidity considerations for a currency), and so on.
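To make the blockchain-specific threats above concrete, here is an added example (it is not from the article and models no real blockchain's format): a toy ledger validator in Python that enforces three rules a threat model for such an application would typically produce, namely that every block satisfies a proof-of-work target and links to its predecessor, that no transaction is recorded twice (duplicate ledger entries), and that no output is spent twice (double spend). The transaction structure, the `DIFFICULTY` value and the scenarios in `build_demo_chains` are all constructed for the example.

```python
"""Toy ledger validator: threat-model-derived checks over a chain of blocks.

Constructed example. Transactions are {"id", "inputs", "outputs"}; an input
references an earlier output as [tx_id, output_index]. A transaction with no
inputs is treated as a coinbase and may create value (a simplification).
"""
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros required in a block hash (toy value)


def block_hash(block: dict) -> str:
    """Deterministic SHA-256 over the fields that define the block."""
    payload = json.dumps(
        {k: block[k] for k in ("prev", "nonce", "txs")}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(prev: str, txs: list) -> dict:
    """Search for a nonce that satisfies the toy proof-of-work target."""
    block = {"prev": prev, "nonce": 0, "txs": txs}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block


class LedgerError(Exception):
    """Raised with a message naming the violated rule and block height."""


def validate_chain(chain: list) -> dict:
    """Replay the chain from genesis; return the unspent outputs or raise."""
    seen_tx_ids = set()
    unspent = {}  # (tx_id, output_index) -> amount
    prev = "0" * 64
    for height, block in enumerate(chain):
        h = block_hash(block)
        # Rule 1: proof-of-work satisfied and block linked to its predecessor
        if not h.startswith("0" * DIFFICULTY):
            raise LedgerError(f"block {height}: proof-of-work not satisfied")
        if block["prev"] != prev:
            raise LedgerError(f"block {height}: broken link to previous block")
        for tx in block["txs"]:
            # Rule 2: no duplicate ledger entries (the same tx recorded twice)
            if tx["id"] in seen_tx_ids:
                raise LedgerError(f"block {height}: duplicate entry {tx['id']}")
            seen_tx_ids.add(tx["id"])
            # Rule 3: each input must be a currently unspent output
            spent_in = 0
            for ref in tx["inputs"]:
                key = tuple(ref)
                if key not in unspent:
                    raise LedgerError(
                        f"block {height}: double spend or unknown input {key}")
                spent_in += unspent.pop(key)
            if tx["inputs"] and sum(tx["outputs"]) > spent_in:
                raise LedgerError(f"block {height}: {tx['id']} creates value")
            for i, amount in enumerate(tx["outputs"]):
                unspent[(tx["id"], i)] = amount
        prev = h
    return unspent


def check(chain: list) -> str:
    """Convenience wrapper: 'ok' or the text of the violated rule."""
    try:
        validate_chain(chain)
        return "ok"
    except LedgerError as e:
        return str(e)


def build_demo_chains():
    """Constructed scenarios: an honest chain plus two rule-violating forks."""
    coinbase = {"id": "cb1", "inputs": [], "outputs": [50]}
    pay = {"id": "t1", "inputs": [["cb1", 0]], "outputs": [30, 20]}
    genesis = mine("0" * 64, [coinbase])
    b1 = mine(block_hash(genesis), [pay])
    honest = [genesis, b1]
    # Duplicate ledger entry: the same transaction appended a second time
    duplicate = honest + [mine(block_hash(b1), [pay])]
    # Double spend: the already-consumed coinbase output spent again
    respend = {"id": "t2", "inputs": [["cb1", 0]], "outputs": [50]}
    double = honest + [mine(block_hash(b1), [respend])]
    return honest, duplicate, double


if __name__ == "__main__":
    for name, chain in zip(("honest", "duplicate", "double"), build_demo_chains()):
        print(f"{name}: {check(chain)}")
```

Each rule maps to one line of the threat model: the proof-of-work and linkage check is what makes silently editing history expensive, the duplicate-entry check is the ledger analogue of a replayed transaction, and the unspent-output check is the double-spend control. Tampering with any earlier block (for example, changing the coinbase amount) changes its hash, so either the proof-of-work or the link from the next block fails on replay.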
Technique 2: software security testing
Similarly, keep in mind that the software supporting a blockchain deployment is just that: software. Many of the problems that have negatively impacted cryptocurrency implementations are fundamentally software problems.
For example, the attack that took down the Ethereum DAO (Decentralized Autonomous Organization, an organization that operates entirely via smart contracts) was fundamentally a software error (i.e., buggy code) rather than an attack on the underlying blockchain.
The impact of software errors is therefore just as critical for blockchain applications as it is for any other application. So just as you would consider static or dynamic application security testing for any other production application, you should consider it for blockchain applications too, especially for software that is written in-house or heavily customized (for example, from open source implementations).
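As an added illustration of what "buggy code rather than an attack on the blockchain" looks like, here is a toy model in plain Python (not Solidity, and not the DAO's actual code) of the class of flaw behind the DAO incident: a withdraw routine that hands control to the payee before updating the caller's balance, so a payee whose receive hook calls back into withdraw is paid repeatedly. The `Vault` class, the `safe` flag and the `conservation_holds` invariant are constructed for the example; the point is the invariant, which is the kind of property a dynamic security test would assert and which the vulnerable ordering violates while the checks-effects-interactions ordering preserves it.

```python
"""Toy model of a re-entrant withdraw flaw and the invariant test that catches it.

Constructed example: `Vault` stands in for a contract holding user balances,
and the payee's `callback` stands in for code that runs when funds are sent.
"""


class Vault:
    def __init__(self, safe: bool):
        self.balances = {}   # account -> credited balance
        self.reserve = 0     # funds the contract actually holds
        self.safe = safe     # True: checks-effects-interactions ordering

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who: str, callback) -> None:
        amount = self.balances.get(who, 0)
        if amount <= 0:
            return
        if self.safe:
            # Effects first: the balance is zeroed before control leaves us,
            # so a re-entrant call sees nothing left to withdraw.
            self.balances[who] = 0
            self.reserve -= amount
            callback(self, amount)
        else:
            # Vulnerable ordering: the external call runs while the balance
            # is still credited, so it can re-enter and be paid again.
            self.reserve -= amount
            callback(self, amount)
            self.balances[who] = 0


def reentrant_payee(max_depth: int):
    """A payee whose receive hook calls back into withdraw up to max_depth times."""
    state = {"depth": 0, "received": 0}

    def cb(vault: Vault, amount: int) -> None:
        state["received"] += amount
        if state["depth"] < max_depth:
            state["depth"] += 1
            vault.withdraw("payee", cb)

    return cb, state


def conservation_holds(v: Vault) -> bool:
    """Invariant a security test should assert: credited balances equal held funds."""
    return v.reserve >= 0 and v.reserve == sum(v.balances.values())


def run_scenario(safe: bool) -> dict:
    """Two depositors; the second withdraws through a re-entrant payee."""
    v = Vault(safe=safe)
    v.deposit("alice", 100)
    v.deposit("payee", 10)
    cb, state = reentrant_payee(max_depth=3)
    v.withdraw("payee", cb)
    return {"received": state["received"], "reserve": v.reserve,
            "invariant_holds": conservation_holds(v)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(safe=False))
    print("hardened:  ", run_scenario(safe=True))
```

The useful lesson for testing is that the bug is invisible to a check of any single call (each withdraw individually looks correct); it only shows up when a whole-system invariant such as `conservation_holds` is asserted after a sequence of interactions, which is exactly what a dynamic test or property-based test harness should do.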
Technique 3: environment testing
In addition to evaluating the blockchain application and its implementation, it is important to validate the environment that supports the blockchain. This means testing the systems and supporting technology on which the blockchain elements will run.
This may include vulnerability scanning and system review for on-premises components, as well as vendor due diligence if a Blockchain as a Service platform is used or if other cloud components form part of the deployment substrate.
Technique 4: outcome monitoring
Finally, as with anything, monitoring outcomes is obviously important for successful validation. Unlike the previous techniques, much of this monitoring is obviously only possible once the implementation is live.
However, judicious use of monitoring can help uncover business, technology or other impacts that may be emergent in nature, that is, impacts that only come to light at scale once transactions begin to be recorded on the ledger.
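As an added example of the kind of monitoring this technique calls for (not from the article), here is a small Python monitor that consumes a stream of block announcements and derives two signals tied to threats discussed earlier: the depth of chain reorganizations, which is a cheap indicator of the history rewriting a 51% attack makes possible, and a sudden drop in per-block transaction count, a possible symptom of a denial-of-service condition affecting transactions. The event format `(height, hash, parent, tx_count)`, the `ChainMonitor` class, its thresholds and the `demo_events` stream are all constructed assumptions; a real deployment would feed it from a node's log or RPC interface.

```python
"""Outcome monitoring over a constructed stream of block announcements.

Canonical tip = highest block seen (ties keep the current tip). A reorg is
counted when the tip moves to a block that does not extend the old tip; its
depth is the number of previously canonical blocks no longer in the new
tip's ancestry.
"""
from collections import deque


class ChainMonitor:
    def __init__(self, reorg_alert_depth: int = 2, window: int = 4,
                 drop_ratio: float = 0.5):
        self.blocks = {}      # hash -> (height, parent, tx_count)
        self.tip = None       # hash of the current canonical tip
        self.reorg_alert_depth = reorg_alert_depth
        self.recent = deque(maxlen=window)  # tx counts of recent tips
        self.drop_ratio = drop_ratio
        self.alerts = []

    def _ancestry(self, h: str) -> list:
        """Hashes on the path from h back to the earliest known block."""
        path = []
        while h in self.blocks:
            path.append(h)
            h = self.blocks[h][1]
        return path

    def observe(self, height: int, hash_: str, parent: str, tx_count: int) -> list:
        """Ingest one announcement and return the alerts it raises."""
        self.blocks[hash_] = (height, parent, tx_count)
        raised = []
        if self.tip is None or height > self.blocks[self.tip][0]:
            old_tip = self.tip
            if old_tip is not None and parent != old_tip:
                new_path = set(self._ancestry(hash_))
                depth = sum(1 for b in self._ancestry(old_tip) if b not in new_path)
                if depth >= self.reorg_alert_depth:
                    raised.append(f"reorg of depth {depth}: tip moved from {old_tip} to {hash_}")
            self.tip = hash_
            # Throughput: compare against the mean of the last `window` tips.
            # (Blocks of a competing branch below the old tip height are not
            # added to the window; acceptable for this toy.)
            if len(self.recent) == self.recent.maxlen:
                baseline = sum(self.recent) / len(self.recent)
                if baseline > 0 and tx_count < baseline * self.drop_ratio:
                    raised.append(f"throughput drop: {hash_} has {tx_count} txs "
                                  f"vs baseline {baseline:.1f}")
            self.recent.append(tx_count)
        self.alerts.extend(raised)
        return raised


def demo_events() -> list:
    """Constructed stream: steady chain, then a late competing branch that
    overtakes it, followed by a near-empty block."""
    return [
        (1, "a1", "genesis", 20),
        (2, "a2", "a1", 22),
        (3, "a3", "a2", 19),
        (4, "a4", "a3", 21),
        (3, "b3", "a2", 5),    # competing branch forking from a2
        (4, "b4", "b3", 5),
        (5, "b5", "b4", 5),    # overtakes: a3 and a4 leave canonical history
        (6, "b6", "b5", 1),
    ]


def run_monitor(events=None) -> list:
    mon = ChainMonitor()
    for event in (events if events is not None else demo_events()):
        mon.observe(*event)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

Thresholds such as the alert depth and the drop ratio are deployment specific: a depth that is routine on one network is alarming on another, and both settings should be tuned against a baseline observed after go-live rather than fixed in advance.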
These are not the only techniques that can be used to help validate a blockchain deployment, of course. That said, each of them can provide value regardless of the specific business goals, particular security requirements or implementation details of the blockchain deployment in question.
The opinions expressed in this article are those of the author and do not necessarily reflect the opinions of the ECT News Network.