What are the essential security tests for a blockchain?
I mean if I wanna be assure about security of a particular blockchain (either PoW or PoS), what kind of test I should do?
any source, link hint, tip or comment is welcomed.
Related
Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?
I've been trying to find the answer online but no luck so thought of asking here.
For example:
https://nvd.nist.gov/vuln/detail/CVE-2021-23463 I found this vulnerability but H2 was included as <scope>test</scope> in maven.
Testing code does not get shipped to production environment, so I was wondering why do we have to fix such vulnerabilities if it's only vulnerable in testing scope.
Thanks in advance!
TL;DR - It is probably more work to figure out if it is safe to not fix a vulnerability (in your tests) than to just fix the vulnerability.
Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?
I can think of a couple of reasons why you might have to fix the vulnerabilities:
Because your management, or the security team tells you that you have to. They may tell you this for reason of compliance to some internal policy, or some external compliance rules ... or even for legal reasons. Or maybe because someone has a "thing" about it. They may not distinguish between production and test code.
Because you are unable to conclusively show that the vulnerabilities in the test scope do not constitute a risk.
For example, could the vulnerability be exploited by a bad actor who has access to your CI infrastructure? Can you demonstrate that that is not possible? Or that that would not provide a way to do significant damage ... to something that matters?
And the converse is:
IF management doesn't say that you have to fix them AND you can conclusively show that the vulnerability is NOT a risk in your test infrastructure THEN you could decide to not fix them.
HOWEVER if your assessment is in incorrect THEN the blame and consequences will fall on you.
In short ... you need to decide if you should take the risk of ignoring the vulnerability.
Tests will likely be run by CI on your internal infrastructure. Or just on your developer machines. They will be run somewhere that is more or less internal to your infrastructure.
A vulnerability can be exploited in many ways, the one you mentioned is an XXE. A malicious xml file can be used to do stuff on the host that processes it. This might allow an internal unprivileged attacker (eg. a developer) to compromise CI that might have access to more valuable credentials. Or it might allow an external attacker to compromise a developer PC (by somehow providing malicious xml input), and then compromise CI from there, and so on.
You can see the point, you don't just want to protect your production environment. Sure, that might be the most important, but the way to protect it is to apply defense in depth, and mitigate risks for the whole infrastructure.
Like the title suggest, I need help.
I've little experience with the blockchain, mainly a simple ERC20 token projet I did a few months ago.
Now for my bachelor thesis, i was asked the following :
Develop one or several smart contract(s) to trace the origin of the product and its
conformity certifications / administrative attributes and behaviours.
Register the product on the blockchain and deploy a validation scheme to protect it
against counterfeit
Protect the production method (recipe) as an IPR
The said "product" in this refers mainly to manufactured pieces, like a watch piece.
This project is a proof of concept more than anything else so I have no real pieces. I have to create a mockup of what could be used in a manufacture.
Now I was wondering what to use to achieve this goal. Are NFTs are a good option to insure each piece's conformity or should it be used only for the final product or else ?
I don't know all the possibilities of the technology, thus why I'm asking for help.
Any leads to what to use or tutorials would be more than welcome.
Thanks in advance
So I am new to blockchain. In fact, I am actually doing a one-year diploma for it. I found out it's incredibly hard to find accurate information online regarding blockchain. It's either a chunky mess or completely irrelevant. Right now my team's project is to work on a real-life situation where blockchain could be implemented and we chose blockchain for student credentials. We went with a Hybrid blockchain where certain personal information will be private and other stuff like credentials will be public so that educational institutes can validate them. We are supposed to be working with Hyperledger Fabric for the assignment, but we are stuck deciding whether we should be using ERC-721 Tokens or smart contracts to assign every student a unique digital asset. I am posting this here to see if I can get some help.
p.s dont mind if my concepts are completely off because its only been like a week or 2 since my classes started.
In Russia, finance academy "Active" already uses Emercoin blockchain for this purpose for years. You can use Google Translate and read the interview article.
I think, if you contact them, they will share with you their solutions and source code.
You can implement your use cases with Hyperledger Indy blockchain framework. Hyperledger Indy will suit your use cases as this blockchain framework is used to manage identities.
You can visit Indy Walkthrough demo where you can find tutorial with code based on your use cases.
You can also check the following demo:
https://www.youtube.com/watch?v=9WZxlrGMA3s
I am using a Hyperledger Fabric Blockchain.
My blockchain is "private", which means only people we accept can participate.
Right now, the blockchain is open to Internet. Is it safe ?
Should I put my Blockchain behind an API that would be in charge of Read / Write operations ?
From the "data certification" point of view, less steps between data and blockchain, the better.
Does it make sense in a security point of view ?
I don't get what you mean by blockchain being opened to internet.
If you are referring to the data structure of blocks forming a chain, it's just some files stored in peer component. If you want to discuss about it being opened, I'd rather see it as a peer component being opened to the internet.
If you manage to protect the peer component from illegal access, the only legal access Fabric provides you is through using correctly authorized certificate, so from that point on, I wouldn't worry that much.
Putting API middleware in front of the blockchain, however will provide easier interface for other users. From realistic implementation point of view, those interface will be required to some point, so it should better be protected from other security threats.
What you may want to do is to create a "standard" API for your network. This would be an app which can request for and store crypto from the CA and provides some sort of authentication mechanism to allow authorized users to then use that crypto to make requests to the network.
When you begin onboarding users to your network, you need to give them the option of using your standard API or making their own. This gives them the convenience to get started quickly by using a pre-built solution with the freedom to build their own interface into the network if they would like to.
Right now, the blockchain is open to Internet. Is it safe ?
First of all, Blockchain is secure because of its design. Blockchains stores data using certain rules that are extremely difficult for attackers to manipulate. As the numbers of block grows, it will be harder for attacker to manipulate the old block.
However, although we have a super secure blockchain system, we can't control the security of each user account or third party system.
That's why most of the security breaches in public blockchain are happening on the third party system or because of human error (not inside the blockchain).
Should I put my Blockchain behind an API that would be in charge of
Read / Write operations ?
API can be seen as a "bridge" between blockchain and us. Of course, we need this bridge to read / write Transactions to blockchain. It doesn't matter what bridge are you using, as long you can ensure the security of your bridge design.
From the "data certification" point of view, less steps between data
and blockchain, the better. Does it make sense in a security point of
view ?
One of the important aspect private blockchain is about limiting who can access into a blockchain. By limiting the user interaction, we can reduce the potential of security breach. So, the risk of having security breach can be reduced.
Anyone have suggestions for security auditing of an .NET Web Application?
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
EDIT:
To clarify, the system has been designed with security in mind. The environment has been setup with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.
The point of an audit would be to independently verify the security that was implemented by the team.
BTW - there are several automated hack/probe tools to probe applications/web servers, but i'm a bit concerned about whether they are worms or not...
Best Thing to do:
Hiring a security guy for source code analysis
Second best thing to do hiring a security guy / pentesting company for black-box analysis
Following tools will help :
Static Analysis Tools Fortify / Ounce Labs - Code Review
Consider solutions such as HP WebInspects's secure object (VS.NET addon)
Buying a blackbox application scanner such as Netsparker, Appscan, WebInspect, Hailstorm, Acunetix or free version of Netsparker
Hiring some security specialist is so much better idea (will cost more though) because they won't only find injection and technical issues where an automated tool might find, they will also find all logical issues as well.
Anyone in your situation has the following options available:
Code Review,
Static Analysis of the code base using a tool,
Dynamic Analysis of the application at run time.
Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).
However, no tool is perfect and you can end up with false positives (fragments of your code base although not vulnerable will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.
To begin, with one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.
One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.
Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application
Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.
The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.
Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).
If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.
We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.
May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...