web1-3 | cybersec | buidl for good | stoic | she/her | neurodivergent
A simple login to Twitter today showed a lot more community engagement around various projects and not just domain names. While this is great for the Web3 space and general good news for everyone (this year has been rough so let’s celebrate every little win) it does come with a lot of people and projects working hard to push product to market. This and a general disregard for basic software engineering practices and adherence to web security will see more hacks and heartaches.
I’ve often been asked how these hacks happen when everyone keeps saying that Web3 and blockchain technology is more secure. Well, there are a few reasons for some of these hacks in my experience:
Everyone claims to be able to write code.
It’s fantastic that more folks want to write code, design solutions and solve problems but with each line of code comes responsibility.
It’s one thing to write code, it’s another thing to understand the importance of the code that you write. Simple things matter, like variable scope and whether variables and methods are public or private. These basic principles of each programming language are there for a reason; read them, learn them, understand them and use them correctly.
Know your components
Open source is great and allows us to build faster but just because something was not vulnerable yesterday does not mean that is not vulnerable today.
Not everyone who contributes to the OSS package repos is doing this for great reasons. The nefarious contributors are also contributing to the same OSS repos so KNOW EXACTLY WHAT YOUR APPLICATION COMPONENTS ARE AND KEEP THEM UP TO DATE.
There are a number of free, open source tools that you can run in your source repo to scan your apps and dApps for basic security misconfigurations and known vulnerabilities. This not only helps you build a dependency list or SBOM (software bill of materials), it also helps you pick up the low-hanging security issues without needing a security engineer to find them for you.
HTTP what?
If you’re going to be building software that is deployed to the masses you should probably spend some time understanding the infrastructure and protocols that your applications run on.
HTTP, our bestie, is a great protocol with many verbs and response headers. The HTTP request methods you send can be safe, cacheable or idempotent (or none of these); know which is which and when to use each, to prevent misuse by an adversary.
GET
HEAD
POST
PUT
DELETE
CONNECT
OPTIONS
TRACE
PATCH

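As an added example (not code from the original post), here is a small Node.js script that records the safe, idempotent and cacheable properties RFC 9110 assigns to each of the methods listed above, and audits a route table for the classic mistake: a handler that changes state but is exposed on a safe method such as GET, where browsers, link previewers and caches may call it without the user intending to. The route table, the `mutatesState` flag and the severity labels are constructed for this example.

```javascript
// Added example, not part of the original post. Method properties follow RFC 9110:
// safe = no state change expected; idempotent = repeating has the same effect;
// cacheable = responses may be stored by caches (POST only with explicit freshness
// information, so it is treated as not cacheable here).
const METHOD_PROPERTIES = {
  GET:     { safe: true,  idempotent: true,  cacheable: true  },
  HEAD:    { safe: true,  idempotent: true,  cacheable: true  },
  OPTIONS: { safe: true,  idempotent: true,  cacheable: false },
  TRACE:   { safe: true,  idempotent: true,  cacheable: false },
  PUT:     { safe: false, idempotent: true,  cacheable: false },
  DELETE:  { safe: false, idempotent: true,  cacheable: false },
  POST:    { safe: false, idempotent: false, cacheable: false },
  PATCH:   { safe: false, idempotent: false, cacheable: false },
  CONNECT: { safe: false, idempotent: false, cacheable: false },
};

// Returns a copy of the properties for a method name (case-insensitive), or null if unknown.
function methodProperties(method) {
  const props = METHOD_PROPERTIES[String(method).toUpperCase()];
  return props ? { ...props } : null;
}

// Audits a constructed route table. Each route is { method, path, mutatesState }, where
// mutatesState is the developer's own declaration that the handler changes server state.
function auditRoutes(routes) {
  const findings = [];
  for (const route of routes) {
    const method = String(route.method).toUpperCase();
    const label = `${method} ${route.path}`;
    const props = METHOD_PROPERTIES[method];
    if (!props) {
      findings.push({ route: label, severity: 'medium', issue: 'unknown HTTP method; reject it explicitly' });
      continue;
    }
    // The core check: state changes behind a safe method can be triggered by prefetchers,
    // link previews, cached responses and simple cross-site links.
    if (route.mutatesState && props.safe) {
      findings.push({ route: label, severity: 'high', issue: 'state-changing handler on a safe method; move it to POST/PUT/DELETE' });
    }
    // TRACE is rarely needed by an application and is commonly disabled in hardening guides.
    if (method === 'TRACE') {
      findings.push({ route: label, severity: 'low', issue: 'TRACE handler enabled; disable unless required' });
    }
  }
  return findings;
}

// Constructed sample route table for a hypothetical wallet-style API.
const SAMPLE_ROUTES = [
  { method: 'GET',    path: '/api/balance',   mutatesState: false },
  { method: 'GET',    path: '/api/transfer',  mutatesState: true  }, // the mistake
  { method: 'POST',   path: '/api/transfer',  mutatesState: true  },
  { method: 'DELETE', path: '/api/session',   mutatesState: true  },
  { method: 'TRACE',  path: '/',              mutatesState: false },
  { method: 'FOO',    path: '/api/x',         mutatesState: false },
];

console.log(auditRoutes(SAMPLE_ROUTES));
```

Running the script prints three findings for the sample table: the state-changing GET, the TRACE handler and the unknown method. In practice the `mutatesState` flag would come from your router's metadata rather than a hand-written list, but the rule being enforced is the same.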
I could go on and on and write guidelines and share horror stories but that is not the idea of my posts. I love patterns and problem solving in general, so when I looked at the various OWASP Top 10 lists again recently, I noticed that some of the same issues have been there for almost a decade. This says to me that we’re still not getting the basics right and are creating insecure software, and the very same Web2 software engineers are also building on and for Web3. Also, new developers are coming into the Web3 space who don’t even know about the security concerns in Web2 applications and will most likely repeat the same mistakes as their predecessors. So what now? I have no clue yet how to scale and educate developers enough on the basics of AppSec and how to make it super easy to understand and implement in a way that ensures that we don’t carry the Web2 security issues into Web3. This makes me excited though; this is a challenge and one I look forward to solving in some ways, because whatever we have been doing is not working and we need another approach to build faster and more securely.