According to Crunchbase data, venture capital invested in crypto security (Security & Regtech) in 2021 exceeded $1 billion. For comparison, total venture capital in this field in 2020 was less than $100 million.
By these figures, investment in new Web3 security companies grew more than tenfold in 2021, which to some extent reflects how necessary security is for the entire industry. The success of Web3 depends on innovative models, in particular on solving the new security challenges that come with a different application architecture. In Web3, decentralized applications, or "dApps", do not depend on the traditional application logic and data layers found in Web 2.0; to manage the logic and state of the decentralized internet. From the user's point of view, interacting with and updating data still means accessing a front end connected to these nodes, for example to publish new content or to purchase an NFT. Such actions require the user to sign transactions with a private key, and private keys are usually managed by a wallet. This model is meant to protect users' control and privacy. Transactions on the blockchain are fully transparent, publicly accessible, and immutable.
Status quo

The pursuit of personal ownership and data sovereignty also brings a variety of security issues (because individuals differ in how well they understand and are familiar with security), but these issues should not become obstacles to the development of Web3. Looking back at history, there are clear parallels with Web 1.0 and Web 2.0: the original versions of SSL/TLS had serious vulnerabilities, and early security tools were usually rudimentary and refined over time. From this perspective, Web3 security companies and projects such as Certik, Forta, Slither, and Securify are the counterparts of the code scanning and application security testing tools originally developed for Web 1.0 and Web 2.0 applications. However, a very important part of the Web 2.0 security model is response. In Web3, a transaction cannot be changed once it has executed, so security usually means establishing mechanisms that verify whether a transaction meets the conditions for safety before it proceeds; in other words, security must be better at prevention. The Web3 community must think about how to plan technically, address systemic weaknesses, and prevent new attack vectors that target cryptographic primitives and smart contract vulnerabilities.
Four directions

The four directions below can move the Web3 security model toward prevention.

Source-of-truth data for vulnerabilities

There needs to be a source of truth for known Web3 (project) vulnerabilities and weaknesses. Today, official vulnerability databases already provide the core data for vulnerability management programs. Web3 needs the decentralized equivalent of that data to eliminate information asymmetry. Currently, incomplete information (vulnerabilities, exposures, etc.) is scattered across the likes of the SWC Registry, Rekt, Smart Contract Attack Vectors and the DeFi Threat Matrix, while Immunefi runs a bug bounty program to better find new weaknesses.

Security decision-making norms

In Web3, the key security design choices and incident decision models are still being explored. Decentralization means that no one can take full responsibility for these problems, and the impact on users can be huge. The recent Log4j vulnerability, for example, is a wake-up call about leaving security concerns to a decentralized community. What is the Log4j vulnerability? The Java open source tool log4j2 was suddenly found to have a remote code execution vulnerability in December last year (a vulnerability that malicious actors can exploit to install malware on affected systems). Log4j2 is an open source logging component for Java, widely used in business systems by many world-leading companies, well-known organizations and enterprises including Google, Microsoft and Amazon.
Log4j2 is maintained by volunteers at the non-profit Apache Software Foundation. It is therefore necessary to clarify further how DAOs, security experts, Web3 infrastructure providers such as Alchemy and Infura, and other relevant parties cooperate to deal with emerging security issues. The way large open source communities formed the OpenSSF and CNCF advisory groups is a useful reference for establishing processes to handle security issues.

Authentication and signing

Most dApps on the market today do not authenticate or sign their API responses. This means that when a user's wallet retrieves data from these dApps, it has no way to verify that the response came from the intended (genuine, not counterfeit) application or that the data has not been tampered with. In a world where dApps have no good way to adopt basic security routines, users are left to judge security and trustworthiness on their own. That is very difficult, and there really needs to be a better way to alert users to risks.
Better key management experience (easier, user-controlled key management)

Key management is the basis on which users transact in the Web3 paradigm. Keys are also notoriously difficult to manage, and much of the crypto business has revolved, and will continue to revolve, around key management. The complexity and risk of managing private keys is also one of the main reasons users choose custodial wallets over non-custodial wallets. Using custodial wallets, however, creates new "intermediary products" such as Coinbase, which runs counter to Web3's ideal of complete decentralization and, to some extent, limits users' ability to enjoy all the advantages Web3 offers. Ideally, further security innovation will give users a better and safer experience in non-custodial scenarios.

Notably, the first two initiatives (source-of-truth vulnerability data and security decision-making norms) revolve more around people and processes, while the third and fourth require new technological change. Keeping new technologies, new processes, and large numbers of users in sync is one of the challenges of Web3 security. One thing remains very encouraging, however: Web3 security innovation is carried out in an open, open source environment, and creative solutions will emerge from it.
Twitter: @Raca_Doge
