In our recent blog post on The Current State of Web3 Security Criteria, we provided an overview of existing security frameworks and examined the advantages and disadvantages of each one. Overall, we found that each framework fell short in different areas. Some frameworks tried to combine all criteria into a single score, which implied a false equivalence between unrelated criteria. Other frameworks focused exclusively on specific portions of security, such as key management, which made them useful to only a small subset of Web3 projects. Security is incremental, and so we want to improve the current landscape of Web3 security criteria by introducing a new comprehensive framework, with its own criteria, that addresses the shortcomings we identified in existing frameworks.
In previous blog posts, we introduced the Web3 Secure Development Life Cycle (SDLC) as a modern framework for the secure development of today’s Web3 projects. Because the information provided in the SDLC is primarily descriptive, an additional component is needed to allow Web3 projects to assess their current security maturity and provide concrete and actionable guidance towards improvement. It is in this role that we introduce the Web3 Security Maturity Model (SMM).
An SMM is like a security report card. It helps projects know their security “grade” within a security framework like the SDLC. It does this by breaking down each area of guidance in the security framework into specific, measurable criteria. Projects then use these criteria like a checklist, grading their level of security against each one. In the end, the SMM gives the big picture of a project’s overall security posture and provides specific, actionable goals that teams can use to correct any shortcomings they find.
The SMM is organized in a hierarchy starting with the four phases of the SDLC: Design, Develop, Deploy, and Defend. In the SMM, these four phases are called “domains.” Within each domain, a list of measurement criteria is provided. The criteria are where the rubber meets the road in the SMM. Each criterion is used by Web3 teams to ask themselves the question, “Does my project meet the specific security requirements outlined?” The criteria are what actually give insight into how secure a project is.
Because there are many criteria in each of the four SMM domains, one additional level of organization is added to the SMM hierarchy. This additional level is “subdomains,” which group criteria in each domain by similarity. For example, in the Design domain, the Documentation subdomain groups all the documentation-related security criteria. The following graphic presents an overview of the SMM hierarchy:
A table is used for each of the SMM subdomains to present all relevant security criteria, as in the following example:
The table lists each of the subdomain’s security criteria in its own row. Within the row, there are three columns titled “Minimum”, “Improved”, and “Advanced.” These three columns list the specific steps that must be taken to achieve the noted level of security maturity. To achieve a particular level of security maturity, your project must implement all security steps listed in that column.
The steps listed in the Minimum, Improved, and Advanced columns are not always additive or cumulative as you move from Minimum to Advanced. In most cases, the levels for a given criterion are iterative: each column describes a more mature form of the same practice rather than an additional practice. For example, the Minimum column for a criterion may require that you have implemented a manual security process, while the Improved column requires you to have automated that same security process.
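To make the grading rule concrete, here is an added example (not code from the post or from Arbitrary Execution) that scores a project against an SMM-style rubric: each column is checked on its own, so a criterion is met at a level only when every step in that column is implemented, and a project can reach Improved without having done the Minimum step. The subdomain, criterion names, step texts and the set of implemented steps are constructed, and the roll-up rule (a subdomain scores the lowest level reached by any of its criteria) is an assumption the post does not state.

```python
"""Scoring a project against an SMM-style rubric.

Added example, not code from the Arbitrary Execution post. The subdomain,
criterion names, step texts and the implemented-steps set below are
constructed; the roll-up rule (a subdomain scores the lowest level reached
by any of its criteria) is an assumption the post does not state.
"""
from dataclasses import dataclass

LEVELS = ("Minimum", "Improved", "Advanced")  # column order used in the post


@dataclass
class Criterion:
    name: str
    steps: dict  # level name -> list of steps required to reach that level


@dataclass
class Subdomain:
    name: str
    criteria: list


def criterion_level(criterion, implemented):
    """Highest level whose steps are ALL implemented (None if no level is met).

    Each column is checked independently: the post says columns are not
    always cumulative, so a project that automated a process (Improved) is
    graded Improved even if it never ran the manual version (Minimum).
    """
    achieved = None
    for level in LEVELS:
        required = criterion.steps.get(level, [])
        if required and all(step in implemented for step in required):
            achieved = level
    return achieved


def next_target(criterion, implemented):
    """Next column to work toward and the steps still missing from it."""
    achieved = criterion_level(criterion, implemented)
    index = 0 if achieved is None else LEVELS.index(achieved) + 1
    if index == len(LEVELS):
        return None, []  # already at Advanced; nothing left to do
    target = LEVELS[index]
    missing = [s for s in criterion.steps.get(target, []) if s not in implemented]
    return target, missing


def assess_subdomain(subdomain, implemented):
    """Grade every criterion, then roll up (assumed rule: weakest criterion wins)."""
    report = {"criteria": {}}
    ranks = []
    for criterion in subdomain.criteria:
        level = criterion_level(criterion, implemented)
        target, missing = next_target(criterion, implemented)
        report["criteria"][criterion.name] = {
            "level": level, "next": target, "missing": missing}
        ranks.append(-1 if level is None else LEVELS.index(level))
    worst = min(ranks) if ranks else -1
    report["level"] = None if worst < 0 else LEVELS[worst]
    return report


# Constructed sample: two criteria in the Design domain's Documentation subdomain.
DOCUMENTATION = Subdomain("Documentation", [
    Criterion("Threat model", {
        "Minimum": ["A written threat model exists"],
        "Improved": ["Threat model is reviewed every release"],
        "Advanced": ["Threat model is updated whenever the design changes"],
    }),
    Criterion("Design review", {
        "Minimum": ["Designs are reviewed manually before implementation"],
        "Improved": ["Design review is an automated gate in the workflow"],
        "Advanced": ["Automated gate blocks work until findings are resolved"],
    }),
])

# Constructed: what the hypothetical project has actually done. Note that the
# manual design review (Minimum) was skipped in favour of the automated gate.
IMPLEMENTED = frozenset({
    "A written threat model exists",
    "Threat model is reviewed every release",
    "Design review is an automated gate in the workflow",
})

if __name__ == "__main__":
    result = assess_subdomain(DOCUMENTATION, IMPLEMENTED)
    print(f"{DOCUMENTATION.name}: {result['level']}")
    for name, entry in result["criteria"].items():
        print(f"  {name}: {entry['level']}; next {entry['next']}: {entry['missing']}")
```

Running the script grades both criteria as Improved and the subdomain as Improved, and lists the Advanced step each criterion still lacks. The per-criterion "missing" list is the actionable part: it is the checklist a team would work through to reach the next column.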
In this post, we have presented an introduction to the Web3 Security Maturity Model. In upcoming posts, we will present further details on the subdomains and criteria that make up each of the four Web3 SDLC phases and the specific steps projects can take for each criterion to achieve security maturity.
Why You Can Trust Arbitrary Execution
Arbitrary Execution (AE) is an engineering-focused organization that specializes in securing decentralized technology. Our team of security researchers leverages its offensive security expertise, tactics, techniques, and hacker mindset to help secure the crypto ecosystem. In the two years since the company’s inception, Arbitrary Execution has performed more than 50 audits of Web3 protocols and projects and has created tools that continuously monitor the blockchain for anomalous activity. For more information on Arbitrary Execution's professional services, contact firstname.lastname@example.org. Follow us on Twitter and LinkedIn for updates on our latest projects, including the Web3 SDLC.