As a Web3 security company combining years of traditional security experience with a deep knowledge of Web3, the team at Arbitrary Execution has observed a common pattern play out across the industry: Security is seen as a single step in the process—one that is outsourced to “the professionals”—rather than a pursuit integrated into every step of the development life cycle. But, to be fair, how does a non-security company adopt a security-first mindset? Where is the guide? Where is the roadmap?
Today, it is our goal to begin unraveling this dilemma with our introduction of the Web3 Secure Development Life Cycle (SDLC). It is our hope that the Web3 SDLC will become a focal point for the Web3 industry as we seek to build a trusted security framework upon which all future Web3 development can be conducted.
As such, the Web3 SDLC can be described in four phases:
- Design - Securely architect and evaluate all project ideas in terms of systemic risk.
- Develop - Transform ideas into secure implementations.
- Deploy - Implement and automate secure, consistent processes for code deployment and upgrades.
- Defend - Continuously monitor the live system for operational irregularities and vulnerabilities.
Breaking it Down
Now let’s look at each of the four phases of the Web3 SDLC. While we cover the four phases at a high level here, other blog posts will describe the security best practices of each phase in greater detail. From there, we will present actionable criteria in the SDLC Security Maturity Model (SMM) that Web3 companies can use to assess their overall security maturity.
The first phase of the Web3 SDLC is Design. The design process lays the foundation for subsequent phases in the life cycle, as well as for the success of the project as a whole. However, in many projects the design phase is overlooked, and what should have served as design is often blended into the development phase. This is especially true in Web3, where the advantage of being first to market can make or break a company. Additionally, most Web3 projects think more about the viability of their product at this stage than about its security. But taking the time to think about the security of your design can save a lot of time and money down the road.
Many of the security vulnerabilities that a project inherits come from its dependencies. If your project builds upon existing libraries or protocols whose own security is weak, your project will suffer from the effects of its weakest links. If your project becomes unnecessarily complex due to a poor design, that complexity will also be an avenue for potential vulnerabilities to creep in. Failing to consider security during the design of your system can hinder future development or bug fixes, as any design bugs will be deeply entrenched in the architecture of the codebase and difficult to change. Therefore, it is essential to begin work on your project with a solid emphasis on secure design.
Once the vision has been set in the Design phase, the Develop phase is where a tangible product begins to take shape as ideas are transformed into code. The need for incorporating security into a project is nowhere more evident than in the development phase. Many of the most damaging hacks and exploits of Web3 projects have found their genesis in vulnerabilities introduced during this stage. So it is essential that projects give themselves the greatest advantage by applying secure development practices to every line of code they write.
As a developer, one of the greatest challenges to writing secure code is developing a security-focused mindset. Writing code to achieve the functional objectives of your Web3 protocol can be hard—writing it to also be secure is even harder. For many devs, the temptation to leave security concerns until a later stage is difficult to overcome. But even the smallest shift towards integrating security into your development routine will reap meaningful rewards.
The application of the SDLC’s security principles during a project’s Design and Develop phases will lead to a highly secure product that inspires confidence in both its team and its users. But the work of security is not finished. A number of crucial security pitfalls can still remain in the Deploy phase.
In the Design and Develop phases, the work on your project may have been secretly carried out in the privacy of a walled garden. But during the Deploy phase, your team’s work begins its journey out into the open for all the world to see. Some of the risks inherent in this stage exist within the process of migrating your code from development to test, and on to staging and production. Other risks exist in the safeguarding of your project’s private keys from compromise. And the immutability of the blockchain can lead to permanent consequences due to deployment mistakes.
Once your work is securely deployed for the world to use, there is still the need to remain vigilant in the context of security. Web3 teams that have worked to incorporate the highest levels of security into all phases of their project’s life cycle and have even had their work audited by trained security professionals can still be at risk. The complexity of Web3 protocols and their on- and off-chain interactions makes it highly possible that some undiscovered vulnerabilities still remain. Even if all security best practices were followed during a project’s creation, it is still critical to defend a project’s security after it is deployed.
Some of the risks associated with a live project revolve around the ways its users interact with it in daily use. Even when no ill intent exists on the part of users, they may interact with systems in ways that were neither predicted nor accounted for in the project’s design. On the flip side, every Web3 project is sure to face attacks by bad actors who do have ill intent and who have scrutinized every possible angle for exploitation and abuse. Some risks can even come from within the project team itself, so the ongoing security risks of all privileged roles within a project must be considered.
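The two Defend-phase concerns raised above, continuously monitoring the live system for operational irregularities and treating privileged roles as a standing risk, as an added example that is not part of the original post and not Arbitrary Execution's own monitoring tooling: a small Python scanner that runs over decoded on-chain event logs and raises alerts when privileged state changes. The event names (OwnershipTransferred, RoleGranted, Upgraded, Paused/Unpaused) follow common OpenZeppelin conventions; the contract addresses, the admin allowlist, the timelock CallScheduled argument layout used to detect an unannounced upgrade, and the sample log records are all constructed for illustration.

```python
"""Toy Defend-phase monitor over decoded contract events.

Added example, not Arbitrary Execution's tooling. Event names follow
common OpenZeppelin conventions; contract addresses, the admin allowlist,
the timelock argument layout and the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed: the protocol's contracts that deserve per-event scrutiny.
MONITORED_CONTRACTS = {"0xProxy": "TokenVaultProxy", "0xTimelock": "Timelock"}
# Constructed: the only accounts that should ever hold owner/admin power.
ALLOWED_ADMINS = {"0xTimelock", "0xMultisig"}


@dataclass
class Event:
    block: int
    contract: str
    name: str
    args: dict


@dataclass
class Alert:
    severity: str
    block: int
    contract: str
    message: str


def check_event(ev: Event) -> Optional[Alert]:
    """Stateless check: does this single event touch privileged state?"""
    label = MONITORED_CONTRACTS.get(ev.contract)
    if label is None:
        return None  # not one of ours; ignore
    if ev.name == "OwnershipTransferred":
        new_owner = ev.args.get("newOwner")
        if new_owner not in ALLOWED_ADMINS:
            return Alert("critical", ev.block, label,
                         f"ownership moved to unlisted account {new_owner}")
        return Alert("info", ev.block, label,
                     f"ownership moved to allowlisted account {new_owner}")
    if ev.name == "RoleGranted":
        account = ev.args.get("account")
        if account not in ALLOWED_ADMINS:
            return Alert("high", ev.block, label,
                         f"role {ev.args.get('role')} granted to unlisted account {account}")
        return None  # routine grant to an allowlisted admin
    if ev.name == "Upgraded":
        return Alert("high", ev.block, label,
                     f"implementation changed to {ev.args.get('implementation')}")
    if ev.name in ("Paused", "Unpaused"):
        return Alert("medium", ev.block, label, f"{ev.name} by {ev.args.get('account')}")
    return None


def scan(events: Iterable[Event]) -> List[Alert]:
    """Stateful pass in block order.

    Besides the per-event checks, an Upgraded event whose implementation was
    never announced through a timelock CallScheduled event (constructed
    governance rule) is escalated to critical: that is the kind of
    operational irregularity a single-event filter cannot see.
    """
    scheduled = set()  # implementations announced via the timelock
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.contract == "0xTimelock" and ev.name == "CallScheduled":
            scheduled.add(ev.args.get("implementation"))
        alert = check_event(ev)
        if alert is None:
            continue
        if ev.name == "Upgraded" and ev.args.get("implementation") not in scheduled:
            alert = Alert("critical", alert.block, alert.contract,
                          alert.message + " without a prior timelock schedule")
        alerts.append(alert)
    return alerts


# Constructed sample log stream (already decoded from raw topics/data).
SAMPLE_EVENTS = [
    Event(100, "0xProxy", "Transfer", {"from": "0xa", "to": "0xb", "value": 10}),
    Event(101, "0xTimelock", "CallScheduled", {"implementation": "0xImplV2"}),
    Event(120, "0xProxy", "Upgraded", {"implementation": "0xImplV2"}),
    Event(130, "0xProxy", "RoleGranted", {"role": "DEFAULT_ADMIN_ROLE", "account": "0xMultisig"}),
    Event(140, "0xProxy", "RoleGranted", {"role": "PAUSER_ROLE", "account": "0xUnlisted1"}),
    Event(150, "0xProxy", "Upgraded", {"implementation": "0xImplV3"}),
    Event(160, "0xProxy", "OwnershipTransferred", {"previousOwner": "0xMultisig", "newOwner": "0xUnlisted2"}),
    Event(170, "0xOther", "OwnershipTransferred", {"newOwner": "0xUnlisted2"}),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] block {a.block} {a.contract}: {a.message}")
```

Run as-is, the scan ignores the routine Transfer, the grant to the allowlisted multisig and the event on an unmonitored contract, and reports four alerts: the announced upgrade at block 120 (high), the role grant to an unlisted account at 140 (high), the unannounced upgrade at 150 (critical) and the ownership move to an unlisted account at 160 (critical). In a real deployment the event stream would come from a node's log subscription and the allowlist from the project's governance documentation; the structure of the checks stays the same.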
The Security Solution
Design, Develop, Deploy, Defend—with security built into the four critical phases of every project’s life cycle, the Web3 Secure Development Life Cycle aims to remedy the security deficiencies so prevalent in the Web3 world today. At Arbitrary Execution, it is our desire that the Web3 SDLC becomes both the rallying point around which the Web3 world congregates on security topics, as well as the framework that helps them forge ahead towards security maturity.
Why You Can Trust Arbitrary Execution
Arbitrary Execution (AE) is an engineering-focused organization that specializes in securing decentralized technology. Our team of security researchers leverages their offensive security expertise, tactics, techniques, and hacker mindset to help secure the crypto ecosystem. In the two years since the company’s inception, Arbitrary Execution has performed more than 50 audits of Web3 protocols and projects, as well as created tools that continuously monitor the blockchain for anomalous activity. For more information on Arbitrary Execution's professional services, contact firstname.lastname@example.org. Follow us on Twitter and LinkedIn for updates on our latest projects, including the Web3 SDLC.