SlideShare a Scribd company logo

[OPD 2019] Web Apps vs Blockchain dApps

OWASP
OWASP

Damian Rusinek

Internet
1 of 55
Download to read offline
www.securing.pldrdr_zz Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP Poland Day, Wrocław 2019 16th of October 2019
www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github • Pentester • Researcher • Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London & OWASP Poland Day Warsaw drdr_zz
www.securing.pldrdr_zzdrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? • There exist great projects already: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • The market is worth billions of $ in cryptocurrencies. • A chance for new technologies (e.g. financial technology) • Easy decentralized banking, • No brokers (direct payments). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps ARE THOSE SECURE?
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard
www.securing.pldrdr_zzdrdr_zz • Objectives: • Provide a checklist for architects, developers and security reviewers. • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • Format similar to ASVS. SCSVS - Objectives
www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
www.securing.pldrdr_zzdrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
www.securing.pldrdr_zzdrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~100k USD) • SmartBillions Lottery hack • 400 ETH stolen (~80k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Miners/Validators • Validate transactions and add new blocks
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
www.securing.pldrdr_zzdrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
www.securing.pldrdr_zzdrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
www.securing.pldrdr_zzdrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
www.securing.pldrdr_zzdrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
www.securing.pldrdr_zzdrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack (2nd): • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~100kk USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
www.securing.pldrdr_zzdrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
www.securing.pldrdr_zzdrdr_zz Differences – Security Alert and Fix SDLC – Maintenance Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
www.securing.pldrdr_zzdrdr_zz V13: Known attacks SCSVS – The special category • Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
www.securing.pldrdr_zz Thank you! Damian.Rusinek@securing.pl @drdr_zz Free 13-part security checklist Want a security audit of smart contract? Go for SCSVS!

Recommended

[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computingOWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS InfrastructureOWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 

Recommended

[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computingOWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS InfrastructureOWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture AddWeb Solution Pvt. Ltd.
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSPriyanka Aash
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your applicationVMware Tanzu
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssistBryan Ferrario
 
A Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsA Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsVMware Tanzu
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security NinjaAmazon Web Services
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 

More Related Content

What's hot

Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSPriyanka Aash
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your applicationVMware Tanzu
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssistBryan Ferrario
 
A Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsA Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsVMware Tanzu
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 

What's hot (20)

Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
 
A Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsA Deep Dive into Spring Application Events
A Deep Dive into Spring Application Events
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 

Similar to [OPD 2019] Web Apps vs Blockchain dApps

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Capital Numbers
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionSecurity Innovation
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trustZscaler
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfMobiloitte Technologies
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainAhmed Banafa
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
 
Algorand Technical Workshop 2021
Algorand Technical Workshop 2021Algorand Technical Workshop 2021
Algorand Technical Workshop 2021DanielBohnemann
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance WebinarGrafic.guru
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on AzureNuri Cankaya
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Diego Alberto Tamayo
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMDiego Alberto Tamayo
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 

Similar to [OPD 2019] Web Apps vs Blockchain dApps (20)

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar Question
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
 
Block chain technology
Block chain technology Block chain technology
Block chain technology
 
Block chain technology
Block chain technologyBlock chain technology
Block chain technology
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : Blockchain
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
 
Algorand Technical Workshop 2021
Algorand Technical Workshop 2021Algorand Technical Workshop 2021
Algorand Technical Workshop 2021
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance Webinar
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on Azure
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBM
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 

More from OWASP

[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOCOWASP
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzingOWASP
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security WorldOWASP
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hackingOWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hackingOWASP
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the PipelineOWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the PipelineOWASP
 
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient softwareOWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient softwareOWASP
 
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...OWASP
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP
 
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App VulnsOWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App VulnsOWASP
 

More from OWASP (20)

[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hackingOWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the PipelineOWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
 
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient softwareOWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
 
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
 
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App VulnsOWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
 

Recently uploaded

Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdfkeithzhangding
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 

Recently uploaded (20)

Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 

[OPD 2019] Web Apps vs Blockchain dApps

  • 1. www.securing.pldrdr_zz Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP Poland Day, Wrocław 2019 16th of October 2019
  • 2. www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github • Pentester • Researcher • Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London & OWASP Poland Day Warsaw drdr_zz
  • 3. www.securing.pldrdr_zzdrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
  • 4. www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
  • 5. www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? • Decentralized Application are like Web Applications with decentralized storage and governance. • Web Apps • Facebook • Reddit • Decentralized Apps • Steemit (a kind of decentralized Reddit)
  • 6. www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? • There exist great projects already: • Augur (decentralized oracle and prediction market), • Gnosis (prediction platform), • MakerDAO (decentralized finance). • The market is worth billions of $ in cryptocurrencies. • A chance for new technologies (e.g. financial technology) • Easy decentralized banking, • No brokers (direct payments). • Big players: • Hyperledger (Linux Foundation, IBM, Intel, SAP), • Libra (Facebook).
  • 7. www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? • Trustlessness: Use blockchain to store code and data (state). • No one can turn it off permanently (anyone can bring it to live). • Everyone can have it (like keeping the database of FB or Reddit locally).
  • 8. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
  • 9. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
  • 11. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 12. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still….
  • 13. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? • Undestroyable: No one can turn it off • Cryptographically secure: All transactions are digitally signed • Publicly verifiable: Anyone can verify the code of smart contracts • But still…. Expectations Reality
  • 14. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
  • 15. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit?
  • 16. www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard
  • 17. www.securing.pldrdr_zzdrdr_zz • Objectives: • Provide a checklist for architects, developers and security reviewers. • Help to mitigate known vulnerabilities by design. • Help to develop high quality code of the smart contracts. • Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. • Format similar to ASVS. SCSVS - Objectives
  • 18. www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
  • 19. www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
  • 20. www.securing.pldrdr_zzdrdr_zz • Approaches • OWASP SAMM • SDL (Security Development Lifecycle) • BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
  • 21. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
  • 22. www.securing.pldrdr_zzdrdr_zz Similiarities • Threat modelling SDLC – Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
  • 23. www.securing.pldrdr_zzdrdr_zz Differences – Sensitive data SDLC – Analysis & Requirements Web Apps • Stored in protected database Decentralized Apps • Stored on public blockchain • Forever • Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
  • 24. www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements Web Apps • Allowed only to part of application • Frontend • API Decentralized Apps • Allowed to the whole application • Code is public • Functions are public by default
  • 25. www.securing.pldrdr_zzdrdr_zz Differences – Public access SDLC – Analysis & Requirements • Parity Wallet hack • 150k ETH stolen (~30kk $) • https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
  • 26. www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements Web Apps • A matter of a function call Decentralized Apps • Not trivially achieved in the decentralized computer • No local parameters can be used
  • 27. www.securing.pldrdr_zzdrdr_zz Differences – Randomness SDLC – Analysis & Requirements • EOSPlay hack • 30k EOS stolen (~100k USD) • SmartBillions Lottery hack • 400 ETH stolen (~80k USD) • https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
  • 28. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Miners/Validators • Validate transactions and add new blocks
  • 29. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis • Augur vulnerability • DoS on smart contract • Business logic abuse by miner • 5k $ bounty https://hackerone.com/reports/377398
  • 30. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC – Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
  • 31. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
  • 32. www.securing.pldrdr_zzdrdr_zz Similiarities • Least privilege rule • Access control • Public and known to everyone • Centralized and simple SDLC – Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
  • 33. www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design Web Apps • Infinite loops -> DoS Decentralized Apps • Unbound loops -> DoS
  • 34. www.securing.pldrdr_zzdrdr_zz Differences – Loops SDLC – Design • GovernMentals • A ponzi scheme • Iteration over a huge array • 1100 ETH frozen • https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
  • 35. www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC – Design • Decentralized Applications keep cryptocurrencies • The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
  • 36. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
  • 37. www.securing.pldrdr_zzdrdr_zz • Great tools • Perform basic security analysis • But we still make bugs. • Sounds familiar? ☺ SDLC – Implementation
  • 38. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation Web Apps • Not that common Decentralized Apps • Overflows and underflows
  • 39. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation • Multiple ERC20 Smart Contracts • Allow to transfer more than decillions (10^60) of tokens • https://bit.ly/2lWa9ma • https://bit.ly/2ksNEF1
  • 40. www.securing.pldrdr_zzdrdr_zz Similarities – Arithmetic bugs SDLC – Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
  • 41. www.securing.pldrdr_zzdrdr_zz Differences – Recursive calls SDLC – Implementation Web Apps • Must be explicitly included in the logic Decentralized Apps • Executing some logic multiple times in one call • The DAO hack • Recursive withdrawals • 3.6 mln ETH stolen • https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
  • 42. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
  • 43. www.securing.pldrdr_zzdrdr_zz Similarities – Great tools for automatic scans SDLC – Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
  • 44. www.securing.pldrdr_zzdrdr_zz Similiarities – Ensuring the testing takes place • including manual security tests SDLC – Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
  • 45. www.securing.pldrdr_zzdrdr_zz Similiarities – Business logic errors • Hard to find using automated scans • MakerDAO vulnerability • Allows to create DAI cryptocurrency without coverage • 25k $ bounty SDLC – Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
  • 46. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
  • 47. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment Web Apps • Setting up configurations and integrations • Performed once during deployment Decentralized Apps • Setting up configurations and integrations • What if one can (re-)initialize the contract?
  • 48. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment • Parity Wallet hack (2nd): • Kill contract shared by hundreds of other contracts • 500k ETH frozen (~100kk USD) • https://bit.ly/2kIBYhA • https://bit.ly/2kpfKkm
  • 49. www.securing.pldrdr_zzdrdr_zz Differences – Initialization stage SDLC – Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
  • 50. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
  • 51. www.securing.pldrdr_zzdrdr_zz Similarities – Logs SDLC – Maintenance Web Apps • Kept safe on the server Decentralized Apps • Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
  • 52. www.securing.pldrdr_zzdrdr_zz Differences – Security Alert and Fix SDLC – Maintenance Web Apps • Application goes down • The bug is fixed (patch) • Application redeployed Decentralized Apps • Smart contract goes down • The bug is fixed (patch) • Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
  • 53. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps • Most common vulnerabilities? • OWASP Top 10 • The knowledge base about the weaknesses? • Mitre CWE (Common Weakness Enumeration) • The end to end security checklist to perform an audit? • OWASP ASVS (Application Security Verification Standard) Decentralized Apps • Most common vulnerabilities? • DASP Top 10 (https://dasp.co) • The knowledge base about the weaknesses? • SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) • The end to end security checklist to perform an audit? SCSVS
  • 54. www.securing.pldrdr_zzdrdr_zz V13: Known attacks SCSVS – The special category • Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
  • 55. www.securing.pldrdr_zz Thank you! Damian.Rusinek@securing.pl @drdr_zz Free 13-part security checklist Want a security audit of smart contract? Go for SCSVS!