So, the earlier security professionals discovers and understand the weaknesses of blockchain the better in order for us to help protect it
And we'd better do it fast. Blockchain is becoming the "biometric" of our day: the magic cure-all that fixes everything we don't understand ...
Blockchain lacks enterprise security frameworks and associated controls: Rather like the chain of trust, including that of Public Key Infrastructure (PKI) you need to look under the hood and simply ask the questions:
To quote Hal Finney:
"Bitcoin seems to be a very promising idea. I like the idea of basing security on the assumption that the CPU power of honest participants outweighs that of the attacker. It is a very modern notion that exploits the power of the long tail.”
There was a lot of game theory going into blockchain(assuming you don't live in sociopath central), and while the philosophy is sound we do have to look at the weakest link.
If you think about it form a classical engineering standpoint joints between materials of different hardness and toughness can be problematic, applying it to new technologies - sixty odd years ago DeHaviland Comets were popping like balloons because(simplifying) - square corners on windows.
Blockchain itself isn't the problem, it's how it's used, developed and tested. you assume that your HSM keeps the private key all nice and secure, but then a new attack comes along and maybe you need this:
But then what of this:
Does anyone have any information or some sort of nugget on BlockChain Security?
Or some BlockChain Security Hygiene.
Are you talking about implementing a Private, Public, or Hybrid BlockChain?
If it's private, then really you're talking about all the standard protective measures applied to your most critical systems along with proper crypto key management.
If it's public then what we are talking about is trusting a public consensus. There is an assumption in the public blockchain implementations that the participants doing the "mining" or keeping the ledger are all altruistic. However it's theoretically possible to attack the blockchain by overwhelming it with unaffiliated zombies (any group, such as a mining club, that can perform 51% of the transactions causes the chain to fail).
Hybrid Public/Private systems introduce vulnerabilities into the whole system from the vectors present in the respective parts.
The real issue is that, however it started out, blockchain has now become kind of a marketing term: it means whatever the vendor selling it to you thinks it means. (Which is not necessarily what you need it to mean.)
At base, it is an amalgamation of two ideas. Digital signing of transactions, and a distributed database of those transactions and signatures.
Beyond that, we have implementation details. And those, as always, are where the problems arise.
Are you really serious about the signatures? Are you doing confidentiality, or just the authentication? How serious is your signature algorithm? What about key management? Have you got all the bits you need for a full PKI? Are you using a heirarchical model or web of trust?
And these are only the beginning of the questions. On the signature side.
How are you going to distribute the transaction ledger? Is it going to be full everywhere? Is it going to be full anywhere? How can it be accessed and checked? Will a complete examination of the register identify an individual even if a single transaction doesn't?
So, ultimately, the answer to your question is "no." There isn't any nugget. There isn't any cheat sheet. The hygiene depends upon what you build or buy.
And that's why BLOCKCHAIN IS NOT THE ANSWER.
(Blockchain isn't even the question. Even if the answer is "no.")
Nice article, thanks for sharing.
I am not able to find the part 2 of this series, appreciate if you can share the link for that too.