
A series of multi-million dollar hacks creates a booming business for blockchain security experts

Written by Tonya Riley

Even though cryptocurrency markets are facing economic turmoil, there is one segment of blockchain-based industries where business is booming: blockchain security.

An industry of audit firms that formed over the past few years to cope with the emerging technology now reports waiting lists of up to a year before it can even start working with clients, and a growing list of job vacancies that they ‘can’t fill fast enough.’

And investors are also flocking to get a piece of the action, pumping millions of dollars into companies that promise to help protect an increasingly fragile cryptocurrency ecosystem.

From the outside, the race for security looks like a long overdue course correction for an industry now plagued by near-weekly multimillion-dollar hacks. However, not all industry security experts necessarily see the business boom as an absolute win for the industry, they tell CyberScoop. Instead, they say it points to a much deeper challenge for the industry: cultivating the kind of security talent needed to keep a growing financial industry safe under the constant threat of hacks.

“It’s not a good thing that there is a reliance on endpoint consultants for the basic skills required to build blockchain software,” said Dan Guido, founder of the security firm Trail of Bits.

Crypto companies hire Trail of Bits to independently audit their code for vulnerabilities, a process that Guido says reassures the company but isn’t the same level of security as full or ongoing security reviews.

While experts like Guido adamantly advise that companies integrate other security processes into their development and review processes, external audits have become a crutch for an industry hampered by a lack of blockchain security experts.

“You have a talent shortage in cybersecurity, in general,” said David Schwed, chief operating officer of blockchain security firm Halborn. “And then a subsection of that is this new and emerging technology where it requires a different type of thinking than traditional cybersecurity professionals.”

Blockchain projects present distinct challenges for security professionals. First and foremost, many are written in newer, less common programming languages such as Solidity, which reduces the number of people who can audit the code. Unlike many other systems, which are designed to be closed in order to thwart attacks, the blockchain is public, meaning attackers have an open book in which to look for vulnerabilities.

The biggest hurdle in finding the right talent isn’t so much teaching people about blockchain as finding someone with the right mindset, Schwed says.

“I don’t mean it’s a different level of paranoia, but that’s really what’s required in this field,” Schwed said. “A transaction is immutable. Let’s go. This is the important element that they must understand.” Given the nature of some attacks, security experts also need to understand how the technology works on the business side, he says.

Major cryptocurrency companies are taking a similar approach to finding talent. Nick Percoco, the chief security officer at digital asset exchange Kraken, says he is looking for candidates who have both a strong security background and a practical interest in blockchain.

Percoco notes that while Kraken uses external audits for legal reasons, having an in-house security team allows it to continuously test Kraken’s products for possible vulnerabilities. It also helps build a company-wide culture of security, which is especially important as criminal and domestic hackers increasingly prey on employees of digital currency companies.

“It’s more than systems, it’s more than policy, it’s more than software – it’s basically a mindset that everyone in the company is put into,” Percoco said.

Both Schwed and Percoco pointed to bug bounty programs, in which independent security researchers report vulnerabilities for a reward, as another key avenue for finding new talent. Big companies like the NFT platform OpenSea and Solana organize their own hack-a-thons in addition to traditional audits.

While the industry waits for universities and traditional training programs to meet the needs of the blockchain industry, some security experts have taken a hands-on approach to nurturing new talent.

“There is the tragedy of the commons that happens with education and talent,” says Rajeev Gopalakrishna, a researcher who founded Secureum, an online learning community and boot camp for security experts interested in blockchain security. “Everyone wants to hire talent. But who will train them or build the content?”

Since 2021, hundreds of people have used Secureum’s online training program. Gopalakrishna says he knows about 20 students who have worked full-time at audit firms, though many have learned the skills to do more hobbyist work like bug bounty programs. Trail of Bits also offers an apprenticeship program for security experts interested in blockchain.

Human intervention is not the only answer. Experts also pointed to advances in automated tools that can help developers with more basic security features. But such tools will never fully replace human expertise, says Guido. His company found in a study that automated tools only detected about 50% of vulnerabilities in blockchain projects.

Of course, solving the lack of blockchain security skills will only help security in the industry to the extent that the growing number of crypto startups take advantage of it. The rapid development cycle of blockchain projects and the burgeoning nature of the industry means that there will always be developers who don’t prioritize security from the start.

“The overall space security posture was going up, and then the bull market happens, and it’s really going back to what it was four years ago,” said Mehdi Zerouali, co-founder of security firm Sigma Prime. “And I think it’s just a matter of having so many people joining this space, potentially needing to go through the same mistakes and realizing the importance of safety.”

These errors accumulate. According to one estimate, blockchain projects lost over $600 million worth of cryptocurrency to hacks in the second quarter of 2022 alone. And some of the biggest losses in 2022, including the record 600 million dollars from Axie Infinity, were the result of traditional cyberattacks, not the exploitation of Web3 technology. More recently, persistent attacks by North Korean hackers on cryptocurrency firms have rocked the industry and raised concerns in the US national security community.

“It upped the ante. This made the consequences of even minor breakdowns much more serious,” Guido said. “And I just don’t think many companies are ready to operate in this type of environment where they have a dedicated focus group of attackers who will stop at nothing until they are successful.”

These risks will continue to grow as blockchain technology develops and becomes more complex.

“The average DeFi [decentralized finance] project we would look at two years ago is nothing like the average DeFi project we would have now,” Zerouali said. “With innovation comes the question ‘How do I do it safely?’ It can be extremely difficult. So the more we progress, the more complexity we will face and the more risk we will have to manage.”