Askhat -


7 best practices for Web3 security risk mitigation

Tech builders and businesses evaluating decentralized technologies should keep these seven Web3 security best practices in mind to help mitigate traditional and novel cyber threats.

Web3 is a fast-growing, but hotly debated, tech movement. Web3 proponents widely reject the centralized control of Big Tech and coalesce around a vision for decentralization -- specifically, an internet that uses blockchain-based architectures to distribute power and grants end users greater control, stake and economic benefit.

Tech builders and businesses must take a proactive approach to security when evaluating Web3's potential. Blockchains and cryptocurrencies have been the subjects of growing security concerns, from traditional issues of social engineering, insider exploits and faulty implementations to an emerging class of Web3-native exploits across decentralized applications, exchanges and wallets.

Attacks in the blockchain space are often more damaging than traditional applications. These events are often irreversible and contingent on smart contracts, which, if exploited, cascade across the network rather than a single node.

Security leaders can help mitigate the risks by following these Web3 security best practices for risk mitigation.

1. Incorporate security-by-design principles

Traditional security design principles are just as essential for Web3 systems as any other. Builders must incorporate security-minded criteria into their designs, products and infrastructures. For example, developers should work to minimize attack surface areas, secure defaults and zero-trust frameworks, and ensure separate and minimal privileges. Technologies must come secondary to the principles that inform their designs.

2. Embrace different blockchain designs to apply security more strategically

Although security-by-design principles come first, organizations should also consider what type of blockchain they plan to use.

Public blockchain networks, such as Ethereum and Solana, are open and allow anyone to join. Users can also enjoy different degrees of anonymity depending on the application. A private, or permissioned, blockchain network, by contrast, requires users confirm not just their identity, but also membership and access privileges.

Different blockchains -- public or private -- have distinct complexities, so understanding one doesn't mean you understand all of them. An array of hybrid infrastructures, such as sidechains, multichains, cross-chains, federations, oracles and other distributed ledger components, inform other criteria, such as speed, efficiency and resilience -- all of which interface with the security team.

3. Be aware of Web3 market and trust dynamics

The Wild West of Web3 includes far more than technology; it also includes several legal, cultural and economic dynamics that designers must consider. When it comes to identity, for example, certain configurations or integrations could conflict with existing compliance regimes, such as Know Your Customer or GDPR.

Beyond identity, different jurisdictions have different regulations on crypto technologies. Plus, many Web3 entities are projects or decentralized autonomous organizations.

Also, consider the security implications of social engineering: How might Discord communities misconstrue or overhype the benefits of digital assets? How will the encoded financialization of crypto platforms incentivize bad actors?

4. Collaborate with industry on security resources and intelligence

Cyber-risk management programs benefit from collaborating with industry peers to increase the understanding and mitigation of emerging threats. In the context of Web3, some channels resemble traditional resources, such as open source platforms, like GitHub or OODA Loop's recently released Cryptocurrency Incident Database. After noticing a high number of cybersecurity incidents among Web3 projects, OODA Loop built the database to help security researchers and engineers see common cyber attack categories and root causes. Builders should also publish security guidance for developers on their platforms. Web3's development is relatively public, so other avenues for research include Reddit, Discord and Twitter.

5. Incorporate Web3 projects into security governance

Organizations should model, analyze and mitigate risks before and throughout the development process. Blockchain developers and security professionals must ask questions in advance, such as the following:

  • What are the highest impacted areas of code?
  • How could incident response protocols be affected?
  • How will vulnerabilities be reported?
  • How will users be supported to elevate risks?
  • How will user permissions be managed, and what kind of interoperability across wallets, chains, etc. should be accounted for?
  • Is the organization prepared for community-participant governance?
  • How would major changes or forking the chain be handled in the event of a breach?

Such questions are better addressed preemptively, rather than in the heat of an incident. The answers should align with the organization's cybersecurity governance program.

6. Apply attack prevention techniques

Evaluating information quality or data manipulation risks should be tied to decisions around what goes on-chain versus off-chain, as well as what information is required to validate transactions or mint ownership.

Address common threats, such as phishing, across both the technology's architecture and UX workflows. For instance, security teams should prompt users to install malicious link detection software to their browsers, require multifactor authentication and send regular reminders to avoid open Wi-Fi networks or make system updates.

Also, avoid risks unique to blockchain architectures, such as 51% or Sybil attacks, by avoiding proof-of-work consensus algorithms, monitoring mining pools and analyzing other nodes for suspicious behavior. Given the novel user responsibilities tied to blockchain keys and wallets, security should be included in user onboarding, communications and experience design.

7. Have contracts and code independently analyzed and audited

Despite the rapid pace of Web3's development, builders should evaluate and test their projects prior to and after launching new code and commits. Failing to do so can lead to breaches and massive losses, as insiders overlook common exploits, insider attack vectors, user privacy protections and other mistakes.

Organizations should also conduct routine audits, especially as startup developers may lack the security governance of a traditional company.

The good news is a new class of Web3-native security resources are emerging, including DeepReason, which has developed a technology for audit-level checks at each stage of development.

Security leaders should embrace this novel class of technologies. Many traditional security practices will apply, but distributed ledgers, crypto-assets, wallets and the broader financialization of digital interactions present several distinct security implications. While Web3 may seem irrelevant to enterprises, the underlying technologies represent enormous disruptive potential to businesses and their customers.

Next Steps

8 best practices for blockchain security

Web 2.0 vs. Web 3.0: How do they compare?

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing