Surprise, surprise, in a developer’s world, the big issue is security.

Aitor Zaldua
4 min readMar 4, 2024


picture from https://tvup.media/

Contact me for learning paths, advice and real-world challenges by email at aitor.zaldua@draftdigital.xyz or on X as @azdraft_.

Everything must evolve. Ever since the dinosaurs roamed the earth, ecosystems have evolved and adapted to survive.

Well, it is time for the blockchain to evolve. Otherwise, it will not survive.

Over the past few months, I’ve had some experiences with blockchain companies, DeFi protocols and L2 chains that have left me perplexed, frustrated and confused at the same time.

First of all, let’s set the context: I come from a security background, not a development background. That is definitely a rarity in the ecosystem. The majority of new engineers in blockchain come from a JavaScript development background. And it shows, it really shows.

Let’s move on to the next context. Little more than 15 years ago, blockchain didn’t exist. Pure and simple. A few developers decided to leave the comfort of their parents’ basement and build something crazy. And it worked. Oh boy, it really worked.

But let’s go to the last context, let’s leave the past behind and come to the present.

It is still a developer’s world.

As I said, I was contacted via LinkedIn about the possibility of joining some web3-related projects; my 20 years of security experience are enough for recruiters to offer me a job. But the experience with the companies themselves (not web3 security companies, but DeFi protocols, L2 chains, etc…) was more curious.

The first thing I had to do was a technical test. It was always really easy, and the first indication that companies don’t currently have security researchers on their teams. They usually create tests with simple and outdated vulnerabilities.

The interview is probably the most interesting part of any contact with web3 companies, as you have the opportunity to talk to different profiles of the ecosystem. And to check out the current state of security in the companies.

I have never been interviewed by a security expert at this stage. Never. Usually they are developers, co-founders or CTOs, but still developers. Sometimes Web2 DevOps.

And, obviously, they asked me questions about how good a developer I was, because they don’t really know what a security engineer is. The main problem is that they don’t know that they don’t know what a security engineer is. That is the killer.

What a security engineer is

Security is 50% documentation and 50% testing. Pure and simple.

If you look at the major security frameworks and bodies of knowledge, such as NIST (the Cybersecurity Framework and SP 800-53), the ISM, or the syllabus behind a certification like CompTIA’s CySA+, you will see that it is all just that. Documentation produced by developers and system administrators, and testing to see if the documentation is accurate and whether the processes it details are good enough to keep systems secure. The security engineer doesn’t need to know ‘how’ the system was built; the question is ‘is it secure enough?’. And he must continue to ask this question every day. That’s why we call the position a security researcher, not an auditor.

But what do we do now? Usually we get a codebase that took two or three years to develop and are asked to analyse it in 10 to 20 days. Or, as I described, companies hire developers and use them as security engineers.

And we are still surprised that a protocol gets hacked every couple of weeks.

We have to change the mindset

It is time to stop thinking of ourselves as some kind of pioneers in a new land. We have been around for a while and it is time to organise, to create solid structures.

I wrote a few months ago that every organisation with more than 10 developers needs a security researcher, but I was wrong. One of the first engineers, from the very first day someone writes the first line of code, should be a security person. Looking, asking for documentation. Testing.

Companies need to use specialists. If they don’t know how to hire security engineers, they need to outsource the process to an established security company, just as they already do to audit the code. Collaboration is always key.

Conclusion

Everything has to evolve, and it is time that the way we deal with security evolved as well. And we need a big change, because what we have is not working. Maybe it was okay for the time when blockchain was just a big prototype, but it is not good enough for something that aspires to replace the traditional financial system.

Developers understand that they need to move from proof of work to proof of stake, right? Well, now it is time for the proof of security.

Are we ready?

Written by Aitor Zaldua

Security Researcher | Smart Contract Dev | Blockchain Instructor. Follow me on twitter: @azdraft_
