There's very few people in information security who haven't received the look when some security measure is going to cost something, whether it's pure capital or time. Sometimes it's the 'do we really need this?' look, other times it's 'well can't this wait until we actually have customers?'
Having been in information security in various capacities for a while, my skin itches a bit when I see this discourse pop up in web3. Many look upon web3 as the wild west, not having quite attained that arbitrary point of maturity to where its product can be intrinsically trusted. Some of crypto's PR woes stem from this, and unfortunate incidents when opportunism drove decisions more than responsibility did.
Ironically, the PR issue that plagues web3 has created space for some unhealthy attitudes. After FTX (and many other things), the general public associates crypto with many unfavourable words, 'scam' being one of them. Bloggers have created enough FUD around NFT's that a lot are willing to write any project off as a ponzi. In this kind of environment, it's tempting to view lesser security issues as just moving fast, breaking things.
Greenfield industries, startups, and other environments where speed is essential do require some reimagining of the kind of mindset that might be expected at Google or Salesforce. There often isn't time or resources for multiple levels of architecture review, steering committees, or formal verification audits. In terms of responsibility, Engineering is responsible to the company for shipping.
This should, however, not be the end of the security discussion. In my view, if you're going to reap the benefits of building in web3, you have some minimum level of responsibility to the rest of us. My initial impetus for writing this was driven by ChatGPT generating solidity vulnerabilities, but reading some commentary that 'web3 startups don't have time for security' is what really made me put fingers to keyboard here.
The all or nothing attitude really puzzles me. Yes, some of the more elaborate or less time-consuming security products cost money, but there are alternatives. Setting up CI/CD security pipelines is doable in a weekend, and there are low-cost auditors. If you hit up crypto twitter or Farcaster, you'd be very likely to find an outside set of eyes that will have a look at your code for free.
The dynamics in web2 are certainly different, especially with an established customer base and/or financial systems. If you break that kind of trust with relative normies, who are more concerned about their financial data being secure than some of the loftier aspirations of web3, you probably aren't getting it back. As a result, meticulous testing cycles, staging environments, and approval matrices slow things down.
Things are different in web3 and startup land in general, and even web3 security auditors will say that some do take worrying about security too far. It's always a tradeoff, and the most securely written solidity will end up never being used if your startup doesn't meet timelines or can't raise. These are nuances that bend and/or break traditional security models, and 'we don't have time for security' is the easy way around them.
There's always some minimum level of effort than can be put in to make things more secure than zero effort would result in. No one gets it perfect, Okta's woes over the last few years have certainly shown that's equally true for web2. Doing nothing, though, isn't good enough, as Gordon Ramsey might say.
There are also many ways of doing something. There is no end of Solidity content including security, which can be adapted for lunch and learns, if your startup engages in them. If you don't have a devops person / don't have the resources to hire one, you can post bounties for specific tasks. If you have social media talent and presence, you can probably content your way to having talented people red-team your contracts.
With all due respect to the incredible importance of speed and shipping in a space like web3: Yes, you do have time for security.
- Loading comments...