Application security in cryptocurrency ecosystem

You can often hear from me and my colleagues security engineers about the defense in depth approach to protecting the user data. Does this mean putting as many tools and security controls in your code or system as the whole market suggests? By no means. When speaking about defence in depth we mean that carefully chosen tools, controls, security policies, etc. must be interlinked and work together for the common goal. 

The number of companies that switch from quick security fixes to building defence in depth as a key element of their security strategy is constantly growing, as well as the number of security-aware top managers and developers. If you’re on the way to it, you’re in good company. When this kind of approach follows the industry best practices, it gives a heartsease literally to all sides around the project, including end-users.

Let’s have a look at some examples without giving the names, say, in the modern and thrilling cryptocurrency industry. 

A huge chart-topping blockchain foundation promotes its non-custodial cryptocurrency wallets that work across platforms: as a web extension and mobile applications. With the incredible growth of popularity and user base, the team behind the wallet starts searching for an advanced level of protection and encryption for the wallet’s data. 

A non-custodial wallet application is fully responsible for deriving and storing wallet’s mnemonics and private keys—all info that the user needs to access to their crypto funds—and signing transactions on behalf of the user.

Being a fintech application, but not being baked by anti-abuse backend or customer support teams, cryptocurrency wallets require deep security protections and educating users on how to resist phishing and misuse.

So, how to achieve defence in depth protection for the users’ data?

First, risk assessment and threat modelling for the applications itself and its communication with a blockchain. Threat modelling opens a way to detect the most fragile application flows, understand what blockchain-wide threats affect their users, what security controls are broken, missing or can be enhanced. Then, keeping the developed classification in mind, the team can set priorities in their security work.

A deep cryptography audit of the wallet, done by security and cryptography engineers, is the next step that set the stage for various modernisations in cryptographic core and dozens of application security improvements. Besides designed security controls and typical appsec issues, this includes protection against phishing as one of the primary attack vectors, improvements in business logic and UX, hardening the user flow with repeated authentication before any sensitive action, getting users to know about wallets usage best practices, etc. As you can see, the approach works much wider than just ‘adding encryption'.

The development process also gains improvements that form a base for the Secure Software Development Life Cycle (SSDLC) by paying attention to security at every stage of the application development timeline. Dependencies management, integrating SAST, dependency and vulnerability scanning tools in the CI/CD pipeline, creating a security roadmap—all of these work to make security not a late guest who brought lots of critics to a party, but a process owner that cares about all the actors.

As a result, cryptocurrency wallet security becomes more than “fixing several bugs” thing, it becomes a well-rounded defense system that works across every platform the product exists.

In such a way, defence in depth approach leads the teams to being resilient and strong against ever hardening security challenges. Should I add that, in times of uncertainty, this ataraxis becomes immensely valuable?