We are proud to announce the creation of the Enterprise Blockchain Security Council (EBSec) and the release of the Enterprise Blockchain Security Specification (EBSS). EBSec is an alliance of companies with a shared interest in the secure adoption of distributed ledger technology in enterprise applications. EBSS, the first result of the collaboration, is a framework guiding companies in the secure design, deployment, and management of blockchain applications.
Distributed Ledger Security
Blockchains are protected by advanced cryptography thought to be unbreakable with current technology. This means, that in theory, digital assets stored on distributed ledgers should be extremely secure. Yet, cybersecurity incidents lead to asset theft on a constant basis. Hardly a week goes by without major incidents or new vulnerability disclosure. The apparent insecurity of the public blockchain space has started to affect the reputation of distributed ledger technology and severely hampers enterprise adoption. Companies and whole industries are unsure of how to make use of this promising technology for their corporate use cases.
The security problem we observe is due to a number of reasons:
- Paradigm shifts: Decentralized systems are different from traditional IT systems since they introduce new concepts. Asset security is now not a centralized concept anymore, in which data and other resources are locked in a black box server in a vault type scenario. Instead, assets are secured transparently by cryptographic protocols, user-managed cryptographic keys, and even by complex rules in smart contracts. This means that companies have to deal with new security paradigms that they might not be accustomed to, and lack best practice guidelines.
- Bad practices: Bad practices in information security are very prevalent in all systems. In transparent and decentralized systems that depend on private keys being secured and on smart contracts securing significant value, the impact is often worse. Systems often get away with badly written code or unsecured keys in a centralized backend simply because the bad practice is not visible to external users. However, insecure smart contracts on a public ledger are visible to all.
- Conventional information systems security: Distributed ledgers and smart contracts are only small parts of typical blockchain applications. Usually, there are a number of conventional software layers, including web interfaces, APIs, node software, and databases. In many incidents, the system is actually attacked through traditional software vulnerabilities that have nothing to do with blockchain technology whatsoever.
The Enterprise Blockchain Security Specification
The EBBS has been born out of an observed need for general security guidelines that enterprises can use to apply a minimum standard of security to their operation modes. The specification is not meant to replace existing security standards, such as ISO/IEC 27001:2013. Neither does it provide low-level security measures to provide secure code. Other recommendations already exist that cover specific technologies. Instead, EBSS focuses on general guidelines and operational policies that should be in place in a company that wishes to adopt distributed ledger technology.
The Enterprise Blockchain Security Council
EBSec is the name we are giving to the (currently) informal alliance of companies that have defined the EBSS and each contributes to blockchain security in their own way.
Currently, the following companies constitute EBSec:
Cryptonics is a distributed ledger and cryptography consulting firm that focuses on auditing full-stack blockchain applications and develop secure blockchain architectures.
Solidified is a smart contract auditing firm and bug bounty platform specializing in first-class Ethereum-focused smart contract audits.
S2 Grupo is a large cybersecurity service provider, focusing on managed cybersecurity, consulting, and secure development.
PARSIQ is a leading blockchain analytics company, specializing in real-time monitoring of blockchain-deployed digital assets.
We do not want EBSS and other future specifications to solely depend on our own experience and judgment. Contributions to specifications are welcome through standard GitHub processes, such as pull requests and issues.