I don’t care if you blockchain
IT people that don’t believe in blockchain can still work with it (and probably should).
Earlier this month, a colleague and I presented at EY’s 2018 Product Security Summit about auditing Ethereum contracts.
Note: this article does not reflect EY’s views in any way. Views are strictly my own.
Before we got into the Powerpoint, I put out a verbal disclaimer… Neither of us were/are blockchain “evangelists”. We wouldn’t tell anyone to build something with blockchain. But if you came to us for help securing that software, we’d certainly do so.
There’s a lot of risk that comes with deploying Ethereum contracts. There are no secrets (though EY is working to change that). Anyone can call your program. There are language-level pitfalls like unsigned, fixed-width integers and functions that are public by default. Etcetera etcetera.
Think of it alongside PHP and Drupal, though. Would I recommend anyone write a new app with either one? Nope — high risk profile given multiple language-level hacks.
Still, clients bring this stuff to their security consultants all the time. As the people on the receiving end, it’s our job to make the client aware of risks and help manage them as best we can. Not to criticize that initial development decision, weighing in without being asked. Not to say “pack up your shit and go home, you’re running Drupal!”
Anything going on some public blockchain computer (i.e. Ethereum) is just the same way.
Being skeptical of the tech is great. A pragmatic view lends itself to quality security assessment.
In short — I don’t care if you blockchain, BUIDL, whatever-you-want-to-call-it. But I’ll do my best to help lock the software down you if you do.
Randy Gingeleski - GitHub - gingeleski.com - LinkedIn