Published May 5, 2020
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
No matter what industry sector your business plays in, data security is critical to its survival. When it comes to security and blockchain: what you need to know is not always readily apparent. We understand that you want security solutions and you want them fast. So without further delay, here are seven quick tips on secure blockchain.
What is blockchain?
Before we dive into the tips in this article, let’s look into what blockchain actually is. Blockchain is known as the record-keeping technology behind the Bitcoin network. At its basic level, it’s a chain (public database) of blocks (digital information), and every block stores a unique code called a “hash” that allows you to identify it from other blocks. These hashes are cryptographic codes created by a special algorithm. Two identical transactions would have different unique codes and can thus be told apart.
Each new transaction is added at the “end” of the blockchain and every block is connected to the one before, making it very difficult to hack. Every block doesn’t only contain its own hash, but also the hash of the block before it. If you change something in one block, a new hash will be created, but the block before would still contain the old hash, so this one needs to be changed too, and so the hash of this block needs to be changed as well, and so forth for every block in the chain.
7 tips on secure blockchain
Security is situation critical. Blockchain represents a huge milestone in security protocols. It works well for businesses that require controlled access to data, accountability for audit trails, and transparency – like the financial sector and pharmaceutical supply chains. It is an evolving concept and that means each business has to figure out how to design the blockchain structure so that it best suits the business’ distinctive needs. Blockchain is preeminent today. Like any technology, however, being free from cyber threats and dangers is ephemeral. Nothing is guaranteed for tomorrow because cybercriminals live to figure out how to unlock any type of encryption. Cybercriminals have the best incentive to continue to work at deciphering codes and undoing secure blockchain: financial gain. The best businesses can do to try to postpone the eventual breakthrough is to adopt the following simple rules.
- Never put personally identifiable information in a blockchain. This is a security touchstone. Encryption may obscure that personal information at this juncture but it’s only a matter of time before a cyber hacker figures out how to crack the secret code. It also helps to have strong authentication procedures and mechanisms for cryptologic key vaults, those hosted management services that allow clients to encrypt keys and small secrets using hardware security modules (HSM). There are three types of cryptologic keys:
- a secret key – uses one key for both encryption and decryption
- public-key – uses one key for encryption and a separate key for decryption, and
- hash function – uses mathematical encryption (no keys) that the client cannot reverse.
- Do not store large files on the blockchain. Data stored on the blockchain travels to every device, every connection point, every computer on the blockchain’s network. Each of those points copies the data in the blockchain and stores a complete set of the data. That means increased costs for data storage and computation. Avoid such increases by storing a link to the data within the blockchain but storing the actual data in the cloud.
- Add permissions to the blockchain. To make your blockchain protocol private, add permissions to it. Private blockchain controls access to the embedded information (data storage, accessibility, and usage) and only allows specific people who need access to have it. Private blockchains are also known as consortium blockchains which means they have a controlled user group.
- Do your homework. Create policies that will underlie the blockchain structure for your business before you actually set up the blockchain structure. Set up the rules for:
- adding new users,
- adding new organizations,
- removing bad actors from accessibility,
- removing users and organizations no longer eligible for accessibility.
- Know the goals for the blockchain protocol. Ask the initial question as to whether your business even needs to use it to secure data. Determine whether the secure blockchain that you design will need audit capability. Plan its structure based on current business needs. You can always add other facets later.
- Blockchain changes how we test. Blockchain is a software application, so testing it begins with traditional software testing in the developmental stage. After completing traditional software testing, however, it requires more: expanded testing. All endpoints, all computers in the distribution queue are peers (equal in stature). There is no master node in control of operations.
- Additions to the blockchain require each peer to agree to the changes by consensus; therefore, testing must prove the accuracy and compliance with the consensus rules and confirm that all copies of the blockchain are in accord.
- Testing must also take smart contracts into account. A smart contract is a computer rule created to “digitally facilitate, verify, or enforce the negotiation or enforcement of a contract.” Smart contracts become part of the blockchain. In practical terms, that means the smart contract, like the rest of its data, cannot change even if a defect or error comes to light after the software deploys. That is why it is critical that testing finds the bugs before deployment into the real world. Otherwise, the only way to fix the issue is to deliver a new smart contract version. A new smart contract version may alter the data format which will result in a “fork” in the blockchain. That is a messy circumstance and one to avoid if at all possible.
- Testing must also take into consideration blockchain performance and flexibility.
- Testing should determine if the block sizes are large enough and what happens if a particular block exceeds the maximum block size. In addition, the blockchain itself will grow so tests need to determine whether the software can accommodate very long blockchains. Once developers set the testing parameters, they need to set up a test environment. The test environment may be in the real world or in a supported environment. No matter which method developers choose for testing, be prepared for the cost.
- Blockchain uses miners. Unlike other types of software, blockchain’s unique structure requires “miners” to confirm the accuracy of each new transaction and to document each transaction into the blockchain. Miners do this by solving difficult math problems using a cryptologic algorithm. When they prove the validity of the transaction, it’s called Proof-of-Work. Miners can receive transaction fees for conducting the validation work and showing the hours they spent on the Proof-of-Work.
To talk more about secure blockchain, or anything else security related, please contact us. Kiuwan leverages SAST and SCA analysis so developers operating in the Software Development Life Cycle (SDLC) can shield their applications from security risks using a scalable and lightning fast platform that seamlessly integrates within any DevOps environment.