Defense | FAQ

General Auditing Questions

Security auditing is a unique skill that’s distinct from software engineering — although most auditors have an engineering background. However, a good security auditor looks at a system like a potential attacker would, checking every part thoroughly and from the perspective of an adversary. They’re not just thinking like the engineers who built the system, but also looking for ways it might be broken into or compromised. Because they work on a large number of projects and across a variety of technologies, they’re better equipped at finding security problems than the teams who build the systems. Unlike engineering teams who have to focus on many things at once (e.g. system performance, features, user experience, etc.), auditors focus primarily on security.Moreover, it’s imperative to hire an independent team to do security audits. They can check the system without any bias, identify potential security vulnerabilities, and provide a trustworthy report on the system’s security.

A security vulnerability is an error in the design or implementation of a system that could permit a bad actor to cause harm to, or manipulate, the system, such that it undermines the system and its users. Some examples of security vulnerabilities include:

Incorrect or insufficiently secure use of cryptography.
Leakage of user-identifying, sensitive, or secret data.
Unprotected attack surfaces, lack of safeguards or protective measures.
Implementation errors.
Lack of adherence to best practice.
Incorrect use of dependency libraries or the use of vulnerable dependency libraries.
Inconsistencies between the system design documentation and the coded implementation.

The potential impacts of security vulnerabilities are plenty. They include wasting system resources, denial of service attacks (when a system is overwhelmed and it is made unavailable to its intended users), exposure of sensitive and secret user data, loss of system control, and the complete loss of user and system assets.

Most security audits should be conducted in two phases.First, a system’s security should be checked in the planning phase, when the system is still being designed. Incorporating a security perspective in a system’s design can help prevent security issues down the line, which are often more costly and time consuming to resolve once the implementation has been completed. Again, this makes sense when looking at a building analogy. It’s better to build strong foundation from the start, then have to reconstruct at a later date.Second, once the system or its important components are built, another audit should be conducted of the implementation. For planning purposes, the team developing the system should seek to audit parts of the code where an exploit could be particularly damaging (i.e. security-critical components) as soon as they are built and before the system has been released to the public. This reduces the likelihood of security issues appearing between the time an audit takes place and when the system goes live.

The security auditing space is small, comprising of a small number of expert teams. In order to get a security audit, it’s important to identify a reputable team with a demonstrated track record that has the expertise to audit a particular project language and technology.In addition to subject matter expertise, budget and timeline are key considerations: the audit should be within the team’s allocated security budget and the auditing team needs to be available to carry out the audit at the desired time.For optimal experience, it’s good practice to reach out to security auditing teams well in advance of a planned audit to book a time that lines up with a teams development and launch roadmap. Auditing companies may have significant lead times due to high demand compared to the limited supply of top tier security auditors. By contacting those auditing teams early, projects can define a scope within budget and schedule an audit that makes sense for the project and its milestones.

Defense Auditing Questions

At Defense, our first priority is to help projects improve their security and to uphold rigorous security standards for decentralized technologies across the crypto and web3 space. We encourage all teams to conduct due diligence and compare auditing companies, in addition to diversifying their auditors, including auditing companies, individual white hats, and contest platforms. The auditors you choose should have expertise and a demonstrable track record reviewing the technology and language components you want reviewed, in addition to being compatible in terms of pricing and availability.Defense consists of a dedicated team of expert security auditors and business specialists who have carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, dApps, and more. We have experience auditing projects in a number of languages including Solidity, Typescript/JavaScript, Rust, Go, Clarity, C/C++, CosmWasm, and more.We serve multiple ecosystems including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR, and more.To learn more about our expertise, read our blogpost, meet our team, or schedule a call.

Auditing Process Documentation

In the world of security audits, careful preparation is not just a preliminary step — it’s a strategic imperative that pays dividends throughout the audit process and beyond.Beyond meeting the immediate objectives of the audit, careful preparation sets the stage for the continuous implementation of development best practices, efficiency, and security.A proactive approach to audit readiness empowers both security audit teams and the development teams soliciting their services. In particular, effective preparation streamlines the efforts of security audit teams, while reinforcing and requiring best practices from development teams.By focusing on the following key aspects of audit preparedness, projects can optimize their time and resources, ensuring maximum return on their investment in a security audit.1. Develop and Maintain Up-to-Date Project Documentation

Code Comments: Thorough code documentation, encompassing every function and entry point, provides auditors with necessary insight and a roadmap for understanding the intended functionality of each component.
Design Specification: Detailed information about the system’s design and requirements helps auditors verify correct code implementation, adherence to specifications, and prevents assumptions that may lead to overlooked security vulnerabilities.
Developer Documentation: A comprehensive overview of the system, including architectural diagrams and developer onboarding guides, aids auditing teams in assessing in-scope components and understanding the system’s expected behavior.
User Documentation: Comprehensive user documentation ensures secure and intended user interactions, guiding auditors through the system.

2. Simplify Code and Minimize Unnecessary ComplexityComplexity is the enemy of both security and understanding. By minimizing unnecessary intricacies and implementing only essential features, projects reduce the potential attack surface of their codebase, and render themselves both stronger and easier to maintain.3. Implement Test Coverage and Test-Driven DevelopmentA robust test suite, covering success and failure cases, identifies potential edge cases, guards against errors and bugs, and mitigates vulnerabilities. Providing clear instructions for running tests via a single command ensures seamless integration into the audit process.4. Manage and Update DependenciesUtilizing audited and well-maintained dependencies reduces the attack surface. Outdated or unmaintained dependencies pose security risks and should be addressed prior to a security audit.Dependency management tools can be platform/language-specific. Many languages come with their own dependency auditing tools, such as NPM audit for JavaScript and Rust cargo-audit for Rust. Popular and recommended tools that work on multiple languages include OWASP dependency-check and “Snyk Open Source”.Although these tools are beneficial, it’s important to note that there is no tool that can completely eliminate all supply-chain security threats. Tools also have their limitations and flaws so dependency management requires a recurring manual review of dependencies as part of the security due diligence process.5. Identify a Stable Audit Target in the Development RoadmapConducting a security audit at a milestone where the system version is complete and no major changes are expected ensures a focused examination. The audit should concentrate on a single stable Git commit of the coded implementation.6. Pre-Audit ChecklistIn order to conduct a robust and comprehensive security audit, development teams should be prepared to provide auditing teams with all the items on the below checklist, at least one week prior to the scheduled audit start date:

A URL of the repository containing the source code
The release branch and commit hash to be reviewed
An explicit list of files in scope and out of scope for the security audit
Robust and comprehensive documentation describing the intended functionality of the system

Any additional information, including primary areas of concern and key risks, previous audit reports, clear instructions on setting up the system and running tests, a test coverage report, and the output generated by running the test suite will aid and maximize the auditing team’s efforts.Finally, it’s important to remember that changes to the audit target after the beginning of the audit are prohibited as they hinder the team’s ability to conduct a comprehensive review.By adhering to this comprehensive guide, projects set the stage for a successful security audit and lay the foundations for enduring security and development excellence!

In every audit we conduct, we follow the Defense security audit approach. This process has been carefully designed to enhance the security and robustness of the target project, while fostering clear communication and collaboration between Defense and the customer throughout the security audit lifecycle.While each audit is as unique as the project being audited, the steps laid out below are integral to the Defense approach.Pre-Audit Preparations and Readiness ValidationCustomer preparedness optimizes a security audit by helping the audit team to onboard efficiently and effectively. To ensure adequate audit preparation, Defense will collaborate closely with each customer to ensure and verify the target project is in a state of readiness to undergo a security audit. This includes a thorough assessment of the following:

Code: the codebase being audited is in a state of completion, implemented in accordance with best practice for the specific programming language.
Documentation: the code comments are comprehensive and up-to-date and that project documentation (e.g. architectural diagram, design documentation or specifications, developer documentation, and user documentation) is sufficient.
Tests: the test coverage is comprehensive, with unit and integration tests to help catch bugs and implementation errors.

Audit Setup and OnboardingTo ensure a smooth transition into the audit, Defense will initiate the audit process by:

Setting up a project kick-off call that includes the customer and the audit team.
Setting up dedicated repositories for the duration of the audit.
Establishing a dedicated communication channel with the customer.

Comprehensive Manual Security AuditOnce these preliminaries are complete, Defense will execute a comprehensive manual security audit in accordance with the Defense security audit approach, complemented by the utilization of pertinent security tooling, as needed.During the audit, the audit team may ask questions in the dedicated communication channel. Additionally, Defense may request additional meetings as needed to learn more about the audit target.Audit Report Generation and DeliveryFollowing the manual security audit, Defense will compile a comprehensive audit report. This report will contain an exhaustive breakdown of findings, pinpointing vulnerabilities and weaknesses, and will include a remediation plan. Defense will also schedule a delivery call to discuss the findings in-depth, upon customer request.Verification and Validation (Optional)The verification process confirms that any security concerns raised in the audit have been satisfactorily resolved.Once a customer who opts for a verification process has taken proactive steps to implement the remediations recommended in the audit report, Defense will revisit the issues identified to assess the extent to which the implemented remediations effectively mitigate the previously identified vulnerabilities.Defense will then prepare and deliver an updated audit report. This updated report will include comprehensive details on the remediation actions taken and provide an updated status on each of the previously identified issues, ensuring transparency and completeness in the audit process.

Defense provides rigorous and thorough system security audits that are coherent and consistent in their approach, while offering our security auditors the flexibility required to meet the needs of each individual audit.The core of our approach is identifying security vulnerabilities through exhaustive manual code review, during which we read every line of code in the security audit scope.Our approach to each audit is specifically tailored to the specifications and characteristics of the system in scope, in addition to the needs of the customer. Every audit, however, includes the following objectives: all of which are essential to maximizing the effectiveness of the security audit for the benefit of the customer, the users, and the community:Attack Tree Threat Modeling: We create an attack tree to determine an appropriate threat and trust model for the system or component being audited. This helps us to define system inputs and outputs and to better define and clarify the scope and areas of concern for the security audit. What we learn from creating an attack tree helps us to determine a roadmap with specific milestones for the audit.Security by Design: We conduct a thorough design review to confirm adherence to decentralized system design best practices, and the absence of common design issues that could result in security vulnerabilities.Secure Implementation: We conduct an in-depth examination and manual review of the project’s source code to assess compliance with best practices and adherence to design specifications, as well as to identify security vulnerabilities and code quality issues.Use of Dependencies: We review third-party libraries, dependencies, and APIs used in the project to identify potential vulnerabilities introduced by external code. We check adherence to security best practice for deployment and CI-CD (continuous integration and continuous delivery) where appropriate.Tests: Secure implementation relies upon the appropriate use of tests such as unit and integration tests, fuzzing, property-based tests, and formal verification. We evaluate the use of tests utilizing both manual and automated testing tools, as needed, to identify common and edge case vulnerabilities.Project Documentation: We carefully review project documentation, including design, architecture, and code comments, to understand the intended functionality and potential vulnerabilities. We assess code comments and project documentation correctness and adherence to best practice.

Duration & Payment Information

Questions About Detected Vulnerabilities

Public-Facing Information

Responsible disclosure is a security vulnerability disclosure model where the details of a vulnerability are disclosed to the public only after the entity responsible for the system has been given a sufficient amount of time to patch or remedy the issue. This model aims to balance the public's need to be informed of security vulnerabilities with the need to prevent adversaries from exploiting those vulnerabilities before they can be fixed.At Defense, we support the use of responsible disclosure as a last resort. We stress that we will only resort to responsible disclosure after giving the customer ample time and guidance to resolve these issues before going public. Before proceeding with a responsible disclosure, we will inform the client of our intention to do so, giving them sufficient opportunity to rectify the issues or to inform users about potential risks themselves.This policy is part of Defense's broader commitment to enhancing security transparency within the crypto and web3 sectors. We are dedicated to assisting teams in developing secure, innovative systems that not only build broad user trust but also promote the widespread adoption of decentralized technologies.You can read more about our reasons for and commitment to Responsible Disclosure in our Medium post.

faq

Collaborate With Us & Learn More