Hashing It Out

Episode 111 · 2 months ago

Hashing It Out - Secureum - Rajeev and Top Performers of Epoch 0

ABOUT THIS EPISODE

Today Corey talks with Rajeev Gopalakrishna, founder of Secureum. Secureum is a premier bootcamp for Web3 security auditors. We're going to dive into the problem with finding quality talent in the security space and how he's attempting to fix it. We are also joined by 4 of the top performers in the first iteration of the program to hear about their experience and what their plans are now.

Hashing it Out is also pleased to have provided a reward to these folks of $1337 each for their accomplishments.

Come listen and enjoy learning about the Web3 security ecosystem and how you can join it and find fulfilling work.

Links:

- Website: https://secureum.xyz

- Twitter: https://twitter.com/TheSecureum

- Blog: https://secureum.substack.com/

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks. Welcome back to Hashing It Out. As always, I'm your host, Dr. Corey Petty. Today we have a little interesting episode where we are going to talk to Rajeev from Secureum. I'll let him introduce himself in a moment. But also, as part of Secureum's Smart Contract Auditing Boot Camp, he's recently finished up the first epoch and we wanted to bring on some of the top participants of Epoch 0 to talk about their experience and what they plan to do. So we also have Hadrian and David from Epoch 0 initially, and another one if he joins us midway through. But to start us off with the normal thing, Rajeev, tell us about yourself and a little bit about Secureum. Sure, thanks Corey for having us here from Secureum. So yes, I'm Rajeev, I started Secureum, but Secureum has a bit of an interesting context. It actually started as a newsletter, a weekend newsletter, while I was working with Corey at Status, and that evolved into the boot camp that we'll be talking about in this podcast. So yeah. As for myself, I've been doing different aspects of security, software security, reliability, for a long time now. I have been working with blockchain, specifically Ethereum, for the last seven years, and smart contract security made absolute sense, just combining my language security background with Ethereum smart contracts.
So yeah, that was how I got into smart contract security, and I really got to dive deep into it during my stint with Trail of Bits, where I worked with Josselin to add a lot of support to Slither, the static analyzer, for smart contract security. So that's how I got into smart contract security and Secureum. Like Corey said, we had a good boot camp last year, second half of last year, which is what we'll be talking about. So thanks to David and Hadrian, and then hopefully others will join. So we have real-time people. But yeah, that's me, doing a lot of things for Secureum. David, you want to give us a quick introduction? Sure. So my background is in software engineering. I actually started in crypto less than a year ago, last July, when EthCC happened in Paris. I never worked in security, but I was always interested in security, like in the Web2 space already, and coming into Web3 I thought it was really interesting, and when I saw the opportunity that Rajeev talked about, the Secureum boot camp, I jumped on it right away and I loved it, and I'm glad to be here. Awesome. Hadrian. Yeah, I've been in the crypto space way longer than David has. It's been almost five years now. I joined during the end of my PhD in 2017, during the old ICO era, and there was a lot of demand back then, and it felt like a very interesting career choice to go into Solidity and web development, and I had the perfect opportunity to do that. Many years later, now I'm a Solidity developer at OpenZeppelin, which is what we are known for in the space, both for audits but also for the open source smart contracts, which is what I work on. And when I saw the Secureum initiative for the boot camp, it didn't feel like something I really needed in terms of career choices. But it was a very interesting challenge for me to pursue, hopefully learning additional things about Solidity, and I really enjoyed it. I enjoyed the quizzes, you see, and may have not taken it as seriously as other people because I was very much occupied by other activities, but it was always very interesting on my Sundays when I said: this week I'm going to do the quiz and test myself. How good am I? That's interesting. You come from two very different perspectives. I'm curious to see your experience there, Rajeev. Before you get into that, tell us about the process of creating the boot camp, because I know that you wanted to give it a level of difficulty that was higher than what I'm currently aware of today, to really make people spend a significant amount of time during a boot camp understanding the material, especially if they're coming in more fresh, like David. Talk about the process of trying to make a curriculum like that, that you think is fair but also accessible, and gets people to the required threshold of knowledge to be dangerous in Solidity. Yeah, I think it would be fair to say that Secureum, the direction of the boot camp, it was really an experiment to start with, right, and the origin, maybe sort of giving the context for that.
The origin, or really the motivation for the boot camp, sort of came about when, Corey, you and I were mentoring the Gitcoin Kernel security track, which was much broader. I mean, it had fantastic people, and that's when I realized, I mean, I obviously worked on smart contract security as part of Slither, and then just seeing the people, different people from different contexts working on so many projects, everything really happening on Solidity, at least at that time. So it looked like there was a lot of need for not just Solidity expertise, but then, coming in from our security background, obviously security is a huge aspect. I'm sure we'll talk more about that. It looked like everyone needed to learn both Solidity as well as security, whoever wants to get into security auditing or maybe just broadly the security of smart contracts, right. So there was a huge need, both from a content and a structure perspective. We had, we still have, fantastic content from all the various audit firms, right: OpenZeppelin, Trail of Bits, Diligence, Sigma Prime, what have you. So, I mean, they've been the torch bearers in the space, right, in the smart contract security space. But what I saw was that we needed a more structured approach, just curating all the content and making it accessible, in a way accessible as well as sort of being open to anyone: David, who is from a software background but probably no security background, and maybe the more experienced people like Hadrian, who have spent a lot of time in crypto. So, to keep everyone engaged, to be welcoming to everyone, I mean, that was really my motivation. So yeah, that was sort of the motivation, and then somebody suggested, why not apply for a grant to the Ethereum Foundation, so I did, and then we also got three fantastic partners: Trail of Bits, ConsenSys Diligence and Sigma Prime, all three auditing firms. All were very supportive. So we all came together and that was really the origin. And in terms of the structure, I can get into, you know, as many details as we want, but it was a six-month effort: three months of really putting all the content together and three months of the actual boot camp. So, like you said, it was definitely a challenge trying to squeeze everything in, right. We had everyone look at Ethereum for just one week, Solidity 101 for one week and Solidity 201, a lot of the OpenZeppelin stuff, everything compressed in one week, before we went into security. So we really needed all that. So yeah, I mean, that was how we got going. Happy to dive into more details. I'm curious to know how David and Hadrian, you know, felt about really dealing with all that information in the six weeks, given the backgrounds they had. Should I go? Should they say something? Yeah, actually, your chance to tell them if you're stuck. Great. Actually, you know, it was very good, and there was so much information, and we could feel, like we could see, that you put so much work into it. But so, as I said, as a kind of beginner, I was a bit overwhelmed, like there was so much information. And on top of that, like every time I was going one way and researching something, I would, of course, go down, like a kid, finding new things to read and to look into and new things that I needed to understand, and so I never stopped, like all the learning phase I had. And on top of that, like I didn't say it, actually I'm working full time on a protocol that we launched a few months ago.
So every free time that I had, I was working on the boot camp, basically on security. But yeah, I learned so much stuff. It was amazing, and it's great to see that Hadrian, who has so much experience, even did the boot camp, and I'm sure, like, he can confirm that, but I'm sure you learned some things too. Yeah, my idea was very different because, I mean, there are a lot of learning materials for Solidity and everybody is always asking me where should I go, so I need to check what exists to know what I should advise, and at first I was going into Secureum thinking, like, hey, maybe I can just figure that out. One of the things is that there is a lot of material, because it's both written text and YouTube videos, so depending on what people are more attracted to in terms of kinds of material, I'm sure they can find something that suits them. My way of approaching that, as I said, on Monday, sorry, on Sunday, I tried to speed run that and I gave myself an hour to do these things that some people might have spent ten or twenty hours on. So I was just trying to read as fast as possible the documents and take the quiz, and my guess initially was that I would be able to take the quiz without even reading the material, and that was not true, because there were always very interesting points and very fancy points. But from the EVM point of view, and when it moved into Solidity, it showcased a lot of OpenZeppelin's code. So that I was very familiar with, obviously, but it also showcased other pieces of code that are not OpenZeppelin, and it was very delightful for me to see what other practices are in the space. And the end of the Secureum boot camp period was mostly about tooling. We talked about Slither, but all of those tools too, and this was also very interesting for me to have this view, because it's tooling that I try to include in my day-to-day operation, like we added support for automatic Slither tests in OpenZeppelin recently. Not really related, but it happened really at the same time. So that was interesting. And the last thing, I won't say it's much, but what's very interesting as well, just to say that it took months to prepare the material and then publish that, and between the actual boot camp and the preparation, the protocol did change, like we had 1559 happening and things like that. So it was also very interesting, like from someone that is actively following all this evolution of the protocol, to come in on the Discord and say, by the way, these questions are assuming Ethereum like two months ago, and let's discuss what's changed since. It was very interesting discussions, reflecting the current state. That's it. Something that people have asked me, because I come from a background of academia of sorts, Rajeev, and so throughout the years that I've been in here, people say, like, oh, how do I do this at like a college level, like what courses do I take to learn Solidity development or smart contract development, and the answer is you don't, because it's changing so rapidly. I would say the best boot camp that I'm aware of for combining the requisite knowledge to start saying you're proficient in these things is Secureum, and it's a boot camp, and you just explained the concept of the underlying protocol changing during the process of the first one.
So, like, building evergreen material is very difficult in this industry, and it may take a while for that to happen. And even for an experienced person such as yourself coming in and saying you learned things, I think it's valuable, but I'm like, who's this program for, and who is it not for? Because I always push people, when they ask where am I going to learn smart contract security, because, like you, Hadrian, I've gone through way too many courses and I speed run them to understand the quality of them, so that I can reasonably say this is a good program, go to this, or, given where you come from, maybe you should try this one out, or if you're into this type of material, this is a good one, or this is garbage, don't try that. And I only basically say Secureum at this point because it's the one that I know is going to keep up with the material and it has the right people in it to be able to do that. But it's hard. So who is it not for? Any of you can take that. If you are not willing to spend the time and the energy for it, it's hard, like you have to be dedicated to it, I would say. It's like adding an additional topic to your master's, if you like. You have maybe five, six, seven courses and this is one that you're going to do on top. Yeah, I mean, for good or for bad, I think I wanted to take a breadth-first approach because there's just so much to learn, right. I mean, who's it not for? I guess the simple answer would be, if you're interested in Ethereum, if you're interested in security, it is for you. That's still a very wide net, because, I mean, Secureum was really about security, right, and has it evolved? Hopefully, yes. It has got to catch up with everything: 1559 and London and the upcoming merge. Solidity is changing so fast as we speak. OpenZeppelin is changing, right, I mean their libraries are getting more and more, or maybe, put a quote here, code is getting more optimal. So it's never really going to be the same, right. So keeping up and staying evergreen, as you said, it's got to be hard. But in terms of who's it for, from a different perspective, I really wanted it to be breadth first, as in for people who are new to it. I mean, we had, I think, some participants who weren't even from computer science, right. They were people who were just very interested in the concept of security and how does it work, maybe from a program management perspective, from a very different background, right. So obviously it's a much steeper learning curve for such people, but the intent was really to keep it open to them as well, and open not just from the difficulty of the content but from keeping it, making it free and accessible to everyone. So that's what the EF grant and the sponsor partners enabled Secureum to do, to keep it free. So anyone, I mean, all this content is out there, as we know. It has to be updated, but it's all open. People can look at it, and in the current version of the boot camp there is no fixed structure. So you don't really have to sign up to be part of the boot camp, because it's always running. So people can learn, they can join any time, and by joining I mean just join the Discord. Secureum exists really on the Discord. They join in whenever they're ready to test themselves, take a quiz, the community RACE. They register, get a code, take the RACE. People who perform well in the RACE are invited to CARE for different protocols or to participate in other more advanced learning opportunities that we are doing with Spearbit and any of the other teams. So that's it. Then again, it's open to part-time people who do this part time, nights and weekends, like David, people like Hadrian. I don't know.
I don't know how Hadrian, I can understand, right, looking at this for like five years, and he said he didn't really spend too much time. But nevertheless he was in the top, and we should clarify that. The people were Hadrian and David. They were the top four participants across, what was it, I think 128? No, it was more than that. Yeah, so we started with 650 people. A thousand plus people registering, but 650 people took the first quiz, and then about 256 people finished all the eight quizzes, one quiz every week. And out of those 256 people, you know, Hadrian and David and two others, so they were in the top four, right. So it's not just about how well they mastered the topics, or whether they did those quizzes, but also their persistence and dedication. So kudos to you for that. So it wasn't an easy feat. Even if it may be easier for Hadrian, I had heard quite a few people in different communities talk about the difficulty of the quizzes and not realizing that it takes a lot of time if you wanted to go through all the material, and I think that's something a lot of people aren't necessarily accustomed to, especially when, like the first epoch was, Epoch 0 was on a schedule every week, and so you were expected to get through all the material in order to answer the quiz in the week, which requires a number of hours, and that's something that a lot of people aren't accustomed to. It's like my experience with previous courses, whether it be Coursera or MIT courses or whatever online: I can kind of run through all the material in like an hour and then take the quiz. For this it was like, no, you're going to go a little longer, which is more akin to, like you said, an addition to a master's course, and so I found that interesting. David, what was your experience starting to learn the material from like a software development background and then adjusting yourself to the amount of time required to get the quizzes done appropriately? Yeah, so actually, I think it was a good thing to have those deadlines and this timing. If it wasn't for that, like if we didn't have to finish the quiz by next week, like it was every Sunday we had to take the quiz, I would have probably given up, like I wouldn't have finished it. I'm not sure. But yeah, I think it was good, like I had a deadline in mind every week, and by Sunday I needed to finish all the material and make sure I understood it and take the quiz, and I liked it. And to add to what Rajeev was saying before, and actually what you were just saying now, that you took some Coursera classes: what's really good, I think what really makes the Secureum boot camp more interesting, on top of the material, what makes it more interesting than just a regular Coursera class, is also the Discord, like what you're saying, Rajeev, like the fact that it's fully open, like it's awesome, and you know that you have a full community that can help you. If there's something that you don't understand, you can just go to the Discord and ask the question and some people are going to answer you. The community on the Discord is really nice. Actually, you've got a fantastic set of mentors. Corey is one of the mentors. We have Martin Holst Swende from the Ethereum Foundation, Samson. I really don't belong in the ranks of some of these people.
That's, I think, a nice way to word it. We have people, and this is really the permissionless, open aspect that I love, people coming from so many different perspectives. I think Corey doesn't take enough credit. But Corey has worked at Status for some time in different roles. You know, you should check out, he was mentoring, really started the Kernel security track, he heads the security team at Status, and comes in with, maybe not as deep as some of the others in smart contract security, but I think that's the point, right. I mean, security as such, if you look back, has been around a long time. Cryptography has been around for centuries, but if you look at computer security, software security, it's been around for forty, fifty years, right, I mean several decades, ever since the mainframes. So I don't think that aspect is much appreciated in the blockchain space, where you want to see everything from a very new perspective, a new set of eyes. But there are some fundamental security principles, I mean, if you look at access control, everything that we may talk about, reentrancy and modifiers and governance and tokens and all that stuff, fundamentally these are different knowledge and different primitives, right, that have their roots in the basics of confidentiality, integrity, availability that have been around forever, right. So, yeah, I mean, Corey definitely sees that part, and they have different sets of mentors, be it Samson, who looks at it, you know, from a very whitehat perspective there, I mean the nuts and bolts, yeah, and then we have many others in this set. So I think that is really the community that Secureum could become. And yeah, speaking of which, I mean, this is something that we talked about early on when you were forming the ideas of Secureum and the curriculum for Epoch 0, and it was something that Hadrian had mentioned: this is incredibly broad, and you wanted to go breadth first, but breadth first in Solidity smart contracts. And what you've alluded to is that the concept of security in Web3 is massively larger than just smart contracts themselves, whether it be organizational security, tooling, yeah, sure, but we can talk about monitoring, which doesn't quite come into this. There's a lot of other aspects you could think about when discussing security in this ecosystem, and what you cover so far in Secureum is making sure people can be adept at handling Solidity smart contracts and the available tooling around gaining confidence in the security of the code, right, and how it compiles and goes down to the EVM, but that's focused on smart contracts themselves. Do you plan to stay there? Because there's plenty of room to just stay there, develop it and be successful forever, and the thought process of moving to a larger breadth, if you will, or having swim lanes dedicated to different types of security, is a lot of work. What are your plans there? Yeah, I think, like I said, I mean, there's a lot to be covered, but Web3 in many ways is, if you want to simplify it, right, we have smart contracts, the on-chain stack, right, plus all the other off-chain apps that may be inherited from the Web2 world. So all those are there.
But I think for now Secureum was really focused on security of Ethereum, and the biggest challenge is in smart contract security, right. I mean, yes, we do have the others. It's all part of the puzzle, because smart contracts get broken not just because of bugs in the contracts but because, you know, somebody lost their admin keys and somebody deployed a contract with those keys and, right, millions of dollars lost. So in terms of focus, I think for now the goal is going to be to first address smart contract security, not just from an auditing perspective, because, I mean, I keep getting this question on the Discord or even in the apps, that, hey, I'm interested in security but I don't want to become an auditor, right. So that was the focus of the first boot camp, because auditors, or the projects, OpenZeppelin, Diligence, Trail of Bits, Sigma Prime, they do many things, but smart contract auditing is one of the big things that they do. So that is still very, very critical to the ecosystem. But in security, as we know, we have this concept of shift left, right. You don't want to put security to the auditors post deployment, just before deployment. We want to move it to the developers, to the designers. So that, I think, is the goal, ultimately, to keep moving. Security in smart contracts runs on Ethereum today, all that is in Solidity, and we keep shifting it left. So getting more developers, right, and helping them improve their security chops so that the quality of the code, the reliability, the security of it, the bar keeps rising, so that you don't become so dependent as a community on this build, audit, launch cycle, right, where all the pressure is really on the auditors to make sure that there are no bugs, because actually that's not possible, right. So the focus, the short answer, is yes. Off-chain, all the other aspects, I think we may get into monitoring and other things, but that may be on demand. I mean, if, let's say, OpenZeppelin or Forta or Tenderly or whoever else comes and says, hey, you want to, you know, really work with the Secureum community and you want to train them and you want to maybe hire from them, things like that, Secureum will be open to it, but then it's also limited by my bandwidth, right. I mean, Secureum today is really a solo operation, which obviously doesn't scale when it comes to security. So I don't have very good answers on how that is going to scale. Maybe, over time, people will want to help Secureum scale. So a lot of what gets addressed will depend on how Secureum scales itself. That's an interesting topic you bring up, the concept of security auditor. When most people hear that, they think about these elite people that they rely on after they develop some smart contract and then have to get an audit before they launch, for a myriad of marketing and confidence purposes. And that's, like you mentioned, kind of the mentality a lot of people have, build, audit, release, which pushes a lot of the pressure of solving what I would consider low-hanging fruit onto auditors, where, in my opinion, that's a waste of their time. So the concept of shift left is teaching developers that they can also be auditors themselves and there's a tremendous amount of work that they can do.
And so, I mean, David, you may represent one of these people, a smart contract developer working for a company building a protocol, that now has a lot more tools in your tool belt to get code to a much better state when you're ready to go to an auditor. Can you explain maybe how your mentality has shifted in the process of learning about these things, and how it maybe changed your process at all? Yeah, definitely. So, yeah, like, after the Secureum boot camp, I think I started looking at things differently, and like, looking at all the pitfalls that we were learning in the boot camp, things that I didn't see before, like now I see them right away. And all the tools that are available to us, like, for example, like Rajeev was talking about, Slither and all those tools that were made for securing your contracts and that I didn't know about before or didn't know how to run, like now I can just run them and see where I made mistakes or where there could be a potential exploit. And this is the thing, like my contracts are going to be way more secure when they get into the hands of the auditor, and the auditor can actually do their work, like more manual work, and actually look deeper into the contracts and try to find something that I didn't see, with all those tools that are available to us. Like every developer, you use them mostly on your side, which is, I guess, a little more... For the other side, I'm not exactly sure what you do at OpenZeppelin, because you all do so much, like we have standards building, you do auditing, there's monitoring, all within a single organization. Hadrian, like, how much does it make you happy that an effort like this is under way where developers come to the table using standards appropriately and maybe understand what they're asking when they come to an auditor? Well, I mean, in OpenZeppelin we have this pretty strong separation between what we call the security team, that is in charge of audits, and the product team, the team that does Contracts and Defender, and now we have Forta, that you mentioned, as a spin-off of OpenZeppelin, that also deals with monitoring and security. So I mean, I'm not in the shoes of the auditor, so I can't tell you for sure, but I'm pretty confident that they enjoy when the people that come to the audits have already done the best they could to make sure code is clear, to make sure that simple things are working. Like when you go to, I mean, there is a guideline on how to prepare your code, and these guidelines might not be applied that often, and I'm sure Secureum is really teaching people how to do that, mostly by putting them into the shoes of an auditor. And audits are expensive, like, if you want good auditors, it's super expensive. And the more you prepare the code, the more you will make sure that the auditors are actually checking stuff that is very critical and essential, that you are not able to do yourself, rather than having the auditor spend time just making sure your code compiles and Slither runs. Like, it's engineer time that you're paying. So it's better for everybody. I cannot stress that point enough. It's something I've been screaming from the mountaintops for quite a while now: if you want to pay less on audits, do more on your side to prepare for an audit so that they're not wasting their time trying to find reentrancy bugs that Slither catches in three seconds.
And by doing this work and going through a process like securium, and I'm like being able to understand these things, you're able to then get to a point where you can identify the right kinds of questions you should be asking an auditor in the first place, as opposed to I built some stuff, can you audit it, which is more often than not what people are coming to auditors for. Are with, and the auditor then has suspend the tremendous amount of it very expensive engineering time just trying to figure out what they should be looking at, as opposed to saying this is the scope of what I'm looking for, I want confidence in this particular thing. Can you check for this? And then that's done. So in the current state of smart contract security and people getting audits, there's long lines, it's very expensive and if you would like to cut that line a little bit, coming to the table. Something like that will your auditor will thank you and you'll pay less money for it and you'll get better work because they're spending more time doing the things that they're really good at. And and I would say the I don't know how to put this, like one of the largest weaknesses of the current ecosystem is the amount of talent in security for smart contracts and the compared with the overwhelming demand for that that work right. That imbalance is is really hard and this is why I push something like secure and so art is because it is at least a funnel for both developers and auditors to rise the tide of that relationship. Absolutely, I mean, I think one of the several points. So one what they would mention. The goal is to get everyone who goes to the security guns right, just we're with not just with the...

...tooling, not just with all the big libraries, Solidity, all these concepts, but also the security mindset, right. We keep saying this. So hopefully when David is writing his new code for his protocol, when he types out a line of Solidity, there's probably a part of him that is dedicated to a security mindset and saying, oh wait, okay, this return value for this function, it returned something, but I'm not checking it. So that is a red flag, right. So that, I think, is part of shift left. So I think that tooling plus the mindset will help, you know, people who want to build a career in security, auditing, whatever that is, as well as shifting it left towards the security mindset in the developers themselves. And the second key point that Corey brought up, and Hadrian as well, is to get the code as ready as possible before the audit. I mean, you guys have covered all the points why that is critical: long lines, more expensive. So if you're paying top dollar, you would rather have all the low-hanging fruit covered yourself, right, and let the OpenZeppelin team or Josselin's team at Trail of Bits or ConsenSys Diligence really do the deep analysis. And a lot of the effort today, by the way, is also manual, right. So we have this tooling that is still a work in progress. I mean, fantastic tools from ConsenSys Diligence, Trail of Bits, all around, right, but I think we really, you know, need to make progress towards that. A lot of the bugs today, at least compared to two years ago, are in the application logic, right, which is out of scope for the tools, because you can't generalize them. So Josselin or his team, or the other teams, they really have to spend the time to write the tests, to manually analyze, and that is, you know, we only have so many hours of manual effort, right.
So the other aspect Secureum is strongly pushing on is this concept of audit readiness, or some people want to call it pre-audit, but that aspect of CARE, right, Comprehensive Audit Readiness Evaluation, is something that would hopefully help. I mean, that's again putting a structure to this concept of audit readiness, as opposed to letting David's team take care of all the security and then go for an audit. Maybe there is a stage in between where there is a particular community effort within Secureum that can look at your protocol code before it goes for an audit, right, be it three months or six months down the line, whenever it is ready, and essentially takes care of all the basic pitfalls and best practices that OpenZeppelin and all these other teams have come up with. Right, we take care of all that so that his team, or the OpenZeppelin team, can actually spend their time running their tools, spending their manual analysis on things that lack it and, like what Hadrian said, not worry about the reentrancies. That is a good point. So I think those are critical aspects. I think that's a part of the program that needs to be clarified. Like you have two phases of Secureum: one is a learn phase and one is an audit phase, where people who show promise with doing the quizzes of the learn phase and show that they understand the material well enough can enter into a second group that gets exposure to this CARE program. Could you explain that a little more, and after that I'd love to hear your experience with this process of learning and then being exposed to actual real code and finding real issues as a pre-auditor, or CARE...

...getting people ready to go to audit. Sure. So I'll start by apologizing for the evolving terminology. So the terminology that we're using these days: the Secureum bootcamp has a LEARN, there is a RACE and there is a CARE, right. So LEARN is really all the content with Secureum that was already prepared in the repository, as well as all the other content from all the other various teams. Right, all this has to keep evolving and getting better. So that is going to be an ongoing process. But coming to the next phase, there is the RACE phase. RACE is just a Readiness Assessment for CARE, and CARE is a Comprehensive Audit Readiness Evaluation. Right, sort of a mouthful, but what it really says is that CARE is really where the rubber meets the road. It's really the practical aspect of what an auditor would do, what a reviewer, if you don't want to use the word audit, what a security reviewer would do, or what David or any other protocol team themselves would do: write the code and then look at it and review it to see if there are any security issues. Right. So that is really the CARE phase. That's the audit readiness phase before the project goes for audit, and that is happening in the Secureum bootcamp, and that obviously requires two things. It requires a real world project to come in, and this is where the protocols that are ready to go for an audit can come in. And this is, again, a paid service to Secureum. So they come in, and it really lasts for a week, and they have the code frozen, ready for the audit, maybe almost ready, and they have the Secureum community, right; today it is about sixteen people who are selected, the top sixteen participants from a RACE are selected for a CARE. So they come in and they review the protocol.
They publish their findings, put them in a report, and what I do, what the Secureum representative does, is really take all the findings, and note that not everyone who's reviewing is, you know, at the level that a David or a Hadrian are. All these are aspiring security experts or developers, right. So some of their findings may be valid, some of them may be invalid. So what Secureum does, Secureum in this case is me, so I review the code myself and I look at the findings and then I sort of judge which is valid, and then I compile all the valid findings and that becomes a CARE report that goes to the protocol, right, which can work on those findings and fix them before they go for an audit. So the protocol hopefully is happy. The audit team that eventually ends up auditing the protocol hopefully is happy because all the basic things have been weeded out, so now they can focus on the deeper application-logic and economic attacks and what have you. And the Secureum participants get a chance, get an opportunity, to actually review code that potentially has bugs because it has not been audited yet, right, and it is a real world protocol that's obviously security-minded, security-conscious, because they are coming to Secureum. They're also community-conscious. They want to give back to the community, right. So they get to do this review and get whatever feedback is possible from the protocol team itself, and all this happens on Discord, right, and a little bit of feedback from me as well. So they hopefully learn what it...

...takes to review as an auditor, or a step up, right. So that is the CARE process. There are still details I can get into, but that is CARE, right, what's happening today, and this is obviously limited by the bandwidth, right. We can't have everyone, like a hundred and twenty-eight people, do the review because somebody has to judge, somebody has to check their findings as well. So that is why we need to sort of limit or select the number of CARE participants. And that is where the RACE comes in, which today is still a smart contract security based quiz, but it can change forms. It can become a CTF or something else later. But participants in the RACE take this multiple choice quiz and the top participants are invited to the CARE. So that's roughly the process; there are other sorts of things that are being worked out, but that's all been extra. Someone who's participated in this and obviously gotten to the top, what's been your experience of doing this and then getting exposure to real world code and projects that come in? And I think, yeah, that CARE, being able to feel like an auditor, kind of was really interesting, and looking at code like... So basically you are given code from a real world protocol, as Rajeev was saying, and you don't know anything about it and you have to review it, just like a regular auditor would. And one thing I think was really interesting is that you see how important documentation is; that's something that's often overlooked by a lot of developers. And so you're looking at the code and you can run all the tools and you can check all the pitfalls, like the common pitfalls that Solidity has. But if you don't understand the protocol deeply, you're not going to actually be able to test it and to find a really big exploit that could be in the code.
So the first thing you have to do is dig into the documentation and make sure you understand what the developers wanted to actually do. And so that's the thing that I take away: documentation is so important, and you just look at the code as an auditor sometimes and it's not commented well and you have no idea what you are looking at. "The code comments itself", but don't, you know... he's shaking his head. So, yeah, and being a smart contract developer myself, I mean, as far as I know, auditing and developing are two very different jobs. It requires basically the same knowledge of the system, but the way your mind is shaped into either building secure code or auditing other people's code, that's completely different. But both have also these things, that you really need to understand what you're doing and what the system is supposed to do. And just like auditors sometimes end up reviewing code that's poorly documented and they don't know what they are looking at, sometimes you also have people looking for smart contract developers that have an idea, but the idea is very rough, very vague, and they are just asking people to build a contract. And the same way you can't audit, you can't build a contract unless you really know what the scope of the idea is. So it's true that it's on the developer's part to properly document the code, but sometimes it's also an issue of Web3 project management not taking the...

...time to document their protocol properly. Not just in the contract itself, but at a very high level, explaining what the objectives are, what the user stories are for different users, or what the workflows are. Yeah, it's certainly something interesting that I think a lot of people don't... there's two things there that I want to point out. One is the required mind shift of going from developing a smart contract protocol to auditing a smart contract protocol, and two is the pitfalls you can fall into if you think that the code comments itself, because an auditor, if, say, for instance, let's make the scenario, I go in for an audit or review and I give them the code and say that the code comments itself and let me know if it works, then the auditor, I mean, assume, depending upon how this is done, that reviewer can go through it and say yeah, the contract does what I think it does, but in reality the contract code does things that the developers didn't quite expect because they had one thing in mind of what this thing should do. It does those things, but it does a few other things that they don't want, right. But unless you provide the documentation and user stories and what you expect from this contract code, reviewers can't tell you if it doesn't do that. And so they say yeah, it does all the things you expect, but it also does this extra thing which is against the things you're expecting or may cause issues with the things you're expecting. And you can only do that if you have a solid understanding of what the developers want to be happening and then the code base they give you that they think does that, right, and that's something that can only be done by the developers themselves, and it really helps the auditors figure out, like, what you think this does, so that I can do a much better job of telling you what it actually does and whether or not those two things match up. Absolutely.
I mean, like Hadrian was pointing out, right, this goes beyond the developers, right, because today, yeah, code maybe has comments, and there is a school of thought that believes, you know, I'm not going to read any of the comments, any of the documentation; what's going to execute is the code, and the comment may be stale, may be outdated, may not even be there, right. So I'm just going to focus on the code. So that's one view, right. But what I mean is, if you look at software engineering, which is really very security-conscious, and software engineering has been around for decades, in software we had to move significantly to the left, where we have requirements, where we have design, where we have specification, and here you're talking about documentation, right, which is not even specification, and I mean, Corey, we have talked about this so many times. Specification is what this is supposed to do, right, and documentation is what this does. And code comments, is that spec, is that documentation? I mean, people are surprised, as David was alluding to, when you look at it from an auditor's perspective, right, and when you see that there is this protocol that just has really five files that fit on a screen and maybe a few comments and zero spec, right. So they're... well, right, I mean that's what the auditors get. And so context from an auditor's perspective is also very critical, and this is something Josselin has brought up in his other shows: auditors are obviously tremendously overworked at this point, right, jumping every week between different protocols. So they are, as an example, let's say, given David's protocol to audit for two weeks from Monday and they're looking at it, right, so they have to know as much as David and maybe ten times more to be able to break it and point out...

...security issues, right, and in two weeks. And David's team, I mean, I'm not picking on you David, just to set the context, but David's team has been building, let's say, this protocol for the last six months, right, so they know what the user experiences, the personas are, every... I mean they're supposed to know. And Josselin's team is supposed to sort of reach David's team's level and, you know, go to the bottom of the sea bed in one or two days or three days. Right. How is that possible if they're just supposed to look at the code, look at the contracts and everything that's there? So that, I think, is sort of beyond just, you know, being an auditor. That's why I think projects like DeFi Safety and other things like that, that's where they come in, is to look at: okay, does it have a spec, right? Does it have all the contracts listed? Does it have the dependencies? Does it have the actors? Does it have the trust model? Does it have a threat model? I think some of the top projects in the space, you know, the very security-conscious, very security-minded projects, have that. But it's probably fair to say that, I mean, if you look at the whole sea of projects, right, most of them don't today. I don't know how Hadrian and David feel about that. Corey, you've seen a lot of this as well, right. In your experience, do people have these things? I think Hadrian can say a lot about this. Well, I mean, some people definitely do and some don't. And sometimes that's also the difference between successful Web3 projects and unsuccessful ones, that ability. To me, as far as I look, for a project to be successful it has to be perfectly executed from start to finish.
And for that to happen you need to have a vision that is clear, you need to have documentation, you need to have everything that is fairly well thought out, and I'm not an auditor, but I would expect, like, the big projects that are building complex things in an effective way to be visibly doing those things. Maybe it's not. Maybe I'm just delusional about that. Well, to bring it back to security, I'm glad that we were able to highlight that, for those who are interested in learning more about smart contract security and Web3 security, this program gives you exposure to not only the knowledge you need to understand how to think about smart contract development but, depending upon which direction you'd like to go, exposes you to how to think about this from a developer's perspective, how to prepare yourself and go into an audit by giving yourself real world examples and working with teams. And it's a community of people from all reaches of Web3 security to ask about. So, to wrap up, how do people get involved and where do they go to learn more? Secureum, like I said, just exists on the Discord. So hop on to the Discord; it's all open. There are many people who are active in different aspects of it, all the mentors included. They all have dedicated channels on it, and I mean it's surprising, but a lot of them do take the time to actually respond. So if you're just starting out or if you have deep questions about any aspect of OpenZeppelin and Solidity, or security in general,...

...of chain, any aspect, right. So you will find people there, hopefully, who have spent a lot more time looking and thinking about those things. So yeah, just hop on to the Discord. All the material for the LEARN is there, at least what was developed in the bootcamp, and I should say that a lot of it actually did come from OpenZeppelin. I mean, all their libraries, contracts that they have out there are really well documented, so all of Solidity 101, if I remember, I think was just compiling, I mean it made my task easier, it was to look at all the repos of OpenZeppelin and sort of compile all that stuff. There's obviously a lot of room for improvement. But yeah, so hop on, take a look at the content. There's nothing better than learning by doing, so if you are coming from a security background, then feel free to write your first smart contracts in Remix or Hardhat or whatever else. But if you're coming in from a Solidity perspective, look at all the RACEs; all the quizzes are published, all the quizzes are up there on Discord from all the previous ones. So take a look at it. There are discussion channels where there are some people who are more active than others. They are happy to answer questions on security stuff. So do that and then, when you feel you're ready to actually take part in the RACEs, there is a very simple registration. It's all free. So register, you get an access code, and every month the plan is to have at least one RACE. So we just had one RACE in Feb, we had another one that just got done in March, and they have been fantastic. So the question that I get is what happens after the RACEs, right? So, like we said, CAREs are where really the practical experience happens. So there are multiple protocols coming in, but there are also other collaborating partners who are coming in, not necessarily protocols.
So we have Spearbit, which is building an audit DAO, so they have come in and they're partnering on multiple CARE-Xs. So CARE-X is just a customized version of CARE that has an extra... So Spearbit, whenever they want to audit a protocol, they bring their partner protocol to get a CARE done with the Secureum community. So I mean that's one way to do it. We also had Sherlock just come in with a capture the flag, which was actually very interesting. So that's all there on the Discord. Then we have actually ongoing a Certora CARE, where there was a workshop that happened with their prover technology. So that happened for about two weeks and you have a CARE of the BadgerDAO protocol going on, and then the two weeks after that the sixteen participants have got to apply the prover on the BadgerDAO protocol, right. So all these participants are really learning a whole lot. They are learning and they're hopefully going to build a reputation within the space, be it as a developer, a security auditor or a security person, and we are going to be distributing NFT badges that show what your RACE performance was or CARE performance was. All this will be on chain to build your security or Secureum résumé, if you will. And then, yeah, if you're planning to jump into a career in security, then all the collaborating partners, be it Spearbit, Sherlock, Certora, all the partners, everyone is hiring, right. So yeah, huge list. Some of our partners: Status, OpenZeppelin and others. So,...

...yeah, all those things are happening. But yeah, the starting point is the Discord; I mean the website is, unfortunately, outdated. But yeah, so hope to see you there. Okay, Hadrian and David, any shoutouts or closing thoughts you'd like to say before we wrap up? Yeah, I don't know what that will be like, but as we discussed before the call, there are a lot of live events that are happening soon in the security space. I'm thinking of whatever is happening in Amsterdam, like there is a trust-tech event, OpenZeppelin Defender is having a hackathon. So I mean, obviously initiatives like Secureum are great, and they were particularly great during this pandemic crisis, but I also think that being part of the community also sometimes goes through attending events, being able to discuss with security researchers or being able to discuss with developers and listening about their latest findings during calls. So anyone who wants to see us in Amsterdam or at another event later on, feel free to give us a shout out, to say hello and to discuss security. Absolutely. I think all three of us will be in Amsterdam; David will be there, I'll also be in Amsterdam this next month. And David, any final thoughts? Just wanted to say thank you again to you, Corey, for having us, to Rajeev for Secureum, and of course also to Hadrian, because I use your work every day. So it's awesome. Yeah, thanks a lot, and actually, since we talked about what I'm working on, I didn't even say the name, so I might as well say it. So I work at Angel Protocol. It's a stablecoin protocol on Ethereum, so go check it out. Awesome. Thank you and see you next time, guys. Thank you very much. Thanks Corey, thanks all.
