Global Crypto Market

Application security in cryptocurrency ecosystem – Finextra

You can often hear me and my fellow security engineers talk about the defence in depth approach to protecting user data. Does this mean putting as many tools and security controls into your code or system as the whole market suggests? By no means. When speaking about defence in depth, we mean that carefully chosen tools, controls, security policies, etc. must be interlinked and work together towards a common goal.
The number of companies that switch from quick security fixes to building defence in depth as a key element of their security strategy is constantly growing, as is the number of security-aware top managers and developers. If you’re on the way to it, you’re in good company. When this kind of approach follows the industry best practices, it gives peace of mind to literally everyone around the project, including end-users.
Let’s have a look at some examples, without naming names, from, say, the modern and thrilling cryptocurrency industry.
A huge chart-topping blockchain foundation promotes its non-custodial cryptocurrency wallets that work across platforms: as a web extension and mobile applications. With the incredible growth of popularity and user base, the team behind the wallet starts searching for an advanced level of protection and encryption for the wallet’s data. 
A non-custodial wallet application is fully responsible for deriving and storing the wallet’s mnemonics and private keys (all the information the user needs to access their crypto funds) and for signing transactions on behalf of the user.
Being a fintech application, but not being backed by an anti-abuse backend or customer support teams, a cryptocurrency wallet requires deep security protections and has to educate users on how to resist phishing and misuse.
So, how do you achieve defence in depth protection for the users’ data?
First, risk assessment and threat modelling for the application itself and its communication with a blockchain. Threat modelling makes it possible to detect the most fragile application flows and to understand which blockchain-wide threats affect the users and which security controls are broken, missing or can be enhanced. Then, keeping the developed classification in mind, the team can set priorities in their security work.
A deep cryptography audit of the wallet, done by security and cryptography engineers, is the next step, and it sets the stage for various modernisations in the cryptographic core and dozens of application security improvements. Besides designed security controls and typical appsec issues, this includes protection against phishing as one of the primary attack vectors, improvements in business logic and UX, hardening the user flow with repeated authentication before any sensitive action, teaching users the best practices of wallet usage, etc. As you can see, the approach reaches much wider than just ‘adding encryption’.
The development process also gains improvements that form a base for the Secure Software Development Life Cycle (SSDLC) by paying attention to security at every stage of the application development timeline. Dependency management, integrating SAST, dependency and vulnerability scanning tools into the CI/CD pipeline, creating a security roadmap: all of these work to make security not a late guest who brings lots of criticism to a party, but a process owner that cares about all the actors.
As a result, cryptocurrency wallet security becomes more than a “fixing several bugs” thing: it becomes a well-rounded defence system that works across every platform on which the product exists.
In this way, the defence in depth approach makes teams resilient and strong against ever-hardening security challenges. Should I add that, in times of uncertainty, this ataraxis becomes immensely valuable?
Security Engineer
Cossack Labs
© Finextra Research 2022