Is Security Testing for Blockchains the Next Logical Step?

Sabarish Nair
Published in EARN X
May 22, 2019

By now it's quite evident that Blockchain isn't just a buzzword. We are seeing industries being disrupted at an ever-increasing rate. The Fortune 500s are rushing to find solutions using Blockchain for their complex value chains. Blockchains have been marketed and publicised as unhackable and almost absolutely secure, which is one of the main drivers for adoption. However, the bitter truth is that blockchains, once hailed as unhackable, are now getting hacked.

For readers new to blockchain, let's recap how a blockchain works.

A blockchain is a cryptographic database maintained by a network of computers, each of which stores a copy of the most up-to-date version. The core protocol dictates how the computers in the network, called nodes, should verify new transactions and add them to the database. The protocol employs cryptography, game theory, and economics to create incentives for the nodes to work toward securing the network instead of attacking it for personal gain. If set up correctly, this system can make it extremely difficult and expensive to add false transactions but relatively easy to verify valid ones. Hence the interest in its enterprise applications by conglomerates.
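The description above, reduced to its core mechanism, is a chain of records in which each record commits to the hash of the one before it. The following is an added example, not code from the original post: a minimal hash-chained, append-only ledger in Python. It shows why altering an earlier record is detectable by every node that re-verifies the chain, and why an attacker who also recomputes the altered block's hash only moves the break one block forward. The transactions and block contents are constructed sample data; no network, consensus protocol or incentive scheme is modelled.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the original post): a minimal hash-chained,
# append-only ledger showing why altering an earlier record is detectable.
# Block contents and the "transactions" are constructed sample data.

@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str
    hash: str

def compute_hash(index: int, prev_hash: str, payload: str) -> str:
    # The hash commits to the position, the previous block and the payload.
    material = json.dumps([index, prev_hash, payload], separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()

GENESIS_PREV = "0" * 64

def append_block(chain: List[Block], payload: str) -> Block:
    index = len(chain)
    prev_hash = chain[-1].hash if chain else GENESIS_PREV
    block = Block(index, prev_hash, payload, compute_hash(index, prev_hash, payload))
    chain.append(block)
    return block

def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash or back-link fails to verify, or None if the chain is intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return i
        if block.hash != compute_hash(block.index, block.prev_hash, block.payload):
            return i
    return None

SAMPLE_TXS = ["alice->bob:5", "bob->carol:2", "carol->dave:1", "dave->alice:4"]

def build_sample_chain() -> List[Block]:
    chain: List[Block] = []
    for tx in SAMPLE_TXS:
        append_block(chain, tx)
    return chain

def tamper_demo() -> Optional[int]:
    """Alter block 1's payload but leave its stored hash; verification fails at block 1."""
    chain = build_sample_chain()
    assert first_broken_link(chain) is None
    b = chain[1]
    chain[1] = Block(b.index, b.prev_hash, "alice->bob:50", b.hash)
    return first_broken_link(chain)

def rehash_demo() -> Optional[int]:
    """Alter block 1 and recompute its hash too; block 2's back-link now fails instead."""
    chain = build_sample_chain()
    b = chain[1]
    new_payload = "alice->bob:50"
    chain[1] = Block(b.index, b.prev_hash, new_payload,
                     compute_hash(b.index, b.prev_hash, new_payload))
    return first_broken_link(chain)

if __name__ == "__main__":
    print("intact chain:", first_broken_link(build_sample_chain()))  # None
    print("tampered payload detected at block", tamper_demo())        # 1
    print("tampered payload + rehash detected at block", rehash_demo())  # 2
```

The point for testers is that verification is cheap (one hash per block) while rewriting history requires recomputing every later block and then convincing the other nodes to accept the new chain, which is exactly the cost asymmetry the paragraph describes.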

Let’s take a look at some of the challenges and the scope in penetration testing of blockchains.

Platform dependence: Blockchain testing depends on the underlying development platform, be it Ethereum, Openchain, or a customised platform, so each platform requires its own detailed analysis and test strategy.

Integration frameworks: Integrating a blockchain app (DApp) with various systems and environments often poses great difficulty. So, the key responsibility is to ensure that the response from all nodes is consistent and that there are no disconnects.

Core security: The nodes and the shared ledger are the most critical parts of a Blockchain when it comes to securing a blockchain application. For instance, if a node on the network is hit by something like a DDoS attack, the application hosted on the Blockchain will be affected.

Smart Contract Audits: Not all smart contracts are as “smart” as we think they are. Recent hacks in smart contracts are clear evidence of bugs and vulnerabilities.

So, in light of these complexities, it is essential to develop frameworks that take all of these factors into account. The testing industry is slowly taking notice of this market as the use of blockchains increases, and it realises there is a gap that needs to be filled.

Decentralised applications aren’t as mature or popular as the common centralised ones, so presently, centralised applications with elements of decentralisation using Blockchain are widely used. Testing for these hybrid applications requires standard testing along with some specialised testing.

Standard testing includes:

Functional Testing — which covers the basic components, the system as a whole, and its workings. Testing here is conducted to assess the effectiveness of use-case scenarios and the specific business processes involved.

Integration Testing — Since blockchain deployment could be across several systems and environments, it becomes essential to ensure that the interfaces between the components, integrations, and the different parts of the system are functioning cohesively to ensure performance consistency.

Performance Testing — The performance of an application and the latency vary with networks as well as transaction size. Performance testing in Blockchain includes identifying performance bottlenecks, defining the metrics for tuning the system, and assessing if the application is ready for production.

Specialised testing includes:

Smart Contract Testing: Smart contracts lie at the core of the Blockchain validation process. Testing smart contracts calls for simulating all possible expected and unexpected conditions of a contract. Testing looks at business logic combinations and the correct execution of all transactions in the context of a dynamically changing and expanding network.

Peer/node Testing: The power of the Blockchain lies in the shared ledger being precisely the same at every node, with the same set and sequence of transactions. This makes it essential to achieve consensus across all nodes on the order in which transactions are added to the network. This calls for testing of the consensus protocol to determine that all transactions get stored in the proper sequence. This would have to be tested under normal conditions and also under conditions when nodes fail simultaneously or when they do not participate in the network for some time.
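The peer/node check just described, that every node holds the same set of transactions in the same sequence, can be automated by taking an order-sensitive digest of each node's ledger and comparing it against the majority. The following is an added example, not code from the original post: a Python harness over simulated nodes that flags any node whose ledger diverges and gives a rough diagnosis, distinguishing a node that was offline and is simply behind from one that applied transactions in the wrong order and from one holding transactions the rest of the network never saw. Node names and transactions are constructed sample data, and the actual consensus protocol is not modelled; the harness only checks its outcome.

```python
import hashlib
from typing import Dict, List, Optional

# Added example (not from the original post): compare the transaction sequence
# held by each simulated node so that a node that reordered, dropped or missed
# transactions is flagged. Node names and transactions are constructed sample
# data; the network and consensus protocol themselves are not modelled.

def sequence_digest(txs: List[str]) -> str:
    # Chaining a running digest through each transaction makes the digest
    # order-sensitive: the same set in a different order yields a different value.
    digest = b""
    for tx in txs:
        digest = hashlib.sha256(digest + tx.encode()).digest()
    return digest.hex()

def majority_digest(nodes: Dict[str, List[str]]) -> Optional[str]:
    """Digest held by more than half of the nodes, or None when no such majority exists."""
    counts: Dict[str, int] = {}
    for txs in nodes.values():
        d = sequence_digest(txs)
        counts[d] = counts.get(d, 0) + 1
    best, best_count = max(counts.items(), key=lambda kv: kv[1])
    return best if best_count * 2 > len(nodes) else None

def divergent_nodes(nodes: Dict[str, List[str]]) -> List[str]:
    """Names of nodes whose ledger digest differs from the majority digest."""
    ref = majority_digest(nodes)
    if ref is None:
        return sorted(nodes)  # no majority at all: every node is suspect
    return sorted(n for n, txs in nodes.items() if sequence_digest(txs) != ref)

def classify(reference: List[str], txs: List[str]) -> str:
    """Rough diagnosis for a divergent node, to guide the test report."""
    if txs == reference[:len(txs)]:
        return "behind"        # strict prefix of the canonical sequence: still catching up
    if sorted(txs) == sorted(reference):
        return "reordered"     # same set, different order: ordering/consensus defect
    return "conflicting"       # different set: dropped, forged or unpropagated transactions

def node_consistency_report(nodes: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each divergent node to its diagnosis; empty dict means all nodes agree."""
    ref_digest = majority_digest(nodes)
    if ref_digest is None:
        return {n: "no-majority" for n in nodes}
    reference = next(txs for txs in nodes.values() if sequence_digest(txs) == ref_digest)
    return {n: classify(reference, nodes[n]) for n in divergent_nodes(nodes)}

# Constructed scenario: four healthy nodes, one offline-then-rejoining node,
# one node that applied two transactions in the wrong order, and one node
# carrying a transaction the others never saw.
CANONICAL = ["tx1:alice->bob", "tx2:bob->carol", "tx3:carol->dave", "tx4:dave->erin"]

SAMPLE_NODES: Dict[str, List[str]] = {
    "node-a": list(CANONICAL),
    "node-b": list(CANONICAL),
    "node-c": list(CANONICAL),
    "node-d": list(CANONICAL),
    "node-e": CANONICAL[:2],
    "node-f": [CANONICAL[0], CANONICAL[2], CANONICAL[1], CANONICAL[3]],
    "node-g": [CANONICAL[0], CANONICAL[1], "tx9:unknown->unknown", CANONICAL[3]],
}

if __name__ == "__main__":
    for name, verdict in node_consistency_report(SAMPLE_NODES).items():
        print(f"{name}: {verdict}")
```

Running the scenario reports node-e as behind, node-f as reordered and node-g as conflicting. The "behind" case is the one the paragraph singles out: a node that did not participate for some time should converge on the canonical sequence once it catches up, so a test that replays the missing transactions and re-runs the report should see that node drop out of the divergent list, while a "reordered" node should never converge without intervention.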

Now, imagine if the frameworks themselves are built on a blockchain!

A decentralised testing framework will be highly secure, immutable, and incorruptible, as the core protocol of Blockchain facilitates these features. Having the framework itself on the Blockchain prevents any unauthorised access, and since it is essentially an "append only" digital ledger, anyone with access to the framework cannot make any unwarranted changes.

One of the use cases of Blockchain that has application across multiple verticals is blockchain-based certification. Gone are the days when services are certified by a central authority, usually the service provider itself, which isn't really verifiable by the end user and is entirely based on trust and reputation. For example, if an application testing company issues a blockchain-based certificate for the authenticity of a service in the form of a QR code, then on scanning it the end user of the application will be able to determine how any piece of information was added to the system and how permission for the same was given. This certification would be universally verifiable, and the immutable nature of Blockchain will take care of the dependence on trust.

The fact is that Blockchain is a technology that will help provide a system to the companies who wish to gain a competitive advantage while providing security and transparency.

This is a post in our Medium blog, 'Blockchain for Everyone'.

Sign up here to discuss any use cases. Thanks to Rohit Taneja for reflections and feedback.

Helping you understand the fundamentals of blockchain and develop elegant blockchain solutions to empower your successful businesses into new technology spaces, BirthVenue.

Sabarish Nair

Blockchain Analyst


Blockchain analyst with key focus on protocols & scalable industry solutions.