Stader x Halborn - Security in Web3

Recorded: Jan. 19, 2023 Duration: 0:45:15
Space Recording

Full Transcription

other folks, a couple of minutes to join in.
Can you hear us?
Thanks for having me.
Yeah, absolutely.
We're just going to give everyone a couple of minutes to join in and then we'll start from there.
Absolutely, no problem.
So without further ado, invite Dave to sort of introduce himself.
Thanks for having me.
Hi, everyone.
Dave Schwed.
I'm the Chief Operating Officer for Halborn.
I've been in the space, specifically IT and cybersecurity, for about 26 years.
First part of my career, traditional finance, working for organizations such as Citicorp,
Salomon Smith Barney, Merrill Lynch.
I took the crypto journey back in around 2012 and some relevant experience there.
I was the Chief Security Officer for Galaxy Digital.
I was also the Global Head of Digital Asset Technology for BNY Mellon prior to joining Halborn.
Yeah, that's a pretty impressive background, Dave.
So from traditional finance to the crypto world in 2012, so it means that you're quite
an early believer in this space.
Well, you know what?
It's funny.
I believed in the technology.
I wasn't at the time necessarily thinking about the value of the cryptocurrency.
So while I didn't get involved early, it was unfortunately more from a technological
perspective.
No, no, I think that's probably going to, I mean, everybody who's in this space, the
consensus view is that technology is ultimately going to win out.
The prices may move up and down anyway.
So maybe just, you know, start us off by letting everyone know what Halborn does.
I know probably everybody knows about the smart audit side of business, but maybe we can
touch upon that.
But there's so much more to Halborn than just that, right?
Yeah, no, I appreciate that.
So, you know, Halborn, we're a cybersecurity company focusing specifically on securing blockchain
entities, you know, as well as just native Web3 projects.
So what we do is, you know, we look at the entire project itself or the entire organization,
and we don't necessarily focus on one specific area.
So while smart contract audits is something that we do, we also look at the entire project from a risk
perspective.
So for example, you know, we might do a smart contract audit, but then the next question that
ultimately comes up is, well, where are you storing your private keys that can, you know,
effectuate a change in the smart contract?
You know, and then we might look at things like, well, what is the front end app look like?
So let's start looking at traditional Web2 cybersecurity threats.
So our goal is not necessarily to focus on one specific aspect of securing a blockchain project.
We look at securing the entire project from end to end, no matter if the threat is from a Web2,
Web2.5 or Web3.
Yeah, no, that's very important, right?
Because I think, I mean, as the adage goes, basically your security is as secure as the weakest point, right?
So it's not necessary that, you know, you can have a platform with a great smart contract,
but if you're not securing the other aspects of the platform, you're still vulnerable to attack.
Absolutely.
Halborn is kind of an interesting name.
I just wanted to check if there was like a backstory to it and how the company sort of came into being.
Yeah, absolutely.
So the two co-founders, Rob and Steve, they were both huge Matrix fans.
So when they got together and came up with the idea for the organization, you know,
they naturally settled on, well, let's try to figure out something that kind of conjures up this image of the Matrix.
And I think back in the early 2000s, there was a game, The Matrix Online, which I think was probably prior to World of Warcraft, etc.
And there was a character in the game called Halborn.
And this particular character had like unfettered access to all the different systems.
And he was like the hacker within that organization.
So, you know, they just felt that that, you know, image and that name just kind of conjured up exactly who we are as an organization.
Yeah, no, that's, that's pretty, pretty interesting.
And yeah, pretty nerdy as well.
So we all like that.
But I mean, we touched upon this a little earlier, but maybe we can sort of dive deeper into what Halborn does.
And, you know, specifically, I know you mentioned that audits are just one part of things, but maybe we can just kind of start there.
And why do you think audits are so important for projects, especially DeFi projects?
Yeah, absolutely.
So I'll touch on that first, then I'll touch on the first part of the question about, you know, expanding on the services that we offer.
So, personally, and the way Halborn looks at it, smart contract audits are a way to instill trust within the community that there is an independent review of that particular smart contract, that it does what it's supposed to do.
And that it has been reviewed from an independent third-party perspective to ensure that there are no code exploits, which is the number one thing that organizations like Halborn look at, but we also look at things like business logic exploits, because I think that's the area where you really need accomplished and experienced hackers or red teamers to really look through the code.
Because if you look at a hack that does, like, a digital signature bypass, or the Merkle tree validation that we saw about a month ago, that's an example of a code exploit, not necessarily a business logic exploit.
But then when we think about things like front running a particular transaction, those are things that are business logic exploits, where, if you're looking through the code to say, like, how can I exploit a piece of this code, you're not necessarily going to find like, you know, the the ability to front run.
This is where I think the nuance comes in, where, you know, having people that really, truly understand this ecosystem, and understand how blockchain and how digital ledger technology works, from a cryptographic standpoint, I think that's really what, you know, is important.
So I think the value of the smart contract audit, number one, is really supposed to provide an attestation that, that the, that the, that the code has been reviewed by a third party.
Now, I do have to say, though, when we work with a lot of clients, or I speak to some of my colleagues that work at other organizations, unfortunately what we're seeing is a lot of projects defaulting to auditors to help them code better or help them fix things. I don't believe that's truly what the role of the auditor should be. When the auditor gets the code, there should be almost no vulnerabilities, there should be no findings.
The whole point of the audit is to provide that, you know, independent attestation that the code is what it is.
But I think we're so early in this that there are no publicly available tools for projects.
If you look at Web2 source code scanning, there are tons of static and dynamic code analysis tools that people can run their code through and identify vulnerabilities and libraries.
But I don't think we're there yet with blockchain.
So I think that it's really, really even more important to, you know, engage with those, you know, independent organizations to take a look at, you know, that code to make sure that it is,
you know, secure.
As far as the other services that we offer, you know, what we like to explain to clients is, you know, we can provide assurance, you know, anywhere along the crypto journey.
So we're working with some clients where they're just, you know, starting on their Web3 journey, where, you know, they're starting to architect or they're starting to think about how can we, you know, enter this new digital assets world and how do we do that securely.
So we'll work with certain organizations that are first starting to figure out, do I want to self-custody?
Do I want to work with a custodian?
You know, what are the challenges?
You know, what are the security challenges from working with each?
You know, what is my resiliency and backup look like?
You know, if you're using, you know, MPC, you know, what does that recovery package look like?
How can I construct, you know, the private key from the independent key shares?
You know, we'll work with organizations even on operational procedures.
So, you know, there's some major banks that we're working with that are, you know, starting to think about, like, what additional controls do we need to put into place from an operational perspective when we start rolling out cold wallet signing?
So, again, we'll look at really the entire process from end to end.
And we'll also look at things like insider threats because that's really, you know, not that it's not important in Web2, but I think it's even more important in Web3.
You know, the whole point of insider threat is if you have a project with, you know, 10 or 15 or 20 people, you know, there's going to be two or three of those people that you can put together from a collusion standpoint that may be able to effectuate something maliciously.
So how do you work with organizations to stand up controls that not only prevent, you know, that collusion, or if you can't necessarily prevent that collusion, you know, how do you detect that something bad is going on and what kind of circuit breakers you can put in?
So that's really what Halborn does.
We go in, we do a risk assessment.
We understand where the different threats are, and, as you so eloquently put it when we first started, it's really finding that weakest spot.
It's looking at the project from end to end, looking at it offensively, looking at it through the eyes of a threat actor and saying, if I were going to do something malicious, whether it's stealing funds or whether it's business disruption, which I think it's another area that a lot of people don't necessarily focus on.
We're so hyper-focused on someone stealing our assets, you know, but there's a world of threat actors that are just looking to disrupt.
You know, we have nation states that, you know, want to cause turmoil in the financial services system.
So what better way to do that than maybe launch a DDoS attack against, you know, a blockchain.
So, you know, that's what we do.
We look at the project, we identify the different threats to that particular project, and then we'll work with that organization from a risk-based approach of, you know, where do we feel that, you know, it would be best, you know, to focus our attention on.
Yeah, no, that's, that's really heartening to hear, right?
Because I think a couple of points that you've mentioned, just kind of getting into the mindset and, or an aggressive mindset of the attacker and trying to find or poke holes in the system or platform, and then sort of going back and seeing how we can, how we can sort of defend better against it.
I think that's, that's an amazing approach.
I just want to pick on one thing that you, that you said right at the start, right?
You mentioned that it's, it's still early doors for, for security as a whole, or for this sort of industry or ecosystem to kind of mature.
So I was just wondering, and this is going a little off script, but essentially from your vantage point, could you just, you know, walk our community through, you know, how this, how this, you know, industry or, or this aspect of Web3 has evolved in terms of the security aspect?
Sure. Great question, by the way. I think we're definitely in a stage where the industry is maturing. I come from two different worlds. I come from enterprise security, from the banking and financial services perspective, and I've also worked with smaller startups, where they don't necessarily have the budget of a major financial institution, number one, just to purchase certain technologies and also to hire certain individuals.
Banks have the advantage of: let me go hire someone who is just a networking person. And again, this is just on the technology side. Let me go hire 10 Cisco CCIE-certified people to build out my network. Let me go hire a network security specialist. Let me go hire an HSM specialist.
So they have the budget to go out and hire individuals for whom this is their domain of expertise and this is what they've done. And I think some of the challenges that we've seen over the last X amount of years in the blockchain world is that the capital isn't necessarily there to go out and build a 100, 200, 300-person security organization. Again, pushing the Coinbases aside and other organizations that have thousands of employees, I'm talking about some of the smaller projects.
So, you know, I think what we're seeing is, I think we're seeing number one, you know, a lot of security tools that are still in stealth and some of them have launched that are trying to address some of the, you know, some of the, the gaps in the market.
There really, up until recently, hasn't been a great solution for looking for anomalous activity on DeFi, for example. So from a retail user perspective, they're plugging in their Ledger, they're authorizing blind signing, and they don't know what they're doing.
And they're interacting with a dApp, or they think they're interacting with a dApp. And there's really nothing there to guide that retail user through, like, am I communicating with who I think I'm communicating with? But we're starting to see tools come out, we're starting to see browser extensions, we're starting to see enterprise-level solutions that can be integrated with wallets.
So I'm really, really bullish on where we're headed in the industry from a security perspective. Because I think, you know, the, I think the market is seeing that, you know, crypto isn't just a fad and crypto isn't going away. So what we're seeing is we're seeing some of the, you know, major cybersecurity companies, we're seeing some of the major banks really starting to deploy capital and research to really address some of the gaps that we've seen over the last, you know, 10, 10 plus years.
Yeah, no, absolutely. I think you've raised a couple of very good points there. I think, rightly said that right now, I mean, if you look back a couple of years, I mean, the focus of the industry was probably not as much in security as it probably should have been. But over the last sort of six to eight months or 12 months, I think we've seen really the quality of execution and security come sharply into focus, where projects can now really defend
and differentiate on that. And the other point that you rightly mentioned, right, it's in the more traditional world, you see these very, very large, you know, risk compliance departments, which really isn't possible in the Web3 world because of the dynamism and the fact that we want different sets of small, you know, developers or builders to go out and innovate.
If we have to do that safely, then we need all of these tools that you sort of alluded to. Yeah, totally agree there. Moving on to the next question, you sort of alluded to there as well, the space is kind of maturing, and especially on the audit side, we see it getting a little bit more crowded as well, right?
So maybe talk to us a little bit about, you know, what makes Halborn different, as well as the fact that, you know, when somebody is kind of looking at, you know, reports from different sort of audit providers, what are some of the maybe telltale signs that makes you feel that this is like a quality report versus something that's just been done a little bit superficially?
Yeah, absolutely. And that's a great question. If I were coming from the outside and I was trying to evaluate, for example, which auditor I would go with, some of the things that I would look at: number one, I look at the backgrounds of the individuals that work for the organization, specifically the hackers or the red teamers, to see what their level of expertise is, what their background is, where they come from. That's number one. Number two, I'd also check out the Rekt list.
Again, there's a love-hate relationship with the Rekt list in the community, and I'll explain why in a second. But I think the Rekt list is a great place to look. For everyone listening, if you're not familiar, the Rekt list is a list of potential hacks and exploits showing the amount of funds that were allegedly stolen. And then it will show if that particular project was audited, and which auditing firm it was.
And the reason I say I have a love-hate relationship with it is that the one thing the Rekt list does not show is whether the particular smart contract that was exploited was the same one that the auditor had actually audited.
So that's the one thing I would tell people: if you see a certain organization on the Rekt list, do a little bit more due diligence. Look into the particular audit report and see if the smart contract, or the portion of the smart contract, that was reviewed was the same one that was exploited.
But that's another area that I'd look into. Obviously, definitely, you know, reference checks are huge, you know, speaking to other clients about what the experience was with that organization.
You know, but you're right, there are a lot of organizations now that are, you know, hanging out a shingle and saying we're smart contract auditors.
And I think that's causing, you know, personally, I think that's causing more harm in the industry than good.
Because some projects and some Web2-native companies that are first entering into their digital assets journey maybe don't have the expertise to fully understand what the differences are between the firms and their level of experience and expertise.
So we may have firms that don't necessarily have the experience or the ability to actually perform a smart contract audit now doing smart contract audits.
So they may be throwing them through different tools. You know, they may be using, you know, a solidity developer that doesn't have any security background.
So I think we're causing a little bit more harm in the industry than good.
But I think what will end up happening over time is and I think we're, you know, we sort of see it today is just like in the public accounting firm.
Like, you know, you have the big four or the big five or the big six, you know, depending on, you know, what year we're talking about.
And then there's, you know, everybody else. And I think that's what we're going to see.
And that's what I think we do see today in the smart contract auditing world is, you know, you have the big names in the space and then there are other people that are doing it.
And, you know, the other answer I always tell people is, you know, you get what you pay for.
If you're looking for a firm specifically on price and they're significantly cheaper than somebody else,
there's probably a good reason because, you know, the engineers that are working on that particular engagement maybe are not as great as some of the engineers from some of the other firms.
And they obviously are paying them less. So therefore, they can afford to do the, you know, the audit at a cheaper price.
You know, so listen, security is paramount. So that's not one area that I would necessarily recommend for, you know, for certain individuals to, you know, to cheapen out on.
So, again, even if it's not Halborn, I'd look for some of the other bigger names in the space.
You know, so those are the areas that I particularly would look at, you know, then as far as the quality of the report, you know, again, just look at past reports.
Most reports, maybe not the full details, but most reports are published.
So you can take a quick look at, you know, the auditor's, you know, last six to 12, you know, months worth of audits and look at the quality of the findings.
Look how many critical vulnerabilities or highs or mediums and, you know, look at the depth of, you know, the findings and, you know, what was actually identified.
You know, was it, as I mentioned before, was it a code exploit? Was it business logic exploit?
The business logic exploits, I think, are really where Halborn differentiates itself from others, where, again, we're not just necessarily looking for those code exploits.
We're also looking for that business logic exploit.
So I think all of those together, I think, are probably, you know, some of the points that I hit in on.
Yeah, no, I think that's some very, very great points, right, and some very great advice as well.
But I particularly love the metaphor or the comparison to the accounting firms because you can see a stark difference in quality amongst the top and everybody else who also does it.
So, yeah, that really struck the point.
Yeah, listen, I'd actually love to ask you a question.
You know, other than security audits, you know, I'd love to hear, like, what other security practices that, you know, you're following, you know, to ensure security for your staking solution.
Yeah, no, absolutely, no, great question.
And it sort of follows on from what you just mentioned, right, because it's not about the code versions, because security is not, you know, once done and once and done kind of situation, right?
You have to constantly kind of stay ahead of the game, right?
So for us, I think it's a combination of a few things.
So one is, of course, you know, quality or quality audits by firms such as yourselves, right?
And then sort of going ahead and, you know, also doing bug bounties, right?
So we, for the BNB solution, have a $1 million bug bounty on Immunefi that's running, right?
And the idea there is that we, you know, in order to sort of stay abreast, it's just not possible for one team to do that.
So how do you incentivize the community to participate in making the solution more, you know, more secure?
On the other hand, we've also sort of partnered with Forta to come up with on-chain analytics, where we monitor the activity and the interactions with the smart contract.
And if there is something off or if there's something that needs attention, then we get alerted very quickly.
And that's another way for us to kind of make sure that we understand what's going on and we have enough time to kind of react.
That's great.
And I'm 100% on board.
I love the bug bounty.
You know, I think that's really, really critically important.
You know, again, because I've heard from some organizations, you know, that they're a little skittish about doing that because they feel like it's inviting people to come in and, you know, to try to exploit.
And what we always try to explain to them is whether or not you invite them, you know, if they want to look for an exploit that they can.
You know, what better way, though, to kind of, you know, shepherd, you know, the activity potentially through a white hat hacker instead of a black hat hacker.
So 100% on board with that and love to hear that that's part of your strategy.
Yeah, absolutely.
And just to kind of round off that thing, right, I think you mentioned that at the top of the program that, you know, the rogue actor sort of risk is very real, right?
And we try and mitigate that through having external multisigs.
And very recently on the Stader BNB side, we've also put our contract under a timelock where any changes take 24 hours to take effect.
So those are some of the things we've done apart from the audits that kind of help secure the platform.
And like I said, it's not.
It's sort of a continuous process.
That's great.
So maybe just kind of getting back into the group.
So I think one thing that you mentioned that really stuck with me and, again, going a little off topic, but I think it's the quality of the individuals.
So I would love to hear from you on how you think about hiring or acquiring talent when you think about building your team at Halborn?
That's a great question.
And, you know, I do think, you know, going back to the question about what differentiates us from our competitors, you know, I think this is one area where I think we definitely differentiate.
You know, and part of it, it starts with our hiring process.
It's not easy to work for Halborn.
You know, we intentionally put our candidates through an extensive interview process.
And it's not just interviewing, like, you know, back and forth questions.
We'll actually give them exercises.
So, you know, all of our engineers are required to go through two different capture the flags.
So we test out their Web 2 hacking capabilities.
So, you know, we'll give them a capture the flag to own a, you know, web server and try to breach it and, you know, grab some confidential data.
And then what we also have is capture the flags for different programming languages, whether it's Solidity, Rust, et cetera.
And then we'll actually have them go through a sample audit so we can see the quality of their work, so we can see the way that they think.
So we won't even speak to a candidate until they actually go through both of those capture the flags.
And then after they do that, we'll meet with them.
We'll review the reports with them.
We'll kind of hear their thinking, you know, how they approach that particular project and also just look at the quality of their work.
So that's one area that I think that we differentiate and how, you know, we try to identify top talent.
But as far as the candidate of the individual, what we found works is, you know, again, this isn't an area where you can say, OK, let me go find someone with 10, 15 years of smart contract auditing experience or blockchain security experience.
You know, while there might be people that have been in the space for 10 years, you know, cybersecurity and blockchain isn't necessarily something that's mature enough where we can say, let's look for somebody with 10 years experience.
So, you know, knowing that, the question is, you know, what individuals have we found or what backgrounds have we found excel the most in this particular area?
And, you know, one of the things that we see some of our competitors doing is they'll look for a Solidity developer or Rust developer or, you know, whatever language.
And then they'll try to teach them security.
You know, we found that that approach is not the right approach.
And the approach that we find works is: find an amazingly accomplished red teamer, someone who has been in the cybersecurity space for maybe 10, 15 years, or even if it's three or four years.
But, you know, they've really demonstrated that they that they fully understand the cybersecurity ecosystem, that they are really, truly a red teamer.
They understand, you know, how to use all the different tools.
They know how to write their own exploits.
And what we found is upskilling them and teaching them blockchain is a lot easier.
You know, understanding blockchain, understanding the cryptographic, you know, signing of transactions and understanding the importance of private keys.
It clicks very easily for somebody who's a cybersecurity professional who's been doing this for a number of years because it's really for them just a different system.
Right. It's different code to exploit.
So that's one area.
The other area is, you know, we will hire people that have been in the space for a number of years that maybe are not cybersecurity professionals, but understand the ecosystem.
And that's where like that business logic exploits come in, because they'll work with the engineers when they're looking through the code to try to understand, you know, what are we trying to accomplish here in the ecosystem?
You know, again, they've been doing this for 10 years.
You know, they've accessed all the different bridges.
They understand how the ecosystem works.
So they'll work with the engineers who are looking through the code for the exploits to kind of work with them to map out, you know,
if they were to look at this from a business logic perspective, here are some of the things that they would try to do and then work with the engineer to see if the code detects and prevents that type of anomalous activity.
Yeah, no, that's, that's super insightful, right?
Because especially the fact that, once you're in that mindset of finding loopholes in a particular piece of code or logic or system, it's easier to upskill to a different system rather than build that mindset from the start.
That, that's very insightful.
Just sort of switching gears a little bit.
I know we have a lot of builders also listening in at different points in time to our AMAs.
Just wondering what advice would you give from a security perspective to somebody who's, you know, starting a project in Web3?
You know, so there's definitely, there's a lot of, you know, quick, you know, quick wins, if you will.
So, you know, I think one of the, one of the things that I'm, you know, I keep mentioning it is, you know, custody and key management.
I think, you know, the, the smaller the project, you know, the newer the startup, it's usually an area that they don't particularly focus on.
You know, number one, you know, it's, it's a complicated topic, you know, how do you safely and securely store private keys?
Or how do you safely and securely store API tokens?
You know, and I think that's an area that I think a lot of the smaller startups and projects don't necessarily focus a lot of attention on.
And so I would tell a lot of, you know, new projects when they're starting, you know, custody and key management is foundational to everything that you're building.
So really take the time to figure out, like, how am I going to build out a secret management, you know, process, you know, again, for both the API tokens and also for, you know, the private keys for the smart contracts.
Because, you know, as everyone's aware, you can have an auditor come and look at a smart contract, but if someone steals your private keys, they can just very easily, you know, upgrade your smart contract.
But, you know, I, you know, one of the controls like that you mentioned before is, you know, that time lock.
So, you know, if someone were able to grab the private keys, you know, it's 24 hours.
So that's a great control to put in place, providing, you know, there's also detective controls in place to detect, you know, potential changes or, or, you know, someone who access those keys.
So I would say definitely key management and custody, you know, is definitely foundational.
And then I would take a layer back and start looking at: what do my DevOps and CI/CD look like?
Because that's another area where I think smaller organizations, you know, you'll have a developer who also is the person who is, you know, pushing the code into production.
So if you have one individual that has, you know, full access to not only develop, but also to push things to production, you know, number one, that person can get compromised externally, you know, whether someone's, you know, pushing pressure on them to inject malicious code, and or they're compromised, you know, inadvertently, you know, go back to the Axie Infinity, you know, they had the developer, you know, who opened up that malicious PDF job offer, you know, got owned, and then his machine, because he had access to certain systems, they were able to move east-west laterally and grab some of the private keys, you know, to the validators.
So I think it's also, like I said, looking at, you know, how do you segment certain individuals within the organization from a segregation of duties, you know, from an operational procedure perspective, but also from a technological perspective.
So looking at that CI/CD, looking at that DevOps, but then also looking at like, what does my process look like, you know, individually?
Like, how does code get reviewed internally?
You know, how are people, you know, pushing code out from a staging to a UAT to a production?
So I think all of that stuff needs to be looked at.
As far as like, looking at like, smart contract audits, you know, again, depending on the size and scope of the organization, you know, one of the things that I typically tell people to do is, you know, shard out the development work to different people.
So number one, you don't have a developer that necessarily has full access to the entire code base and can inject certain things.
And then it also keeps a level of obscurity through like, what's actually being built and what the different functions do, you know, until things are released in production.
So it's really, you know, again, coding on, you know, particular functions and sharding out the different work.
But then also looking at your infrastructure, too, and looking at things like physical and network, you know, I'm sorry, physical and logical network segmentation, you know, putting defense in depth.
So that way, if there's a piece of the infrastructure that does happen to get owned, you know, you don't have to necessarily worry too much about, you know, east-west lateral movement.
You know, there's too many times when, you know, a particular device on a particular network or in a VPC within AWS is owned.
And there's, you know, you don't have that logical or physical network segmentation.
And then it's very easy for that threat actor to then move east-west, you know, laterally.
The other piece, and, you know, and then I'll stop talking, is around detective controls.
You know, we can throw as many preventative controls as we want in place, but they can and they most likely will be breached.
So we want to also have as many detective controls as we have on the preventative side so that way we can detect things.
You know, when I'm talking to lay people that are not necessarily, you know, cybersecurity people, I'll use a house as an example.
We all have locks on our door.
Why? To prevent people from coming in when they shouldn't, when it's locked.
Well, that's great. Why do we also have an alarm system?
Because somebody can kick the door open.
And we have to think that way when we're starting to implement cybersecurity is, you know, I have a firewall that's supposed to block unwanted traffic.
Well, that's great. Well, what if somebody is able to breach my firewall?
What if there's a zero-day vulnerability in my firewall that hasn't been remediated yet and someone is able to exploit it?
Well, I want to have detective controls inside my network to see if there's malicious activity of somebody breaching my firewall.
And I think that's an area that a lot of the startups don't necessarily focus too much attention on.
Or if they do, they don't have the individuals with the skill set to be able to respond to those types of alerts.
So the organizations that do have these detective type controls, they'll get an alert and it's either, you know, three in the morning and they don't have a 24 by seven security operation center.
So there's no one there responding and investigating it or they get the alert and they don't necessarily know what to do with it.
So I think, you know, standing up detective controls, but then also ensuring you do have that, you know, security operation center, you know, whether it's outsourced or in-house, monitoring for that type of activity.
So those are the, you know, the quick wins that I think I would tell most organizations to focus on.
Yeah, thanks. Thanks for that answer. I mean, pretty much loved the whole thing.
I'm just kind of thinking that, you know, we should probably cut out this snippet and have it up separately as, you know, something that everybody who's starting up a new project should kind of go through.
So especially love the analogy on the house, because ultimately, I mean, because this is such an evolving space, what you might think is secure right now might not be secure, you know, six months down the line.
And hence, you need to have those detective controls in place for when that happens. Right.
It's almost like you have to assume that that will happen at some stage.
Absolutely. Yep.
Yep. Just sort of looking at the flip side of things, not so much mistakes, but what do you think are, you know, some of the more common misconceptions or errors in thinking that projects make?
So, you know, that's a great question. You know, I think some of the common misconceptions are, you know, cybersecurity is not black or white, right?
Like there's no, this is secure and this is, you know, inherently, you know, insecure.
You know, it's really shades of gray. And I, you know, one of the things that you just touched on right before that question is, you know, you nailed it.
What's secure today may not be secure tomorrow.
So I think that's, you know, some of the misconceptions is, you know, that cybersecurity is this binary sort of, okay, everything is now secure, thumbs up.
It's an ongoing process where there's always, you know, new sets of attacks, new vulnerabilities that are discovered, you know, new types of exploits.
So I think the misconception is, you know, it's not a set it and forget it, you know, hey, we did this, you know, like you said, six months ago, we implemented, you know, a perfect example would be, you know, again, I'm not knocking HSMs, you know, I'll just give you an example.
But, you know, if someone stood up a key management, you know, process in crypto, you know, in 2014 or 2015, you know, 99 out of 100 of them are going to be using HSMs most likely, you know, but what we've seen from 2017 or 2018 on is the shift towards, you know, multi-party computation, you know, as a way to safely, more securely, you know, store their keys.
So if you did a set it and forget it type of attitude, you know, you wouldn't necessarily take, you know, a look at this new MPC technology to see if it offers any sort of additional benefits, you know, to certain organizations.
So I think it's this constant, you know, relooking at the infrastructure. It's, you know, the concept of Kaizen, it's continuous improvement that I think, you know, I think most organizations don't look at cybersecurity through that lens.
I think it's more of that, like I said, that binary, okay, we're good, we're secure, let's move on to the next project.
No, absolutely. Yeah. So let's just sort of shift gears a little bit, maybe talking a little bit about the future. We are in January. So we'd love to hear some of Halborn's plans for 2023 and beyond. What can we expect to come out?
Yeah, absolutely. You know, so we launched last year a product called Ziion for the community. It's free. So if anyone's listening, you know, go to Ziion, Z-I-I-O-N.org, which is another Matrix reference. You know, we like to, it's easy, the best way to explain it is, you know, it's the Kali Linux for blockchain security and development.
So it's an open source Linux distro that contains, you know, I think over 100 of, you know, all of the different blockchain security and open source development tools for the community. So that's one thing that we launched last year. And, you know, we do have some products that we're very excited to launch this year.
You know, don't necessarily want to, you know, dive into the details until we fully launch it. But, you know, keep your eyes out at Halborn.com. You know, we should be launching something, hopefully by, you know, the end of Q1 into Q2, or make some announcement on it.
You know, because, you know, we feel that we're, you know, because of where we're positioned in the market for, you know, working with all clients and understanding the vulnerabilities, you know, we do have a sense of, you know, what we feel is missing in the space.
You know, so we're able to leverage that type of insight into, you know, the industry and be able to develop tools that will address some of the, you know, some of the areas that we believe are missing in the market.
You know, also, you know, what we're seeing is really, really increased activity coming from enterprise.
And when I say enterprise, I don't necessarily mean just banks, you know, focusing on, you know, cryptocurrency.
You know, we're working with some other organizations, you know, that are not in the financial services space, but are, you know, very large enterprises.
And it's really exciting for us to see, you know, the, you know, the use cases, you know, that they're using digital ledger technology for.
So, you know, what's next for Halborn, you know, is really, you know, focusing products and services, you know, for other types of digital ledger technologies that don't necessarily focus on, you know, specifically on financial services.
So I think those are the two biggest areas that I think I'm excited for in 2023 is, you know, working on new use cases for digital ledger technology.
You know, whether it's, you know, we're seeing an increased activity in the gaming world, for example, or like I said, you know, non-financial services enterprise, you know, so certain, you know, organizations that are maybe looking at, you know, again, not necessarily this is one of our clients.
But, you know, some of the things that I've read in the industry are, you know, airlines using NFTs for boarding passes and creating a secondary market, you know, to sell airline tickets.
So I think things like in projects like that, you know, as we get more and more involved in, I think are, you know, some of the things that I'm most excited about for this year.
Yeah, no, super, super exciting.
We'll definitely keep an eye out for all the new launches coming into Q2 and beyond.
Finally, I just want to end with more of a sort of forward looking view.
I know we talked about the evolution of the industry, but how do you see sort of blockchain and DLT cybersecurity evolving in the next two to three years?
So we're definitely going to see more enterprise tools that are coming into the space.
There's a number of projects that I'm really super excited about that some of them are still in stealth that are really addressing some of the lack of, you know, enterprise level security or enterprise level risk management.
And, you know, not just cybersecurity, you know, just other types of transaction monitoring systems and, you know, enterprise level risk management, you know, from, again, not from a cyber perspective, but more from like a financial risk.
So I think we're still going to start to see, you know, as we see more globally systemically important banks, you know, entering the digital asset world and we start to see more of these enterprises, you know, their demand for enterprise level security has increased, which is creating a market for startups to address that market.
And I think we're going to see real maturity in the cybersecurity tools that are out there because I think, you know, listen, there's always going to be the need for eyes on glass from engineers and you're still going to need those, you know, cybersecurity professionals.
But I think the more and more either open source tools that are available or just SaaS based security for blockchain will just do its part to help, you know, elevate and secure the ecosystem.
So I think that's really what I'm excited about.
You know, I think one of the other areas, you know, talking about, you know, blockchain security, you know, I just wanted to touch on it because I thought it was kind of interesting is, you know, the use of digital ledger technology for blockchain infrastructure for traditional Web2 threats.
You know, one example I like to talk about is, you know, if we look at traditional command and control malware, you know, you have a bot sitting on a machine, it will phone home, make a DNS request out and, you know, pull down the payload and, you know, send the instructions out to, you know, to the infected host.
But what we're seeing is a shift where malicious actors are now potentially using this new decentralized infrastructure to carry out these same types of attacks.
So instead of DNS, we're seeing, you know, somebody using ENS for resolution.
And then instead of storing payloads on a centralized server, which can be blocked by IP address, you know, we're seeing people put payloads on IPFS, you know, with IPFS, you know, it's fully resilient, it's decentralized, it's permanent.
You know, so I think that's going to be interesting, too, is we're going to see some traditional Web2 cybersecurity tools that are maybe kind of crossing over into the Web3 infrastructure world.
Yeah, no, that's, that's super interesting and insightful.
I think, like we've sort of mentioned previously as well, I think it's very heartening to see, like, the focus being very sharply on this and with sort of enterprises also joining the fray.
I think a lot of the learnings that people have had from Web2 in terms of the concepts, as well as, you know, just the robustness of Web2 security can be sort of translated into Web3 as well.
And, yeah, I think all of us in the ecosystem will look forward to it.
So I think those are the questions we had for now.
So before we sort of let you go, Dave, is there anything else that you would like to sort of share with the community?
No, you know, just, you know, Halborn's here for everybody as a resource.
You know, feel free to reach out to me personally.
You know, my mission is to help secure the ecosystem.
So, you know, even if it's just, hey, you know, have a quick question, want to ask me something, you know, feel free.
I'm an open book.
So, you know, anybody just feel free to reach out and then obviously check out Halborn.com and check out all our socials.
You know, we push out a lot of content, you know, to help secure the ecosystem and help educate the ecosystem.
So, you know, follow us on all our socials.
But I really appreciate you having me on.
I really enjoyed our chat.
Yeah, absolutely.
And we enjoyed the chat as well.
And thank you for all the comprehensive and insightful answers.
I think folks listening in to this will find it very, very interesting and helpful, you know, for a long time to come.
That's great.
And thank you for being a great partner.
Yeah, absolutely.
Same here.
Thanks for partnering with us across the board.
And finally, thanks to all of our listeners for tuning in as well.
You know, this is done for you guys.
And, you know, do let us know if you want to, you know, hear different topics or anything else that you might have as questions for Halborn.
And like Dave mentioned, you can visit the site at Halborn.com or, you know, get in touch with them through their socials.
With that, thank you again for tuning in.
Thank you, Dave, for being a wonderful guest and providing all the insightful answers.
And we'll see everyone on the next one.