IC code audit topic: where would this fit in the forum?

Going to a meeting tomorrow with the OWASP local group, and one of the main talking points will be Web3 DApp audits and such. For anyone familiar with Halborn Blockchain Security Solutions and the Ziion web3 security testing and dev VM (basically a fork of Kali Linux loaded with a bunch of tools, mainly for Eth and Sol, hence the Rust integration already there): I will try to lay out the steps to include IC and then present it to DFINITY, meanwhile looking forward to a constructive panel talk with the local SNYK representative. So yeah, throwing this out to see where and if there is any traction, or anything against this. Thank you.

3 Likes

Wikipedia
Founded: 2 December 2001
Headquarters: Maryland, United States
Number of employees: 0 (2020)
Income: 878,998 USD (2010)
Founders: Mark Curphey, Dennis Groves
Focus: Web Security, Application Security, Vulnerability Assessment
Method: Industry standards, Conferences, Workshops

20 years and nothing achieved, the result is the worst security ever.

Yes, thank you for the Wikipedia quote. So what is your point?

Thanks @ZackDS ! I’m working in Dfinity’s product security team. This sounds interesting and including IC specific tooling in existing security projects would certainly be nice. I’m not too familiar with Ziion though.

I’d be interested in an update. Could you share your learnings / discussion outcomes about what IC specific tooling could make sense to be included in Ziion from your perspective?

1 Like

What do you mean?

They have a ton of really mature projects. The ASVS list is used a lot as requirements or by penetration testers to verify coverage of the tests.

JuiceShop is used to teach people about web app security.

Cool, nice to meet you @robin-kunzler, at least I now know who to talk to about this. The first meeting was about getting voted in, since this will be the first one that is Web3 related. There will be 4 presentations: from Chainlink, Polygon, MultiversX (ex Elrond) and ICP. Once I have drafted some ideas I’ll send them your way for review. The meetup will be held sometime in the second week of June. It was postponed because of the CertiK drama with Merlin, to include solutions for that specific issue.
With Ziion I’ll make a video about it highlighting what could be included and ask you/Dfinity about it, but only at the end of the month; right now I am busy with IC and Motoko presentations in Hungary and Romania.
So as soon as I get updates you will be the first to know.

@ZackDS Great, looking forward to any update! Thanks a lot for looking into this.

Since the beginning of the Internet there was a right and a wrong way, but we have taken the easiest path and have ended up with what we have today: a broken-down system that has a bunch of great companies handing out costly scripts to plug the holes, which do nothing to fix the underlying problems. Are they interested? Would that not make them redundant?

We all know the fixes, but we just keep taking the scripts, paying their fees while listening to their expert opinion of how great they are; you are obviously smitten by them.

40 years later and none of them have handed out the solutions, just the ongoing same old, same old.

Here we have a new technology that has listened to the problems and is trying to take the hard road to fix the underlying problems, so we can get off the scripts for plugging holes and create the foundation where the internet should have started, and today there might not be people and their families having their personal information and life savings stolen.

We endure the bullying by the internet companies that tell us how we will do things, what we should expect and how it will be.

Bringing the old onto a new system does not make sense to me, and they do not understand that under this new system we will not need their scripts to hide the symptoms, and they will not be needed. Like many things in life, things come and they go, as will fiat currencies; in my opinion, so will many of the greats of today.

It’s a bit of a stretch to hold one foundation with mostly volunteers accountable for the state of web security. This discussion seems to be going a bit off topic but I understand your frustration that companies have chosen to neglect security for the sake of profit and time to market.

If local gatherings, organized by OWASP, can bring the right people together to share information on web3 security we should embrace it. Tools to easily conduct security tests on canisters are more than welcome.

2 Likes

Life is short, try to ignore idiots.

If you go to a user’s profile you can mute them, and then their posts will be hidden.