🛡️

Security Best Practices for Web3 Businesses

Webinar Details

Date: 23/03/2023

Host: David Ding, Business Innovation Advisor at Callaghan Innovation

Guest: Marc Krisjanous, certified security auditor for Confide.

Video Length: 1:06:20

Summary

Marc Krisjanous, certified security auditor from Confide, a qualified security assessment company, discusses the most well known security standards relevant to industry such as:

ISO 27001/2

PCI DSS (Payment Card Industry Data Security Standard)

SOC 2 (Service Organisation Control Type 2)

CCSS (CryptoCurrency Security Standard)

Learn about the key methods for risk identification, access and key management, the auditing process and expert advice on how to secure your information and digital assets on Web3 platforms.

Transcript and Key Take Aways

‣

[00:00:00] Opening & Topic Intro

‣

[00:00:37] Slide 1 - Presentation overview & Marc Intro

‣

[00:02:26] Slide 2 - Web3 Security Risk and Threats

‣

[00:06:34] Slide 3 - What is Information Security?

‣

[00:09:53] Slide 4 - What is an Information Security Standard?

‣

[00:12:49] Slide 5 - Overview of Baseline Security Controls

‣

[00:15:47] Slide 6 - Overview of Baseline Security Controls - Cont.

‣

[00:18:10] Slide 7 - Certification versus Alignment

‣

[00:19:46] Slide 8 - Applying InfoSec to Web3. Is current InfoSec applicable to Web3?

‣

[00:24:21] Slide 9 - Web3 Components

‣

[00:26:28] Slide 10 - CCSS Overview

‣

[00:27:50] Slide 11 - Where CCSS Adds Value to Web3

‣

[00:28:19] Slide 12 - Signing a Transaction

‣

[00:28:36] Slide 13 - CCSS Aspects

‣

[00:30:17] Slide 14 - CCSS Aspects - Cont.

‣

[00:34:03] Slide 15 - CCSS Aspects - Cont.

‣

[00:35:53] Slide 16 - If I was building for Web3 I would...

‣

[00:39:08] Question - Regarding proof of reserves, what is the lens taken by CCSS in terms of ensuring off chain asset reserves from a security point of view?

‣

[00:42:21] Question - What would be the ideal entity from your perspective to be that use case?

‣

[00:43:42] The importance of incident response

‣

[00:49:55] Final summary of talk - end of presentation

‣

[00:51:05] Question #1 - How do you see the adoption of multi-party computation frameworks in the context of projects operating fully in the defi ecosystem?

‣

[00:54:04] Suggestions, concerns and questions are welcomed as feedback to be passed on to the CCSS committee

‣

[00:55:07] Question #2 - How should bug bounties be regarded - as full security audits or as a complimentary component?

‣

[00:58:07] Question #3 - Do you believe the framework administered by C4 is robust enough for a CBDC?

‣

[01:00:52] Question #4 - Where do you see the entry point for alignment and what tools are there for a bootstrapped Web3 organisation to align to InfoSec standards? Can you assist with that process?

‣

[01:05:08] Final comment and wrap-up