| title | What if I do a Security Review and the protocol gets hacked? |
|---|
Follow along with this video:
As the world moves towards a more digital infrastructure, the importance of security audits cannot be overstated. But who carries the blame when these audits fail? Should it always land at the feet of those responsible for conducting the audit?
While broaching upon this intricate subject, I recently had a pleasant chat with the legendary Tincho, who imparted an inspiring perspective. He offers valuable insights on the way we should perceive the role and responsibilities of auditors in these precarious scenarios. Below will be summaries based on his thoughts and perspective.
In the eyes of many, the fundamental purpose of a security audit is to identify and rectify the most critical vulnerabilities in a system. However, Tincho encourages us to look beyond this simplistic view.
Auditors should provide value, regardless of whether or not they spot critical issues.
In other words, an auditor's value doesn't solely rest upon their ability to find vulnerabilities. Instead, their advice should strengthen the overall security protocol and offer pragmatic solutions for future scenarios.
Of course, it goes without saying that the fewer critical vulnerabilities that are overlooked, the better - the safer Ethereum will be. It's naive however to believe that an auditor is solely responsible for when things go wrong.
The notion of finding a scapegoat when a system is exploited is a regressive one.
A whole chain of events leads to the successful exploitation of a vulnerability.
Attributing the failure of a system to an auditor's incompetency is simplistic and misguided. If a vulnerability was missed, it means it slipped past numerous stages of checks and balances, of which an audit is just one. When a flaw goes unnoticed for as long as four months, there are perhaps lapses in system monitoring and in many other security parameters.
So, what should an auditor do if a protocol they've reviewed ends up compromised? The answer is that a responsible security partner should not abandon their client in the midst of a crisis.
As an auditor, you may be able to help mitigate the damage, restrict the scope of the attack, and possibly identify the hackers. A quality auditor must be there, lending their expertise, during the inevitable chaos that ensues after a breach.
"If you are to be the trusted security partner of your clients, probably, when they are hacked, you want to be there. You want to be there supporting them." - Tincho
Security is a journey.
It was great catching up with Tincho, whose outlook on security audits balances realism with the optimistic pursuit of improvement. Every party involved in a security protocol must work together as a team and learn from any failure to ensure a safer, more secure digital environment.