Blockchain has been high up on the hype cycle at major infosec events like RSA Conference in recent years, but there are realistic uses and risks that need to be considered.
Chris Wysopal, CTO of Veracode, based in Burlington, Mass., said blockchain has proven useful in certain instances, like cryptocurrency, but enterprises shouldn't believe the blockchain hype and expect the technology to magically make every product better. The value of blockchain is tied to its basic properties as an immutable, transparent, distributed ledger.
Additionally, Wysopal said blockchain risks are real and not completely different from basic cybersecurity issues found in other products.
Editor's note: This interview has been edited for clarity and length.
Why is there so much blockchain hype, especially in the infosec community?
Chris Wysopal: I think the hype is there because there are some really hard problems in computing that don't have nice, clean, elegant solutions that work in the real world. Some of those properties that the blockchain and distributed ledgers give you [are] transparency, immutability [and] utility for distributed actions to be taken and agreed upon. Those things are typically pretty hard to do well. Those are great building blocks and great features, so people got really excited about it.
The best example of what works on blockchain is cryptocurrency, because all those things -- immutability, distributed, transparency -- are all properties a cryptocurrency can take advantage of in a great way.
It seems like that's the phase that we're in now: How are we going to use this to solve real-world problems beyond cryptocurrency? There are going to be a lot of crazy ideas that people are going to try, but I think it's going to settle out, and there's going to be some other great application besides cryptocurrency.
Based on understanding how the technology works, it seems pretty easy to see how cryptocurrency or something like supply chain management works well on blockchain. What other realistic uses would blockchain have?
Wysopal: Supply chain is a gigantic problem. Every single business has the problem, and it's getting worse and worse over time as a problem to solve, because everything keeps getting more fragmented and more distributed and moving faster. If you could just solve the supply chain problems that every business has, that would be yet another huge thing as big as a cryptocurrency.
Anything that's a multi-party transaction that needs to have records kept over time is something that is very similar to cryptocurrency and is very similar to supply chain. [It's] things like land records, medical records, educational records, anything where a record is built up over time from multiple distributed parties. There's a huge amount of applications that do that, too. And all these things can be built without blockchain. The whole question is going to be if it can be built better with blockchain. And if it can be built better with blockchain, the better technology will always win.
Even though the marketing on the RSAC show floor has been a lot of blockchain hype in recent years, are we probably still in the middle of figuring out what is best for it?
Wysopal: Yes. An example I heard when I was getting pitches was things like wireless certification. To be certified as a pilot, you have to have these different physical tests. You have to have different medical tests. You have to have passed certain educational tests [and] gotten certain flight time. And these are all coming from multiple different parties. They were thinking, 'Let's just build a service around managing that, because right now it's a huge amount of paperwork.'
They're trying to keep a consistent record, and then the pilot moves to a new company, and all this stuff has to be transferred. The idea that you could have a blockchain just for certification for a profession that requires a lot of multiple parties to be trusted as you operate feels like something that [could be done] much better with a blockchain solution than SharePoint, for instance, which might be the way people are doing it now. Scanning documents in and, you know, people have different roles and permissions.
I think there [are] a lot of enterprise-class apps that are going to be able to take advantage of it. It's not going to be as revolutionary and as exciting as cryptocurrency, but it will be evolutionary. It makes enterprise apps much better.
Do you have to actually fork the entire blockchain in order to do a security update?
Wysopal: It depends. It's something that I don't think you'll always have to do. But sometimes it's better, instead of adding features, to fork it so that some people who don't want those features or don't want things to change can keep using the old version. And one of the reasons for that is the idea of consensus. You have to have everyone who is operating on a blockchain all agree to everything.
And if it's a large percentage of people who don't agree, what you can do is you can fork and say, 'OK, well, if you don't agree with the direction we're going and you don't have to come with us, you can keep doing things the way you used to do them.' And so, it's not always that way.
If you got a group of smart contracts out there that won't work anymore, instead of saying, 'OK, well, you guys got to do this work to make your smart contract work with the new environment,' you just say, 'If you guys don't want to do that work, you don't have to. You can stay in the old environment. If you want to do the work, then you can move your contract over to the new fork.'
If you think about it [as] a smart contract, once it's put on the blockchain, it's supposed to run forever. But forever is an extremely long time in the software world. That's the theory behind these things. The blockchains from the genesis block on will always exist. If you write a smart contract and put it on the blockchain, it will always run. And so, if you make changes that break something, you have to fork.
Even if it leaves people at risk?
Wysopal: Well, they're sort of making the choice to stay at risk if they don't come along with the fork.
On the idea of blockchain risks, the 51% attack -- where an attacker attempts to take over a blockchain by controlling 51% of the compute power -- is something that people mention. How difficult is that sort of thing? Does it depend on the size of the blockchain?
Wysopal: It depends on the size of the blockchain. We found the 51% attack on the legacy Ethereum after the first fork of Ethereum way back in [the summer of 2016]. When they first forked it, it left behind a smaller blockchain [Ethereum Classic], and that actually had a 51% attack [in January 2019]. Whenever you fork, the problem is that with the smaller one left behind, you're more susceptible to that.
And it's also a problem with new cryptocurrencies coming out when they're still small if somebody wants to put a lot of computing power against it. That's a major problem that organizations have to deal with.
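Two of the points made above, that a ledger's immutability comes from each block committing to the hash of its predecessor, and that a chain's resistance to a 51% attack depends on how much hashing power backs it, can be shown in a small added example. This is editorial illustration code, not from the interview, Veracode or any real blockchain implementation. It builds a toy hash-linked chain with a trivial proof-of-work, shows that changing one record, even after re-mining the altered block, invalidates every block after it (so an attacker must out-mine the honest chain from that point on), and computes the Bitcoin-whitepaper estimate of the probability that a miner holding share q of the hashing power overtakes a chain that is z blocks ahead. The names, the difficulty setting and the sample records are all constructed.

```python
"""Toy hash-linked ledger and the Nakamoto catch-up estimate (editorial example)."""
import hashlib
import json
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Number of leading hex zeros a block hash must have. Constructed to be tiny
# so mining finishes in milliseconds; real networks use far higher targets.
DIFFICULTY = 2
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str   # commitment to the previous block's hash: the "chain"
    data: str
    nonce: int = 0

    def block_hash(self) -> str:
        payload = json.dumps(
            {"i": self.index, "p": self.prev_hash, "d": self.data, "n": self.nonce},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def mine(block: Block) -> Block:
    """Increment the nonce until the hash meets the difficulty target."""
    while not block.block_hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block


def build_chain(records: List[str]) -> List[Block]:
    chain = [mine(Block(0, GENESIS_PREV, "genesis"))]
    for rec in records:
        chain.append(mine(Block(len(chain), chain[-1].block_hash(), rec)))
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index_of_first_bad_block). Checks linkage and proof-of-work."""
    for i, b in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].block_hash()
        if b.prev_hash != expected_prev:
            return False, i
        if not b.block_hash().startswith("0" * DIFFICULTY):
            return False, i
    return True, None


def tamper_and_remine(chain: List[Block], idx: int, new_data: str) -> List[Block]:
    """Rewrite one record and redo only that block's proof-of-work.

    The altered block is valid on its own, but block idx+1 still commits to
    the old hash, so verification fails there: the attacker would have to
    re-mine every later block faster than the honest network extends it.
    """
    chain[idx].data = new_data
    chain[idx].nonce = 0
    mine(chain[idx])
    return chain


def attacker_success_probability(q: float, z: float) -> float:
    """Probability that a miner with hash share q ever overtakes a chain
    that is z blocks ahead (Nakamoto, 2008, section 11). For q >= 0.5 the
    attacker is expected to win, which is the 51% attack."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    total = 0.0
    for k in range(int(z) + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


if __name__ == "__main__":
    ledger = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("fresh chain valid:", verify_chain(ledger))
    tamper_and_remine(ledger, 1, "alice->bob 500")
    print("after tampering block 1:", verify_chain(ledger))
    for share in (0.1, 0.3, 0.45, 0.51):
        print(f"q={share:.2f}, 6 blocks behind: "
              f"{attacker_success_probability(share, 6):.6f}")
```

The second half is the usual basis for "wait for N confirmations" policies: a defender picks z so that the catch-up probability is acceptably small for the largest hash share an adversary could plausibly rent, which is exactly why a small or freshly forked chain is the weaker target.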
Other than a 51% attack, what are the other security issues that people should be aware of with blockchain?
Wysopal: The problem that I see is people are focused on what it's solving and forget about the parts that it's not solving. That's why we see so many [cryptocurrency] exchange breaches. They're using smart contracts to manage their wallet, and the transactions are in the blockchain. But there's still a problem of someone, for example, checking account ownership, or someone leveraging software vulnerabilities in the exchange's website or in the endpoint that people managing the exchange are using or the developers are using.
What I see with blockchain apps is there's still all those other things you [have] to get right for every application. You need to write your code; you need to have a secure host that it's running on. You need to do password management correctly and have two-factor authentication.
When I look at the security problems of blockchain apps, sure, you could have flaws in your smart contract, and you should be auditing your smart contracts and things like that. But I first say, 'Is the environment that smart contract's running in or your blockchain is running in secure? Or, does it have sort of the same problems that have been endemic?'
SQL injection has been around for 20 years. Cross-site scripting, if it has a web interface, has been around for about 18 years. We know all the problems with DNS [domain name system] takeovers, endpoint takeovers and phishing. How do you solve those problems, too? Or, is it still vulnerable, but it's a blockchain app? That's what I advise people. Worry about all the same old problems, because blockchain typically doesn't solve all of those old problems. You obviously need to design your blockchain app correctly, but attackers are going to go after the simple stuff first.