Yesterday the Cloud Security Alliance (CSA) published a security report on the enterprise blockchain Corda. In developing the paper, the researchers assessed a common Corda use case for trade finance. On the whole, the conclusion about Corda’s security was very positive.
However, when developing an application (dApp) and managing a network, there’s scope to introduce security vulnerabilities. The paper outlines how to identify and prevent these issues, and the CSA also provided a separate security checklist.
“Our aim when drafting this paper was to bring security and risk management leaders new to Corda DLT implementations quickly up to speed with respect to associated organizational risks,” said Bill Izzo, chair of the Blockchain/DLT Working Group.
The report starts by saying that “Corda Enterprise 4.8 was found to be natively Secure by Design and Default when it came to trade finance business logic and data confidentiality and privacy.”
However, whether the application and network end up secure depends on the people who implement and operate them. In the trade finance use case tested, the researchers found 13 potential vulnerabilities rated high impact and medium likelihood. Some of the threats come from insiders who compromise the system, others from hackers or criminal groups.
Of the 13 identified vulnerabilities, five related to network identity and access management and another five to flaws in the business logic or design of the dApp.
The paper also provides a list of steps to guard against some of the key issues: for example, which activities should be logged, how the logs should be analyzed, and which alerts should be raised to detect whether the system has been compromised. More importantly, it lists the steps that prevent the issues from arising in the first place.
Six months ago, the CSA published a similar review for Hyperledger Fabric. The reports are produced by the CSA Blockchain/Distributed Ledger Working Group.
Meanwhile, last year a whitepaper on DLT security standards was published by the DTCC, the organization responsible for settling quadrillions of dollars of securities transactions every year.