New Offering: 1-Day Security Reviews
Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different. In this post, I’ll share what these engagements are like and why you might want to hire us for one.
Audits are often too late
A typical “audit” is a comprehensive review of code that’s about to ship. By the time we see the project, all the code has been written and tested, and the client team is ready to launch. See How to Prepare for a Smart Contract Audit for the way we typically think about those end-of-project audits.
Particularly as smart contract systems seem to be getting more complex over time, we’ve been encouraging clients to engage with us earlier in the project and on an ongoing basis. We believe that this saves time and money in the long run.
To use a physical analogy, if you’re building a house, you’d rather learn about problems in the foundation before you’ve built the rest of the house. If you learn about such problems at the very end of construction, they’re going to be extremely expensive to fix properly.
There are a multitude of ways we engage with clients early, but 1-day security reviews are a particularly useful tool. Such a review is an inexpensive way to discover fundamental issues early and have a chance to resolve them before it’s time for a full audit.
An inexpensive complement to an audit
Another way clients have started to use these brief security reviews is as an alternative to a full audit. These clients typically don’t have the budget for a full audit but want to do what they can to make their product secure. However, the Diligence team sees these reviews as a complement to the full audit process that should follow when the product is at a production-ready stage.
The word “audit” is a bit loaded, particularly in the blockchain space, which is why we avoided the term for this new offering. At a high level, I tend to think of an audit as a way to assess risk. We certainly try to identify bugs during an audit, but the more important service we provide to developers is indicating the general overall safety of the system. For end users, an audit can give some sense of how safe it is to use the system.
Turning our attention back to the 1-day security review, one way to use that time is to do a similar but less comprehensive assessment. A skillful security engineer with careful prioritization can do a lot in even a limited amount of time.
Given their short timeframe, 1-day reviews are quite affordable. If a client then hires us for a full audit afterwards, we apply the fee for the 1-day review to the full audit. This model works because we believe that clients who undergo a 1-day review are much better prepared for a full audit, which makes the audit take less time and effort.
What is a “security review”?
Although the details vary depending on the client, when I conduct a 1-day security review, I typically use the following procedure:
- I start with a 1-hour call with the client. This is a chance for me to learn about what the system does, how the code is laid out, areas of particular concern, etc.
- I spend the next day reading code and taking notes. Often I find bugs, but the real emphasis is on looking for those fundamental concerns like issues in the design or unnecessary complexity in the implementation.
- The next day, I have another call with the client where I walk them through my observations and suggestions.
Unlike an audit, we usually just have a single security engineer reviewing the code. We also usually do not provide a formal report. (For examples of what full audit reports look like, see our list here.) This is because reports take time to write, and we like to spend as much of our time as possible working with the client and reading code.
What have we learned so far?
I’ve conducted a handful of 1-day reviews so far. Some have been as a preliminary review before later conducting a full audit, and others have been standalone engagements.
One thing I’ve learned from my experience thus far is that better prepared clients get a lot more out of the process. If you can quickly get me up to speed and deliver clear code with useful comments, I can really hit the ground running. The less time I spend getting my bearings, the more time I have to get deep into the implementation.
I’ve also learned that the highest value I can provide is at the level of fundamental design. If I spot a few bugs, that’s certainly valuable. But it pales in comparison to when I can point out a way to delete a lot of code or make an important security property more obvious. Those sorts of fundamental improvements have wide-ranging benefits, including making it easier and less expensive to maintain and audit the code in the future.
Interested in a 1-day security review for your project? Get in touch with us!