
Blockchain testing services

Blockchain technology is a decentralised and distributed ledger system that enables secure and transparent record-keeping of transactions across a network of computers. Every component of such a system can, and must, be tested for security vulnerabilities, and the appropriate methodology depends on which component is under test.

LRQA Nettitude stands out for its extensive experience, notably in source code review and application testing, a proficiency that is seamlessly extended to blockchain technologies.

LRQA Nettitude’s Blockchain testing service offering

Source code offering

A thorough examination of the smart contract’s source code is conducted to identify coding errors, security vulnerabilities, and potential issues. This involves checking the logic, data flow, and adherence to best practices. LRQA Nettitude utilises the following testing methodology for smart contracts:

Discovery phase

This initial phase involves understanding the functionality and interplay of smart contracts. We conduct in-depth Q&A sessions with developers to gain insights into the contract’s purpose and behaviour.

Static code review

We perform manual source code review to identify potential weaknesses and vulnerabilities. This includes examining the logic, data flow, and adherence to best practices. Additionally, we leverage automated static application security testing (SAST) tools to augment our analysis.

Dynamic code review

In this phase, we interact with the smart contract by executing unit and functionality testing scripts. We also develop proof-of-concepts and exploit code to assess the contract’s resilience to attack.  

Fuzzing the smart contracts

We employ fuzzing techniques, including single and multi-transaction fuzzing, parameter fuzzing, invariant fuzzing, and differential testing, to identify potential vulnerabilities and weaknesses in the contract’s implementation.

Steps two to four (static code review, dynamic code review and fuzzing) are executed concurrently, with the findings of each phase feeding into the others.

Decentralised Application

A Decentralised Application (DApp) serves as the user-facing component, allowing end users to interact with the application in a decentralised network. It can manifest as a web application, a mobile app, or, in certain instances, a robust standalone application. At LRQA Nettitude, we employ a comprehensive testing approach to ensure the security and functionality of DApps across various components:

OWASP Top 10

We conduct OWASP Top 10 vulnerability assessments tailored to the decentralised environment, including Cross-Site Scripting (XSS), Cross-Origin Resource Sharing (CORS) issues, Cross-Site Request Forgery (CSRF), and others.

Wallet interactions

We rigorously test wallet interactions, including message signing processes, to ensure the integrity and security of transactions. This involves verifying cryptographic protocols and key management practices.

Third-party libraries & decentralised storage

We assess the security of third-party frameworks and libraries used in DApp development, as well as the robustness of decentralised storage solutions. 

Mobile application testing

We evaluate the security of mobile DApp clients, focusing on authentication mechanisms, secure storage of sensitive data, and mitigation of weak pseudo-random number generation (PRNG) vulnerabilities.

Backend testing

We assess the security of back-end and console applications that support DApp functionality, including API endpoints, server-side processing, and data validation mechanisms.

Infrastructure testing

Like any other software, blockchains depend on an underlying infrastructure for their operation. It may be a private blockchain or a service operating on a public blockchain. Each of these components also requires thorough testing. At LRQA Nettitude, we test the individual infrastructure components to identify vulnerabilities and ensure the integrity of blockchain systems. Our infrastructure testing encompasses the following key areas:

Node testing

We assess the security and reliability of individual blockchain nodes, including both full nodes and lightweight clients. This involves examining node configurations, verifying software versions, and conducting vulnerability assessments.

Network configuration review

We review network configurations, including peer-to-peer (P2P) connections, firewall settings, and network topology. This involves identifying misconfigurations, validating network segmentation, and assessing access controls. We can review the configuration for:

  • Ethereum Clients: Geth, Besu, Nethermind
  • Consensus Clients: Lighthouse, Prysm, Teku

External infrastructure testing

We conduct external infrastructure testing, including penetration testing of network nodes, vulnerability scanning of external-facing services, and review of firewall configurations. This involves simulating real-world attack scenarios to identify and remediate external-facing vulnerabilities.

Blockchain testing deliverables

LRQA Nettitude emphasises the importance of ensuring a thorough understanding of the engagement deliverables. LRQA Nettitude provides both a public-facing report and a private report for comprehensive transparency and confidentiality. The technical reports are presented as PDF documents featuring a thorough enumeration of issues categorised by their severity levels. Each finding comprises a concise summary, a detailed technical description of the problem, and recommendations for remediation. Furthermore, exploit code and proof-of-concepts are provided alongside the reports for comprehensive understanding and validation of identified vulnerabilities.

Active communication throughout

Throughout the engagement, we maintain active communication with you and your developers to gain deeper insights into your specific needs. Upon conclusion of the engagement, a comprehensive debrief session is conducted to assist in the remediation process or to clarify any critical technical aspects. After addressing identified issues, you have the option to schedule a retest to verify that the corrections effectively remediate the issues and do not introduce any new ones.

The World Leader in CREST Accreditations

We are proud to be the only organisation in the world with a full suite of CREST accreditations (CREST – The Council of Registered Ethical Security Testers).

Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organisation to be CREST accredited for our Security Operation Centre services.

Protect your Organization with LRQA Nettitude’s Award-Winning Cybersecurity Services

Speak to one of our cybersecurity experts now…