Ever since the $1.4 billion ByBit / Safe hack earlier this year, web3 security has had a big wake-up call about its web2 security blind spot. Before that incident, traditional web2 security was viewed as obsolete, irrelevant, a nuisance, not a priority. But the compromise of a Safe developer’s laptop led to the compromise of an internal CI/CD pipeline, the publication of a malicious frontend, and subsequent catastrophic financial impact.
Now we see vendors popping up here and there offering “vCISO” services. The problem? They don’t know anything about web2 security. I had a “vCISO” tell me recently they “don’t do web2 security.”
Come again?
Web3 sits on top of the web2 stack. If all you know is web3 then you are sitting on top of an iceberg ignoring 90% of your attack surface.
A couple of years ago I attended the DeFi Security Summit, and I chatted with a young smart contract auditor who introduced himself as a “web3 native security engineer”.
What does that mean, I asked?
He could not discuss internet security, TCP/IP, the OSI layer model (or its criticisms), cryptography, operating system security, browser security, or really anything other than Solidity application security. Oh, and this person proudly named the extremely large salary they made.
Now, web3 needs great smart contract auditors, and great code auditors more generally. But you aren’t a “vCISO” if you “don’t do web2 security.” That’s like saying you’re a fractional CFO but don’t do accounts payable, or you’re a fractional General Counsel but don’t do contracts. It’s ridiculous.
Do better. You may be an awesome, world-class code auditor or application security engineer. But the CISO job is a whole-of-company risk management function, covering a vast array of web2 security components, not just web3 application security and its discontents.