Blockchain Security Series 14 - Frederik Svantes (Security research lead @ Ethereum Foundation)

Blockchain Security Series 14 - Frederik Svantes (Security research lead @ Ethereum Foundation)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)

Topics discussed:

- 00:00 - Intro

- 01:13 - How you started with computers and programming

- 02:41 - Working in Blizzard Entertainment

- 08:12 - Red and blue teams

- 14:19 - Incident response: What should web3 security learn from web2 industry?

- 18:57 - Planned and unplanned war rooms

- 22:58 - Communication mistakes during incident response

- 29:18 - Operational security

- 36:38 - Security awareness

- 39:19 - Social Engineering

- 42:51 - Role at Ethereum Foundation

- 45:38 - EF Bug Bounty Program

- 47:18 - Bounties for the execution and the consensus layer

- 49:01 - Most common types of vulnerabilities reported.

- 51:20 - Vulnerability disclosure process.

- 54:04 - Ethereum Protocol Attackathon with Immunefi.

- 59:39 - Blockchain monitoring and live threat detection.

- 01:01:46 - The future of the security in Ethereum: main challenges

- 01:06:29 - Balance between daily work and technical research

- 01:08:19 - Programming as a skill to be a blockchain security researcher?

- 01:12:16 - Favorite conferences and events

- 01:14:19 - Final thoughts

Summary:

In the 14th episode of the podcast, Fredrik Svantes, Security Research Lead at the Ethereum Foundation, shares his journey from his early days in computers and programming, through his time at Blizzard Entertainment, to his transition into the Ethereum ecosystem. In this discussion, he provides valuable insights into operational security within the blockchain space, emphasizing the crucial role of incident response, preparedness, and the growing need for security awareness and best practices.

Fredrik also explores the significance of social engineering in cybersecurity and outlines the key responsibilities of the protocol security team at the Ethereum Foundation. This team is dedicated to protecting the Ethereum network and ensuring effective coordination of security efforts across various client teams. Fredrik discusses the Ethereum bug bounty program, shedding light on the management challenges and highlighting common vulnerabilities reported, such as denial-of-service attacks. He underscores the importance of clear communication and transparency in the vulnerability disclosure process. Looking forward, Fredrik shares his perspective on the future of Ethereum’s security and the challenges the network will face as it continues to evolve.

Takeaways:

• He emphasizes the importance of incident response preparedness and conducting regular exercises to ensure a calm and effective response

• In the blockchain ecosystem, there is a need for increased focus on operational security, including securing front-ends, infrastructure, and private keys

• Security awareness and best practices should be tailored to specific roles and responsibilities within a project or organization. Social engineering is a critical aspect of cybersecurity.

• The protocol security team at the Ethereum Foundation focuses on ensuring the security of the Ethereum network and coordinating security between client teams.

• The bug bounty program is an essential part of vulnerability disclosure, and it helps identify and fix vulnerabilities in the Ethereum network.

• Communication in security and public disclosure are crucial in the vulnerability disclosure process, and the Ethereum Foundation follows a phased approach to disclosure.

• Blockchain monitoring and live threat detection are valuable tools in identifying and responding to security threats in the Ethereum ecosystem.

• The future of security in Ethereum lies in expanding the number of experts in protocol security and addressing the challenges posed by the evolving roadmap.

• Programming skills are not necessarily required to be a blockchain security researcher, but having an understanding of programming and the associated risks is important.