Project Management Best Practices Checklist
Classification: Restricted
Stage: Publication stage (60)
Introduction:
The Web3 Security Framework Initiative is a collaborative effort to promote the adoption of best practices in web3 security. The initiative aims to minimize the risks associated with security vulnerabilities and hacks, which have become increasingly prevalent in the web3 space. Moreover, projects that demonstrate full compliance with our rigorous guidelines will earn an on-chain certificate recognized by all the AvengerDAO members on the BNB Chain ecosystem.
This document serves as a comprehensive checklist of the critical elements surrounding the web3 project management best practices.
| Item ID | Security Check | Criticality | Is Project Compliant? | Comments |
|---|---|---|---|---|
| 1 | Technology Selection | |||
| 1.1 | Certify the list of solutions the decentralized application is allowed to integrate and keep track of any vulnerability that might be detected. | High | ||
| 1.2 | Ensure the separation of roles in Web applications. The backend handles processing, external communication, key management, and integration, while the frontend displays data and manages user interactions. This separation improves efficiency, debugging, security, scalability, and supports multiple platforms, boosting development, protection, and adaptability. | Medium | ||
| 1.3 | Certification of a remediation plan for issues with Infrastructure, oracles, bridges, tech providers, etc. | High | ||
| 2 | Development Lifecycle | |||
| 2.1 | Design | |||
| 2.1.1 | Formally define the business case and the technical solution to address the problem to be solved. | High | ||
| 2.2 | Development | |||
| 2.2.1 | Ensure there are processes in place to track vulnerabilities in external dependencies. | High | ||
| 2.3 | Testing and Validation | |||
| 2.3.1 | Several testing strategies should be in place (unit testing, integration testing, regression testing as well as stress testing) in addition to web3 specific security testing including static and dynamic code analysis, fuzzing testing and formal verification on all business-critical scenarios. Such scenarios should be clearly documented and results should be validated in the project development lifecycle before the production release. | High | ||
| 2.3.2 | Stress testing scenarios [non-exhaustive]: Adverse market conditions, Adverse token price fluctuations, Issues with key inputs (eg. oracle pricing going offline, etc.), Edge-case/extreme event situations etc. Assess the impact on the project, other projects, and the overall ecosystem of these stress-testing scenarios. | High | ||
| 2.4 | Continuous Integration | |||
| 2.4.1 | Ensure continuous integration pipelines are in place and perform the unit, integration tests. | High | ||
| 2.4.2 | Make certain that the continuous integration process incorporates rigorous security tests. Include techniques such as Static and Dynamic Application Security Testing (SAST & DAST), Interactive Application Security Testing (IAST), and regular Security Scanning. Utilize a selection of these methods to ensure maximum efficiency and efficacy of the security inspections. | High | ||
| 2.5 | Deployment | |||
| 2.5.1 | Certify the correctness of the deployment scripts and that they include automatic publication (verification) of the smart contract code on the blockchain explorer. | High | ||
| 2.5.2 | Make certain to validate the source code for smart contracts on the appropriate blockchain explorers for the specific chain where projects are deployed. For example, when deploying on BSC, follow the guide for contract verification programmatically provided in this link. | Medium | ||
| 2.6 | Monitoring | |||
| 2.6.1 | Ensure the capacity of the project to monitor on-chain the project smart contract activity once the deployment is complete. | High | ||
| 2.6.2 | In case of an unexpected event such as funds being siphoned, an alert system should be triggered and the project's point of contact should be notified. | High | ||
| 3 | Decentralized Application | |||
| 3.1 | Web2 Stack | |||
| 3.1.1 | Infrastructure | |||
| 3.1.1.1 | Ensure operations guidelines for infrastructure management and incident response are in place. This could include examples such as emergency failover procedures, disaster recovery strategies, and incident triage process documentation. Reference or link to appropriate documentation and scenario-based solutions for managing common or high-impact issues. | High | ||
| 3.1.1.2 | Ensure the implementation of secure infrastructure security best practices.This includes practices such as adhering to the Principle of Least Privilege (PoLP), which limits user and system privileges to only what is necessary. Regularly patching and updating systems help safeguard against known vulnerabilities. Additional protective measures include implementing firewalls and Intrusion Detection/Prevention Systems to track and block suspicious network activity. Data encryption at rest and in transit is also essential to prevent unauthorized access. Furthermore, initiating multi-factor authentication (MFA) adds an extra layer of security access to systems. | High | ||
| 3.1.2 | Network | |||
| 3.1.2.1 | Ensure sufficient network security, using firewalls and DDoS attack prevention mechanisms. | High | ||
| 3.1.3 | Software Security | |||
| 3.1.3.1 | Ensure the security of frontend and backend applications using testing, and static and dynamic code analysis, and are free of any OWASP vulnerabilities. | High | ||
| 3.1.3.2 | Ensure RPC and API endpoints are properly configured and secured, via access control, authorization, and authentication. | High | ||
| 3.1.4 | Cryptographic Keys Secure Storage | |||
| 3.1.4.1 | Use secure means for storing cryptographic keys and seed phrases such as Hardware Security Modules and Key Management Services. | High | ||
| 3.1.5 | Secured Equipment | |||
| 3.1.5.1 | Establish a policy to guarantee that all personnel utilizes secure devices equipped with essential firewall and antivirus security measures. | High | ||
| 3.2 | CVEs and Tech Stack | |||
| 3.2.1 | Implement a procedure for regularly monitoring and addressing new Common Vulnerabilities and Exposures (CVEs) across the entire technology stack. | High | ||
| 3.3 | General Security | |||
| 3.3.1 | Establish mechanisms to ensure the protection and maintenance of service availability, confidentiality, and integrity through certifiable means. | High | ||
| 3.4 | Risk Management | |||
| 3.4.1 | Put in place a strategy to adhere to established industry standards, such as ISO 27001, NIST Cybersecurity Framework, etc. | High | ||
| 3.5 | Transaction signing | |||
| 3.5.1 | To reduce surface attacks on private keys and prevent their leakage, ensure that all project-related transactions and transactions generated for customer custodian wallet are signed offline. | High | ||
| 4 | Web3 Stack | |||
| 4.1 | Wallet interface | |||
| 4.1.1 | Ensure transactions appear clearly in the user's wallet prior to signing, ensuring readability and transparency, and preventing the signing of undesired transactions. Make certain the details of transactions, such as From address, To address, and Funds balance change, are clearly decipherable. Use wallet applications or 3rd party extensions that can render the transaction information in an understandable format. | High | ||
| 5 | Training | |||
| 5.1 | Implement a comprehensive training program to ensure that all personnel are regularly updated on the latest security concepts and best practices. The training program should identify the training needs and set clear learning goals. Develop actionable training content tailored specifically to staff roles and levels of experience. Choose an appropriate delivery method, such as online modules or in-person workshops, for the training content. Finally, implement the program and organize its logistics, ensuring easy access and a suitable schedule for all personnel. Evaluate outcomes regularly and adjust the program as needed to ensure continual learning and improvement. | High | ||
| 6 | Audit | |||
| 6.1 | To enhance the project security maturity, it is recommended to conduct periodic security audits with reputable security firms. As a guideline, carry out security audits quarterly, enlisting specialized firms like Trail of Bits, ConsenSys Diligence, or OpenZeppelin. The audit report should include an executive summary, the audit's scope, methodology deployed, a detailed report of findings ranked by their severity, as well as the conclusion. These reports help track the project’s security standing and ensure a constant framework for necessary enhancements. | High | ||
| 6.2 | Certify that all audit recommendations are implemented. To implement audit recommendations, start by reviewing and prioritizing them based on severity and impact on the platform's security. Assign measures to teams with clear understanding and timelines. Regularly monitor progress and troubleshoot roadblocks. Following implementation, reassess the platform's security to ensure all vulnerabilities are effectively addressed, thus maintaining consistent high security standards. | Critical | ||
| 7 | Tokens | |||
| 7.1 | Implement a mechanism for continuously monitoring the project liquidity, including the health of DEX liquidity pools and the security of the platforms where the token is traded, to ensure the viability and stability of the token economy. | High | ||
| 8 | External Parties | |||
| 8.1 | The list of dependencies of external projects should be clearly documented and updated over time. Eg: wrapped assets, vaults/farms, multi-protocol dependencies, libs (Openzeppelin) oracles (BNB, Chainlink), Dex for liquidity. This documentation needs to include the dependency's name, version, role, relevant links, and contact points. Regular updates to this document should be made every time there is an addition, removal or change in a dependency. Periodically reviewing this document for accuracy and any necessary updates or vulnerability checks is also crucial to maintain a clear and updated overview of the project's dependencies at all times. | High | ||
| 8.2 | Verify there are channels of communication existing with external parties and partners. Start by identifying who these entities are. Define the specific communication mediums used with each and ensure there are assigned points of contact for continuous management. Create a proactive and agreed-upon communication strategy for timely sharing of essential information. Regularly test these channels for their effectiveness, and adjust as necessary to maintain productive communication and collaborative relationships. | High | ||
| 8.3 | Projects should not only rely on notification and communication because of delays, it becomes fundamental they also monitor on-chain dependencies. Partners should be able to provide means to do so. | High | ||
| 9 | Change Management | |||
| 9.1 | Set firm guidelines for roles and responsibilities pertaining to the governance, management, and security of smart contracts, funds, and internal systems. This will aid in accountability and informed decision-making. Hold each person accountable for their roles to boost effective decision-making. Use monitoring utilities for performance tracking and activity logs, facilitating effectiveness evaluations. Tools can encompass security trackers, system monitors, and performance management systems. Such a strategy boosts operation optimization and effective decision-making by accurately defining, assigning, and overseeing each role. | High | ||
| 9.2 | Verify the existence of a process to make changes in a timely manner, with the chain of internal validation. | Medium | ||
| 9.3 | Additionally, establish a tested and reliable process for safely resolving production issues, enabling prompt corrective action to be taken with confidence, and following an internal chain of validation to ensure prompt and effective resolution. | High | ||
| 10 | Incident Response | |||
| 10.1 | Incident Response for External Causes | |||
| 10.1.1 | Verify that channels work both ways and that your project is aware of the means of communication of your external partner in case they suffer from an incident. | High | ||
| 10.1.2 | Certify that remediation protocols are in place in case external partners suffer severe business impact. eg: hack. | High | ||
| 10.2 | Incident Response for Internal Causes | |||
| 10.2.1 | Ensure that partners with critical dependencies are aware of your security processes and if they have to participate in the project's incident response activity. | High | ||
| 10.2.2 | Certify that internal teams and external dependencies have rehearsed incident response protocols, where they perform their expected role. | High | ||
| 10.2.3 | It is recommended for projects to put in place means for responding automatically to monitoring alerts of potential hacks to try to prevent an attack, without impacting the business.. | High | ||
| 10.3 | Communication | |||
| 10.3.1 | Ensure the existence of dedicated channels to communicate with the community and partners about unexpected events in a timely manner. | High | ||
| 11 | Post Incident | |||
| 11.1 | Certify the existence of a process for the establishment of a post-mortem following major unexpected events such as hacks, service unavailability, etc. The template commonly includes the following sections: 1) Event Overview: This includes details of when the incident occurred, the duration of the issue, and a brief summary of the event. 2) Impact Analysis: This section explains the overall impact of the event on the services, systems, or customers. 3) Timeline of Events: This is a detailed account of the incident from the moment it happened until it was resolved. It's important to document all the steps that were taken during this period. 4) Findings: This section can include logs, reports, or other data that shed light on the root cause of the incident. 5) Root Cause Analysis: This is a detailed analysis of why the event took place and the deficiencies that led to it. 6) Corrective Actions Taken: Here, list the immediate steps taken to mitigate the effects of the incident. 7) Preventive Measures and Recommendations: This is a crucial section that identifies actions that should be taken to prevent similar occurrences in the future. | High |