Skip to main content

Project Management

Classification: Restricted

Stage: Enquiry stage (40)

Introduction:

The Web3 Security Framework Initiative is a collaborative effort to promote the adoption of best practices in web3 security. The initiative aims to minimize the risks associated with security vulnerabilities and hacks, which have become increasingly prevalent in the web3 space. Moreover, projects that demonstrate full compliance with our rigorous guidelines will earn an on-chain certificate recognized by all the AvengerDAO members on the BNB Chain ecosystem.

This document serves as a comprehensive checklist of the critical elements surrounding the web3 project management best practices.

Item IDSecurity CheckCriticalityIs Project Compliant?Comments
1Technology Selection
1.1Certify the list of solutions the decentralized application is allowed to integrate and keep track of any vulnerability that might be detected.TBD
1.2Ensure the separation of roles of your Web application, most processing, external communication, management of keys, and solution integration should be done in the backend application, leaving the frontend for displaying backend data and managing user interaction and inputs.TBD
1.3Certification of a remediation plan for issues with Infrastructure, oracles, bridges, tech providers, etc.TBD
2Development Lifecycle
2.1Design
2.1.1Formally define the business case and the technical solution to address the problem to be solved.TBD
2.2Development
2.2.1Ensure there are processes in place to track vulnerabilities in external dependencies.TBD
2.3Testing and Validation
2.3.1Several testing strategies should be in place (unit testing, integration testing, regression testing as well as stress testing), at least for the business-critical scenarios. Such scenarios should be clearly documented and results should be validated in the project development lifecycle before the production release.TBD
2.3.2Stress testing scenarios [non-exhaustive]: Adverse market conditions, Adverse token price fluctuations, Issues with key inputs (eg. oracle pricing going offline, etc.), Edge-case/extreme event situations etc. Assess the impact on the project, other projects, and the overall ecosystem of these stress-testing scenarios.TBD
2.4Continuous Integration
2.4.1Ensure continuous integration pipelines are in place and perform the unit and integration tests.TBD
2.4.2Ensure security tests are also part of the continuous integration process.TBD
2.5Deployment
2.5.1Certify the correctness of the deployment scripts.TBD
2.5.2Verify smart contracts on blockchain explorers for the specific chain the projects are being deployed.TBD
2.6Monitoring
2.6.1Ensure the capacity of the project to monitor on-chain the project smart contract activity once the deployment is complete.TBD
2.6.2In case of an unexpected event such as funds being siphoned, an alert system should be triggered and the project point of contact should be notified.TBD
3Decentralized Application
3.1Web2 Stack
3.1.1Infrastructure
3.1.1.1Ensure operations guidelines are in place for infrastructure management and incident response.TBD
3.1.1.2Ensure the implementation of secure infrastructure security best practices.TBD
3.1.2Network
3.1.2.1Ensure network security thanks to firewalls and DDoS attack prevention mechanisms.TBD
3.1.3Software Security
3.1.3.1Ensure the security of frontend and backend applications using testing, and static and dynamic code analysis, and are free of any OWASP vulnerabilities.TBD
3.1.3.2Ensure RPC and API endpoints are properly configured and secured, via access control, authorization, and authentication.TBD
3.1.4Cryptographic Keys Secure Storage
3.1.4.1Use secure means for storing cryptographic keys and seed phrases such as Hardware Security Modules and Key Management Services.TBD
3.1.5Secured Equipment
3.1.5.1Establish a policy to guarantee that all personnel utilizes secure devices equipped with essential firewall and antivirus security measures.TBD
3.2CVEs and Tech Stack
3.2.1Implement a procedure for regularly monitoring and addressing new Common Vulnerabilities and Exposures (CVEs) across the entire technology stack.TBD
3.3General Security
3.3.1Establish mechanisms to ensure the protection and maintenance of service availability, confidentiality, and integrity through certifiable means.TBD
3.4Risk Management
3.4.1Put in place a strategy to adhere to established industry standards, such as ISO 27001, NIST Cybersecurity Framework, etc.TBD
3.5Transaction signing
3.5.1To reduce surface attacks on private keys and prevent their leakage, ensure that all project-related transactions and transactions generated for customer custodian wallet are signed offline.TBD
4Web3 Stack
4.1Wallet interface
4.1.1Ensure transactions appear clearly in the user's wallet prior to signing, ensuring readability and transparency, and preventing the signing of undesired transactions.TBD
5Training
5.1Implement a comprehensive training program to ensure that all personnel is regularly updated on the latest security concepts and best practices.TBD
6Audit
6.1To enhance the project security maturity, it is recommended to conduct periodic security audits with reputable security firms.TBD
6.2Certify that all audit recommendations are implemented.TBD
7Tokens
7.1Implement a mechanism for continuously monitoring the projected liquidity, including the health of DEX liquidity pools and the security of the platforms where the token is traded, to ensure the viability and stability of the token economy.TBD
8External Parties
8.1The list of dependencies of external projects should be clearly documented and updated over time. Eg: wrapped assets, vaults/farms, multi-protocol dependencies, libs (Openzeppelin) oracles (BNB, Chainlink), Dex for liquidity.TBD
8.2Verify there are channels of communication existing with external parties and partners.TBD
8.3Projects should not only rely on notification and communication because of delays, it becomes fundamental they also monitor on-chain dependencies. Partners should be able to provide means to do so.TBD
9Change Management
9.1Establish clear definitions for roles and responsibilities regarding the governance, management, and security of smart contracts, funds, and internal systems to ensure accountability and effective decision-making.TBD
9.2It is common to find unexpected behaviors in a piece of software, and verify the existence of a process to make changes in a timely manner, with the chain of internal validation.TBD
9.3Additionally, establish a tested and reliable process for safely resolving production issues, enabling prompt corrective action to be taken with confidence, and following an internal chain of validation to ensure prompt and effective resolution.TBD
10Incident Response
10.1Incident Response for External Causes
10.1.1Verify that channels work both ways and that your project is aware of the means of communication of your external partner in case they suffer from an incident.TBD
10.1.2Certify that remediation protocols are in place in case external partners suffer severe business impact. eg: hack.TBD
10.2Incident Response for Internal Causes
10.2.1Ensure that partners with critical dependencies are aware of your security processes and if they have to participate in the project's incident response activity.TBD
10.2.2Certify that internal teams and external dependencies have rehearsed incident response protocols, where they perform their expected role.TBD
10.2.3It recommends projects that have the means to stop an attack and fix the issue without impacting the business.TBD
10.3Communication
10.3.1Ensure the existence of dedicated channels to communicate with the community and partners about unexpected events in a timely manner.TBD
11Post Incident
11.1Certify the existence of a process for the establishment of a post-mortem following major unexpected events such as hacks, service unavailability, etc.TBD