How to Prepare for a Security Audit

CertiK | May 17, 2021

How to Prepare for a Security Audit

Security audits have cemented themselves as a necessary tool in the arsenal of every type of blockchain-based project when it comes to securing their protocol and, importantly, their user’s funds.

With the total value locked in DeFi alone exceeding $45 billion dollars in February of ‘21 it’s no surprise that we’ve seen the demand for smart contract security audits and penetration tests rise in parallel.

To prepare for an efficient security audit there are a number of best practices the security team here at CertiK recommends.

Outlining the Scope of your Audit and your Goal(s)

First things first, let’s ask ourselves two questions:

What will be audited?

How will the audit be performed?

Your responses to these questions will serve as the foundation for your audit moving forward. If your smart contract is being audited, do the full set of files require an audit, or only essential and unique functions? When it comes to penetration testing; whitebox or blackbox?

During the initial scoping call with the CertiK auditing team we’ll be discussing the following with our client:

  • Which module(s) is/are the most critical to your system?
  • What is the primary goal of this security audit/pentest?
  • Are there any particular attack scenarios you’re concerned with?

With your responses in hand, our dedicated team of security professionals will set to work designing a testing strategy and plan which targets the discussed areas, ensures optimization of resources, and, first and foremost, meets your needs.

Comprehensive Documentation

The first place any developer heads to when looking to understand a project is the documentation, and this is echoed with our auditing team, too.

A fundamental understanding of the architecture and design of the system enables our team to conduct an efficient deep dive into the codebase set to be audited. Documentation should be clear, comprehensive, and aim to explain how their systems work. It’s important this documentation is accurate, readable, and up to date in order to ensure the auditors can understand the intention behind the code.

Check out our ‘must-haves’ when it comes to documentation:

READ ME

Typically the first file someone looking to learn more about a project or repository opens. A text file containing essential information including the project description, as well as build and run instructions. Since the READ ME is often destination number 1 when checking out a project, it’s important to keep this clean and detailed in order to provide an excellent first impression.

Technical Document

An overview of the systems, the problem the project aims to solve, and the intended functionalities of the system’s components.

Code Comments

The basis of best practice when it comes to writing code. Ensuring your code is properly commented will assist the auditor in understanding the goals of the code as well as highlighting any potential problems it may contain. Code comments expedite and assist in the facilitation of the audit.

Quality of Code

Quality code can assist in ensuring an efficient audit. With a high-quality codebase, our auditors can focus on the code itself, rather than being preoccupied with attempting to uncover the meaning behind a particular code piece. Best practices for quality code include:

Style Consistency

Enforcing a consistent style of code allows auditors to rapidly understand the functionality of the code. To achieve consistency, it’s recommended to use linters to help analyze source code and flag programming errors, bugs, stylistic errors, and suspicious constructs. Developers can run a linter against the code to fix errors and such warnings.

Dispose of Redundant Code

As the development process ticks on, some snippets of code may become deprecated. For the developers writing the code the deprecated areas may be obvious, however, when it comes to an audit it may not be so clear for our auditing team. Disposal of redundant code and comments will prevent auditors from focusing on irrelevant details.

Leverage Dependencies which are Trusted and Up-to-Date

The pre-existing plethora of existing libraries which are pre-audited can, and should, be utilized when it comes to developing smart contracts or applications. Not only will this ensure more efficient code development, it will mitigate the risk of security issues arising.

However,the development world is fast-changing and ever-evolving, so do be vigilant when it comes to the security of your dependencies. Furthermore, assuring those dependencies and libraries are up-to-date is essential.

Testing: Round 1

Prior to the audit, please ensure that the code compiles and executes without error and performs as expected. This will assist in expediting the auditing process.

We implore you, our clients, to create unit tests to cover all functionalities of the system. Consider edge cases and error handling when developing these. Following this, the next step in the process is to create additional tests which target multiple components whilst considering and covering potential use cases from a more top-tier level. Always update the unit tests when the code is updated to ensure compatibility.

The testing process should be documented throughout. That includes test cases, the test plan, scenarios, and traceability matrix This will enable our auditors to develop a deeper understanding of your systems through detailed and thorough unit tests and relevant testing documentation.

Line up the Testing Target

Our auditing team requires a testing target to work on; typically this comes in the form of the smart contract which is undergoing the audit. When it comes to this aspect of the auditing process, clients are advised to:

Specify the Commit Hash

This enables our auditing team to ensure they’re auditing the appropriate codebase.

Please submit code that is ready, rather than code that is under development.

Deploy a Stable Testing Environment

If you’re seeking a pentest then it’s essential that you host the application to enable our pentesting team to conduct their analysis and tests. A stable testing environment will enable an efficient pentest, whereas an unstable environment with server issues can vastly hinder the timeline and overall process.

Ready to Secure your Project?

By following our preparation guide above you’ve already set your project or codebase up to be in an excellent position to undergo a quality, effective, and efficient security audit. In the blockchain and DeFi space, a security audit is now considered a security standard. Undergoing an audit will serve to protect your project, your community, and provide an additional layer of integrity to your codebase.

If you’re ready to get started then fly over to CertiK.io to request a quote. As soon as you’ve submitted the form one of our team members will reach out to you in due course.

Alternatively, drop an email over to bd@certik.io for more information.