This is my personal view on what steps someone should take to get a grasp on “Web3 security” and also to have an appropraite mental framework for security in general. It is not meant to be comprehensive, but only to give you the tools to get a reasonable grasp of the landscape, so much so that you can make good personal decisions for yourself on where you’d like to go.
KERNEL Security presentation as an intro and mindset
I used to run the Security track of the KERNEL program, and a part of that curriculum was an introduction to the security landscape done by me. It is meant to teach people the general landscape of security within web3, a mental model for thinking about security in general, and some thoughts on how the Web3 security landscape is differentiated from the traditional one. The video can be found below along with the slides:
Secureum
If smart contract security and the Etehreum Virtual Machine (EVM) are your target, then you should start by going through the free and outstanding content created by Rajeev at Secureum [TOO ADD LINK LATER]. If your goal is to become an auditor, or of equal prowess as someone who can perform a security assessment, then this is most definately your first step. I would also say that if you are not capable of getting through a RAID after going through the material, then you should not ever consider yourself an auditor, or market yourself as one.
Disclosure: I previously worked with Rajeev at Status, and he left me (regretably) to pursue the creation of Secureum, which I encouraged. I was around at the beginning of Secureum and partially contributed to the review of the initial curriculum. I am also a mentor (mostly in name and not contribution at this point) to the program. I have never received any monetary benefits for my participation or “shilling” of the program, it’s just good and I admire that.
My main critique of the program is that it focuses only on Smart Contract security, and the landscape of security is much larger than that. The reasoning as to why is sound though: Rajeev is but one man and the breadth and continued maintenance work of just that field is expansive, especially considering the popularity of the program.
Next steps
Once you have proven to have strong understanding of the fundamentals of Solidity Smart Contracts and the EVM, then there are many routes that are possible to take. Secureum has mentors from across the entire industry that are eagerly waiting to snatch new and competent talent.
One of the great consequences of the openness of web3 is the creation and prevalence of high-value bug bounty programs. Companies who have software and contracts that need continuous monitoring will post their scope and associated payout information for found vulnerabilities and allow anyone to disclose what they find for profit (assuming it passes the bar of quality, severity, and reproduceability). Furthermore, these platforms will have regularly cadenced contests that can be participated in.
No only do these programs give you valueable experience in looking for real issues that affect companies today, but they also allow you to make real money (if you find things) and potentially boost your online persona and portfolio of experience to propel yourself into a new career move. It should be noted that this is a highly competitive field, and difficult. This should not be a “very easy thing” for most people, and will require a lot of work that doesn’t get paid out. Consider this education and training.
These programs include (in no particular order):
- Spearbit’s Cantina platform (Disclosure: I’m an advisor)
- Immunify
- Trail of Bits (??)
- Hacken
- Sherlock
- Tenderly
In short, join the communities of the people you aspire to be like and learn from them. This industry is incredibly accepting and helpful when genuine people seek help and encouragement.