Request for Input: Securing the Zcash Ecosystem

We need to separate privacy from security in this conversation.

Security is not all about testing. In fact, security testing is pretty useless to make software secure (odd thing to say about my own job, but it is true)

This post is about security specifically.

You can only get secure software from secure design and defensive/secure coding. Security testing is meant to verify this has been done.

I think @zebambam put it best with this entire post. I dont want to quote it all, but please read it again. - Application for Major Grants Review Committee - #41 by zebambam

Security has to start with Security Engineering and Security Research, the whole time being supported by Security test. - I have a few ideas, zcash is in a slightly different and much better position than most.

Ive been trying for ages. Hopefully you will have more luck. (in fact I think i had a massive whine about it - not like me, huh.

Also this:

@holmesworcester may I suggest that whoever is in on those calls/comms has at least one person who knows about these types of companies, testing and reporting and can speak the same language.

This is in very early stages, but I would like to see a zcash test dept, that covers this sort of thing as well as milestones, signoff on features, test plans, test cases, etc. I am not sure of the logistics of this yet.

Other companies - Yes, contact me via PM. I dont want to advertise companies I dont work with or dox the ones I do.

Thinking more on this makes me think we need to do this ourselves (the finding the right companies) - bambams post I linked reminded me of a few conversations.

If we give XYZ company who does do crypto and other pentesting the jb of finding pentest teams and specialists, we are just going to pay 3 times for contractors. we want to be establishing long term knowledge if possible.

We have at least two “internal” development teams and no “internal” test team. - who does the testing out of interest?

kinda, its saying you cant retrofit security and if it wasnt developed with security in mind and constant minor security tests (Alongside the normal unit test ) you will spend a lot of money and have made nothing secure

It feels (not specifically you) that people think security is a testing job - whilst testers imho make the best researchers they dont make the best security engineers.

When I keep referencing “Requirements based testing” thats because it is the only way to have accountability - but its a nightmare for dev teams. and we want to be agile, and work with as many teams as possible, so it would, imho be a full time job working and testing (remember at this point all testing is security testing) and then using that to develop a software design plan that can be scrutinised by 3rd parties. (note, document not program). and worked into test cases, unit tests, test plans and milestone signoffs.

oh and you can automate a lot of this. so maybe before approaching someone like NCC, sit and have a private voice chat with myself, bambam and earthrise (if they are willing).

What does the new @ZcashGrants think about this idea?

Is it something you are still interested in following up on? I am, and I am pretty sure @earthrise is too.

Id be happy to help get the ball rolling.

Thank you for following up on this grant idea from last year.

We will discuss it at our biweekly meeting next week and come back to you.

Thanks for bumping up the need for security/pentest/review of ecosystem projects like wallets, infrastructure, explorers, and zapps!

The @ZcashGrants team has itemized and prioritized several RFPs such as this one. We plan to discuss and contract out the works to security experts possibly after the NU5 upgrade to make sure the updated software in the Zcash ecosystem is compliant on all fronts.