Picture this: you work at an enterprise, with a traditional IT organisation, mostly comprised to people that have been with the company for many years and manages lots of Personal and Non Personal Accounts on multiple platforms. There is this new thing called DevOps and it seems to match the Scrum methodology your developers like. So you decide to reorganize to DevOps. Some of your older employees don't want to make the transition with the attached challenges to the way they work and decide to take an early retirement This forces you to source some of the technical support functions to your offshore ventures in Eastern Europe. At the same time you want to make the new DevOps teams responsible for the entire stack, spreading the responsibility for account management to multiple teams. And after blinking twice you suddenly find you have several thousand of Non-Personal Accounts around that nobody seems to own or know what they are for. And nobody dares to delete them, because maybe you need them for some process that runs only once a year. Obviously this would never happen to you, right? But it happened to us and it could happen to you too!
In this talk, we explain how we drained the swamp and got back in control over our NPA's. It involves good old fashioned detective work, password vaults, smart repositories connecting different data sources, some automation and some bold decisions.
Key takeaways:
In recent years we have seen a great deal of attention to the topic of security analysis in smart contracts, especially those developed for the Ethereum blockchain. Hence, it seems there is an ever-growing demand for secure smart contracts to protect what could potentially be worth billions. In this work, I introduced Etherolic as a robust, scalable and efficient tool for performing precise security analysis on smart contracts. This tool works based on a successful combination of dynamic taint tracking (DTA) and concolic testing that allows users to analyze the bytecode of smart contracts being run on the Ethereum Virtual Machine. Therefore, Etherolic is not only able to identify a wide spectrum of vulnerabilities but also generates precise exploits to trigger unknown vulnerabilities in the contracts. In order to demonstrate the usefulness of the approach, I evaluated Etherolic on a crafted benchmark suite, comprising 12 real-world and synthetic contracts along with 98 safety features. The result of the evaluation reveals 204 hidden security violations in the benchmarks.