Dev-Talk #3 Liz Steininger: Decoding Web3 Security & Privacy
How to distinguish a good auditing company from a bad one?
What if an auditor intentionally withholds bug info found in an audit?
In this talk with Liz Steininger, we cover the importance of security audits in the blockchain and web3 space, the shifting landscape of blockchain auditing, and more!
Liz Steininger is an experienced entrepreneur with over 6 years as the CEO of Least Authority, where she has grown the company into a leading security auditing firm and builder of privacy-enhancing technology products. She has over 22 years of experience in the tech industry, working as a Project Manager, Program Manager and Analyst on numerous open source projects in both private companies and public organizations.
Dev-Talks is hosted by HaCKBee, where we chat with blockchain developers, tech enthusiasts, and experts, uncovering the latest in blockchain technology, innovation, and tech trends through engaging conversations.
Transparency and Privacy Advocacy: From Nonprofit Support for Open-Source to Security Auditing
Liz, CEO of Least Authority, shares her journey into the space, beginning at the Open Technology Fund, a nonprofit that received government funding to support open-source projects advancing internet freedom. Later, she became involved with Least Authority.
Involvement in the early stages of Signal, an encrypted instant messaging application.
Interconnectedness of privacy and security, particularly in communication tools.
Least Authority is on a mission to advance technology for privacy through security, with a team of 30, including researchers and engineers.
Challenges and Strategies for Privacy-Enhancing Technologies
Evolution of privacy awareness, which has shifted from a minor concern to a significant one over time.
Understanding the challenges of convincing people to change their habits and prioritize privacy in their day-to-day lives.
Exploration of whether the adoption of privacy-enhancing technologies will naturally grow over time or require active promotion.
Acknowledgment that there is no single solution to privacy adoption, with a need for a combination of regulation, improved tools, and different business models.
Navigating Security Audits for Diverse Blockchain Projects
Despite project diversity, fundamental security principles remain consistent.
Utilizing a team with diverse backgrounds and skills to effectively address the unique challenges of each project.
Audits in Web3 vs. Web2: Different Trust Models, Ethos, and Business Values
The Web3 ethos, and the practical necessities of the space, emphasize decentralization, privacy, and transparency.
Shift in trust model from centralized entities in Web2 to the technology itself in Web3.
Importance of open source code and of publishing audit reports in the Web3 ecosystem.
Evolving Landscape of Security Audits in Blockchain
Audits are now seen as marketing tools by many companies, but they should be more than just a checkmark.
Industry needs to find ways to educate users about security audits beyond just a pass/fail result.
Audit firms should take responsibility for missed vulnerabilities in audited projects, potentially financially.
Auditing companies may learn from other industries, such as insurance, and their approaches to handling risk, with potential collaboration to align incentives and avoid conflicts of interest.
Acknowledgment of the complexity of audit reports and the challenge of making this information understandable for everyday users.
Q&A
Should an auditing firm take (some) responsibility if the audited project is exploited later?
How to tell a good auditing firm from a bad one?
What if an auditor intentionally withholds information about bugs found during an audit?
Do you find yourself leaning towards a particular blockchain architecture?
What's your experience in managing a globally remote team? How to keep the team connected?
Any L2 projects on LA's audit list? What's your definition of L2? Can Stacks be considered in this category?
How do you approach incremental or continuous auditing? How is the process?
What features or practices would you like to see more, or less, in the realm of blockchain auditing?
Any cool cryptographic ideas or tools you find intriguing?