The 2023 Shanghai Blockchain International Week·Blockchain Global Summit hosted by Wanxiang Blockchain Lab opened today. Guests include Xiao Feng, Chairman of Wanxiang Blockchain; Qiu Dagen, Member of the Legislative Council of the Hong Kong Special Administrative Region (Technology Innovation Circle); Ren Jingxin, Chief Executive Officer of Hong Kong Cyberport Management Co., Ltd.; and others. **As the industry’s leading Web3 security agency, CertiK attended the summit’s “Web3 Cornerstone: Security and Privacy” roundtable discussion.** Professor Li Kang, Chief Security Officer of CertiK, actively discussed with representatives of other Web3 security institutions how to create a more secure Web3 future.
The following content is the transcript of Professor Li Kang’s roundtable speech:
Host:
What do you think of the current development of the Web3 industry, and the positioning and significance of Web3 security and privacy in the development of the Web3 industry?
Professor Li Kang:
The entire Web3 industry is in its early stages, but it is also a development stage. For users, the usability of Web3 has huge room for improvement. Because the Web3 industry is still very fragmented, everyone is building in every corner and trying to develop a very wide range of popular applications, but it is still in the exploratory stage.
For developers, Web3 has entered a stage that is much better than it was five years ago. As a developer, there are now many platforms and tools available, and everyone is starting to build, and there is even a stage of competition among the best. For developers, it is not in the initial stage, but has already started.
**Our consensus is that Web3 must be secure.** If the decentralized form is not protected by security, there is no way for the public to use it. If there is no way to remove the fake and preserve the real, to separate high-quality projects from shoddy projects, and to separate safe projects from unsafe projects, the community cannot develop, so I think safety is a must.
Host:
What do you think are the successful practical experiences and mature tracks for Web3 security and privacy? And how do you see the future development of these industries and tracks?
Professor Li Kang:
Other guests talked about this track from the perspective of user-driven and regulatory-driven, and I basically agree. I look at this track from another dimension. For example, from the life cycle of a project, audits are often done before the project goes online, and updates are also required after the project goes online. But the part before going online is the audit service track that is often done. Everyone recognizes that there is such a demand for this part. What value does it provide? Whether this track is good or not is another matter. There is also monitoring after going online. When the online project is running, what kind of transactions are performed? Is there any risk?
There is another track, which is the response after the incident occurs. CertiK also does this, helping you discover what’s going on and chasing money. There are different dimensions, including auditing before the project goes online, monitoring after the project goes online, and tracking and recovery after the incident.
Host:
What do you think is the biggest current challenge to Web3 security and privacy? And how should these challenges be addressed?
Professor Li Kang:
There are many challenges, here are two.
First, we cannot blame users for their security awareness. The biggest challenge is the lack of security awareness among current Web3 developers. Based on my personal understanding and experience, developers in major Web2 companies, whether domestic or overseas, attach great importance to security awareness. Going back 15 years, maybe developers can write programs without paying attention to safety, but now it is impossible in a large factory. Programmers who continue not to pay attention to safety development will find it difficult to be eliminated in a quarter in a large factory.
In Web3, many overseas developers are students who have just graduated (or even not graduated), and many people have changed careers. Overall development awareness and security awareness are very insufficient. To give another supporting example, Immunefi recently released the top ten security issues they found on the bug bounty. The biggest problem is that there is no security check on program input. The development community needs to grow, so developers need to be security aware.
Secondly, both the managers and everyone on the project side have insufficient security awareness. For example, 80% of the projects that have had incidents on Rekt News have not been audited. I also strongly agree with the previous review. The audit mentioned by the guest may not necessarily solve all security issues. But doing it is far better than not doing it.
There are still some people in the ecosystem who think security is something that can be solved once and for all with just one product or service. If I buy your product or use our audit, it will be safe. He thinks of security as a one-time solution that can be solved simply by buying a product. This is no longer the case in Web2. Security is risk management and a long-term investment. If you don’t change these two points, it will be difficult to move forward, so the two biggest challenges must be overcome.
You invest, but due to the asymmetry of attack and defense, hackers always have more advantages. Why do you need to be safe when you come back? Because safety does not mean that I can guarantee that the risk will be reduced to zero. Safety means that you can run faster than your competitors. If a bear is chasing you, you don’t necessarily have to run faster than the bear, but you must be faster than the competition. Opponents run faster, it’s a change in philosophy.
Host:
What do you think is the relationship between the development of AI and Web3? What help and imagination does AI have for Web3 security and privacy?
Professor Li Kang:
First, the most discussed use of AI in security is to use AI methods to discover code security issues and help with audit work. This part has been discussed a lot, so I won’t go into it here.
Second, **AIGC may be a very promising direction in combination with Web3, but content ownership needs to be protected with blockchain, and the role of security is very important.** If the public believes that AI can generate data and combine it with Web3 content, security protection is very necessary.
Host:
As a manager and technical leader, what kind of talents do you think Web3 security needs, and how should Web2 security practitioners enter the field of Web3 security?
Professor Li Kang:
If you are good at Web2 security, then go for it, because there are enough problems, and the opponents you encounter are the same as those in Web2. They used to attack you in Web2, but now they are in Web3, so come on.
With the continuous development of Web3 technology, the security prospects of Web3 will receive more and more attention. Although there are still many challenges to face, CertiK will continue to provide developers and users with a better security experience and promote the further development and popularization of the Web3 industry.
CertiK Wanxiang Summit Express: Web3 must have security