
Development OpSec

Credentials in source code

Git repositories were reviewed to determine if any sensitive credentials were stored in source code, and if so, what the impact of any leaked credentials could be.

It was found during assessment that several sensitive secrets were stored in source code within Git repositories.

Cloud secret management

Credentials can be stored in a secure cloud secret management service, which prevents many of the issues caused by storing credentials in source code and provides additional features such as centralized, fine-grained access control, extensive audit logging, automatic secret rotation, and hardware-backed secure storage.

It was found during assessment that secure cloud secret management was in use.

Continuous Deployment

Continuous deployment can be used to enforce checks before anything reaches production. Systems like GitHub Actions can run automated unit tests to ensure that all tests still pass. Security-focused automation can also be added, for example static code analysis scanning to help catch security vulnerabilities introduced in the code.

It was found during assessment that continuous deployment is implemented across important repositories, but additional effort could be made towards security automation as well.
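As an added example (not part of Zellic's report or DexFi's code base), the following minimal secret-scanning check is the kind of security automation that could run as a continuous-deployment step and would have flagged the credentials found in source code above. The signature patterns, entropy threshold and sample configuration file are constructed assumptions, not findings from the assessment.

```python
import math
import re

# Signatures for common credential shapes (constructed; not an exhaustive set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; random 32-char tokens sit well above this
MIN_TOKEN_LEN = 20       # shorter quoted strings are not worth an entropy check


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, finding_kind) pairs for lines that look like they carry credentials."""
    findings = []
    token_re = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{%d,})['\"]" % MIN_TOKEN_LEN)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, kind))
        # Catch tokens the signatures miss: long, high-entropy quoted strings.
        for token in token_re.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
    return findings


# Constructed sample: a config file of the kind that ends up committed to a repository.
SAMPLE = """\
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"
API_TOKEN = "Zx9qP2mLr7vT4bW8kN1sY6hJ3dF5gC0u"
password = "Summer2024!"
DEBUG = "true"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind in scan_for_secrets(SAMPLE):
        print(f"line {lineno}: {kind}")
```

In a pipeline the step would exit non-zero on any finding so the merge or deployment is blocked until the secret is moved into the secret management service.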

Code Review

Before any code is deployed, it must be reviewed by at least one other person. Doing so will help prevent any undesirable code from reaching production. Systems in GitHub or GitLab work well for code review, while third-party code review assessments are also invaluable to securing code.

It was found during assessment that code review is required within many code repositories, but not all.

Single sign-on

Enforcing single sign-on (SSO) for organization users can aid in password security. The attack surface shrinks from several applications and services to a single password manager, making it much easier to manage.

At the time of our review, SSO was not enabled, as mentioned in Discussion Point ref.

Personal OpSec

To aid in the personal operational security assessment, key DexFi contacts were asked about their individual habits to ensure they are following best practices. DexFi contacts confirmed that best practices were appropriately followed in all of the following areas.

Personal Security Hygiene

DexFi contacts were asked about habits including keeping software up to date and not clicking on random links. Failing to follow either of these practices can result in breaches.

Password Managers and Multi-Factor Authentication

DexFi contacts were asked about their password manager use, including which password managers they use and how they are configured. Using a secure password manager together with hardware-based authentication devices or TOTP is considered best practice for staying secure.

Email

DexFi contacts were asked to confirm that they were using secure, reputable email providers and that their current mailboxes were not unknowingly being forwarded to unknown addresses. DexFi contacts also confirmed that multi-factor authentication was enabled on their email accounts.

Social Media Accounts

DexFi contacts were asked about configuration and habits around social media accounts or platforms such as Twitter, Telegram, or Discord. Care was taken to ensure that accounts met recommended security configurations, including secure multi-factor authentication, separation of work and personal accounts, and other platform-specific practices.

Web3 OpSec

Crypto

In addition to development and personal operational security, some attention was also paid to DexFi's Web3 operational security. In particular, DexFi contacts were asked about their multisig setup, key backups, third-party custody, and wallets (hardware, mobile, or web). Ensuring that these aspects follow best practices greatly reduces risk.

Zellic © 2025