Web3 has emerged as the popular term to describe a new version of the internet – one that will be built on blockchain networks, with decentralization and user control of data at the forefront.
It’s a concept that’s often presented as something that’s entirely new, as if there’s a very strict divide between it and the legacy “Web2” internet we’re so familiar with today. But in actual fact, the next generation of the internet remains firmly entrenched in its Web2 roots in many ways.
Web3 cannot get away from Web2, which means that businesses are going to have to find a way to marry two very different approaches to security to ensure the safety of their users in the era of decentralization, says Charles Dray, Founder and CEO of the cybersecurity startup Resonance Security.
Dray’s company is building a full-stack cybersecurity suite that aims to integrate essential Web2 and Web3 security practices into a single platform, in order to protect companies against any and all threats that emerge, either from the existing internet or its future iteration. It’s an ambitious plan, perhaps, but it’s also one that’s necessary, as Dray points out that Web2 and Web3 generally take very different approaches to security.
“When we talk about Web3 security threats, these generally relate to the code in smart contracts,” Dray explains. But this focus on Web3 security means that other aspects of security are often forgotten, even though the foundations of Web3 dApps are built on legacy technologies.
Web3 Is Founded In Web2
Decentralized applications might run on blockchain, but they also still run on traditional servers, usually hosted in the cloud. What’s more, most dApps can still only be accessed via traditional web browsers, and their operators and developers who create and update those dApps are just as susceptible to Web2 hacking techniques (such as social engineering and phishing) as anyone else.
“It’s important to keep in mind that Web2 is still the foundation of Web3,” Dray said. But many projects fail to keep this in mind, and the result is that they’re building on very unstable ground.
“The Web2 components, like cloud environment, mobile applications, web applications, browser extensions and operational security, are critical to secure,” Dray said, explaining that most Web3 dApps are hosted in traditional cloud environments such as AWS. “But many times they’re not assessed. It’s alarming, but often Web3 projects just get a smart contract audit and think that’s it, and they totally forget about securing the Web2 parts.”
Such complacency is understandable. Reports of hackers exploiting vulnerabilities and buggy code in decentralized applications are widespread, and these attacks can have devastating consequences, resulting in billions of dollars in losses annually. This means that securing and auditing their code and smart contracts is a top priority for Web3 teams, but that doesn’t mean they can be forgiven for forgetting about the Web2 components they rely on. However, the reality is that most Web3 projects are being built by startups, staffed by small developer teams with very few, if any, security professionals on their books. They simply don’t have the time or resources to do it all.
Automating Cybersecurity
It’s for this reason that Resonance is pushing to revolutionize security for teams at the intersection of Web2 and Web3 with an entirely new approach to safeguarding against cyber threats.
“The radical change we’re introducing is that we’re making full-spectrum cybersecurity easy due to the new ‘engine’ we have developed, which considers the customer’s technical level, budget, scope and timeframe,” Dray explained. “It builds a custom plan for each customer, whether that is a free or hardcore, full-spectrum solution.”
Dray pointed out that the primary issue for many projects in both Web2 and Web3 is that they lack the guidance to determine what they need to secure, due to the enormous number of threats they face and the overwhelming array of cybersecurity products and services on the market. They also lack the time to figure these things out. “They usually just give up and focus on marketing and growth,” Dray revealed. “What we’re doing is we’re making it possible to continue focusing on growth while allowing teams to protect against every kind of cyberthreat.”
It all begins with Resonance’s automated security scoring algorithm, which works by looking at all of the actions teams have already taken on the cybersecurity front and assessing their current level of security. It provides an overall security score and notifies teams of what they need to do next, Dray explained, before guiding them through the process. According to Dray, Resonance acts very much like a security concierge: “It lets teams know what they should do now as a priority, and what they should do afterwards as the threats they face evolve.”
Resonance doesn’t provide all of the defensive tools by itself. Its small team of 13 employees focuses most of its energies on what Dray calls “offensive security”, such as penetration tests and code audits, in order to take care of the Web3 threats, while relying on partners to plug the more traditional holes in cybersecurity. To that end, it has partnered with more than 30 vetted cybersecurity product vendors to offer a library of in-house and third-party applications that can help teams to cover all of their bases for both Web2 threats and emerging Web3 vulnerabilities.
“This gives our users an advantage against hackers,” Dray said. “It’s like an automated sherpa that guides projects through this tough space to navigate, keeping everything all in one place. This makes us the first-of-its-kind full spectrum cybersecurity Software-as-a-Service solution for any technical level, budget, scope and timeframe.”
Dray revealed the company’s algorithm-based approach to assessing security has enabled it to uncover some glaring vulnerabilities in projects that had already invested heavily in boosting cybersecurity. It has discovered some truly alarming bugs that would have taken down their customers’ entire business, had they been found by malicious actors first.
According to Dray, these findings only emphasize the need for businesses to rethink how they approach security. “We’ve had over 3,000 conversations with customers, and what we see is that most will often just try to tick off the basic boxes at the lowest cost, in the quickest time, and with the least effort,” he explained.
One part of the problem is that security isn’t taken seriously enough. Many projects, Dray said, generally try to tackle one or two problems they consider to be priorities, due to requests from their investors or the cryptocurrency exchanges they work with. This is because many exchanges and also some governments have pushed for Web3 projects to standardize their security protocols for different scenarios, causing them to focus on complying with these demands.
Continuous Security-as-a-Service
This is why Resonance actively and continuously works to assess its customers’ security status – simply because they don’t have time to do it all themselves. “We’ve done the legwork for projects and our solution can help them navigate their priorities, guiding them, making it easy and even compensating them for taking things beyond a check box,” Dray said.
Resonance makes a compelling case for its alternative approach to security and it may well convince a lot of customers that it’s the all-in-one solution they’ve been looking for, but no doubt it will find it much more challenging to truly revolutionize cybersecurity in the way it wants to. The cybersecurity industry is often referred to as a game of “cat-and-mouse”, where hackers continuously innovate and come up with new techniques to try and access the systems and servers they shouldn’t, and where security firms are forced to respond to those new threats in the fastest time possible.
The ultimate goal of the cybersecurity industry is to put an end to this game once and for all, so companies can forget about their security concerns and focus on what matters most of all – growing their business.
“Our goal is to nip this in the bud by continuously building new applications in the software and by partnering with more cybersecurity product and service providers, so we can help our customers stay ahead of new threats as they begin to emerge,” Dray stressed, adding that customers will have to do very little themselves. “They can simply rely on our automated scoring and notification system. We will never be able to say security is 100%, but this approach will certainly help our customers to stay safe in a space where they simply don’t have the time to do all of the research by themselves.”