
SoftServe's SingularityDAO dApp Security Assessment and Mitigation Strategy

Information Technology, 2022-12-01, SoftServe

Overview

SingularityDAO (SDAO), a decentralized finance (DeFi) protocol, is an initiative of the SingularityNET Foundation to simplify access to the cryptocurrency economy. It is deployed both on-chain and within the AWS cloud. The protocol is designed to offer actively managed, non-custodial on-chain cryptocurrency trading strategies, supported by risk management and analytics tools.

SoftServe's goal was to stress test the existing AWS cloud architecture, adopt new security measures where needed, and recommend cloud security best practices for the related development processes. The main objective was to identify areas of potential risk and weakness and to give the foundation high-level recommendations for improving its security posture. With that assessment in hand, SingularityDAO could focus its attention and resources on the protocol's rollout and future deliverables.

The client's business plan called for the SingularityDAO protocol to grow by adding further data sources for analyzing digital assets. The goal was to find an architectural design that would support SingularityDAO's growth in a secure environment.

Challenges

SDAO wanted to grow its business with new analytics streams that would add technical instruments and indicators for on-chain and off-chain data (from centralized and decentralized exchanges, CEX and DEX). SDAO also needed new capabilities that would give platform users a safe and easy way to manage their investment portfolios.

SoftServe's main challenge was to build a cloud-agnostic approach for a data analytics platform and to explain the key architectural decisions to the SingularityDAO team. The new analytics platform also had to support new product services, which were key to SingularityDAO's DynaSet plans.
To address concerns voiced by members of the SingularityDAO team, SoftServe would host a series of architecture sessions to gain client buy-in and explain the technical decisions behind the technologies and approaches being used. SoftServe team members would also provide analysis and commentary on all technical questions.

Solution

The solution for SDAO's needs was a robust, secure, and scalable analytics back-end engine, able to process high volumes of trading and social data so that investors could surface insights for their portfolios and portfolio management, based on AI-driven decision recommendations. The platform would process both historical and real-time data and meet SDAO's performance, availability, and scalability requirements.

Project planning and assessment

SoftServe's team of security experts held a kick-off meeting with SingularityDAO representatives to understand the context of the resources used by the client. A series of tests was then performed against the AWS configuration, based on these standards:
• CIS Amazon Web Services Foundations Benchmark v1.4.0
• AWS Well-Architected Framework: Security Pillar
• Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

AWS services covered by the assessment:
• AWS API Gateway
• AWS Certificate Manager
• AWS CloudFormation
• AWS CloudFront
• AWS CloudWatch
• AWS CloudTrail
• AWS Config
• AWS DynamoDB
• AWS EC2
• AWS ECR
• AWS EKS
• AWS ELB
• AWS GuardDuty
• AWS IAM
• AWS Inspector
• AWS KMS
• AWS Lambda
• AWS Macie
• AWS RDS
• AWS S3
• AWS Security Hub
• AWS VPC

Third-party applications or solutions used in the assessment: the open-source tools ScoutSuite (multi-cloud configuration review), Prowler (AWS checks mapped to CIS and other frameworks), and Cloudsplaining (IAM policy analysis for privilege escalation, resource exposure, and data exfiltration risks).

When the assessment was completed six weeks later, SoftServe delivered a pilot implementation plan for the analytics platform, including training and learning sessions for the SingularityDAO team on how to further enhance and scale the new platform.
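To make concrete what a benchmark-driven configuration test actually evaluates, here is an added example (not SoftServe's or SingularityDAO's code, and not Prowler's or ScoutSuite's implementation) that checks a handful of CIS AWS Foundations Benchmark v1.4.0 IAM controls offline against an IAM credential report, the CSV that `aws iam get-credential-report` returns after base64 decoding. The report below is constructed for illustration; the column names match the real report, and the assessment date is fixed so the results are reproducible. Tools such as Prowler run checks of exactly this shape across the account, then map each finding back to the control number.

```python
"""Offline evaluation of selected CIS AWS Foundations Benchmark v1.4.0 IAM
controls against an IAM credential report.

Added illustration; not the code of SoftServe, SingularityDAO, Prowler or
ScoutSuite. SAMPLE_REPORT is constructed for this example and uses a subset
of the real credential-report columns with their real names.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a root account with an active key and no MFA, one
# well-kept user, one stale user, and one service user with a fresh key.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2022-10-01T09:00:00+00:00,not_supported,false,true,2021-01-01T00:00:00+00:00,2022-09-30T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2022-11-20T10:00:00+00:00,2022-06-01T00:00:00+00:00,true,true,2022-10-15T00:00:00+00:00,2022-11-25T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-01T00:00:00+00:00,true,2022-05-01T10:00:00+00:00,2022-05-01T00:00:00+00:00,false,true,2022-01-10T00:00:00+00:00,2022-04-01T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-01-01T00:00:00+00:00,false,no_information,N/A,false,true,2022-11-01T00:00:00+00:00,2022-11-29T00:00:00+00:00,false,N/A,N/A
"""

# Fixed "today" so the example is deterministic (assumed assessment date).
NOW = datetime(2022, 12, 1, tzinfo=timezone.utc)
UNUSED_DAYS = timedelta(days=45)   # CIS 1.12
ROTATION_DAYS = timedelta(days=90)  # CIS 1.14


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; the placeholders N/A,
    no_information and not_supported mean 'no date available'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_report(text):
    """Parse the decoded credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(rows, now=NOW):
    """Return (control, user, message) findings; an empty list means all pass."""
    findings = []
    for r in rows:
        user = r["user"]
        if user == "<root_account>":
            # 1.4: no root access keys. 1.5: root has MFA.
            if r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true":
                findings.append(("1.4", user, "root user has an active access key"))
            if r["mfa_active"] != "true":
                findings.append(("1.5", user, "root user does not have MFA enabled"))
            continue
        # 1.10: every user with a console password has MFA.
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings.append(("1.10", user, "console password without MFA"))
        # 1.12: credentials unused for 45 days or more must be disabled.
        if r["password_enabled"] == "true":
            last = parse_ts(r["password_last_used"]) or parse_ts(r["password_last_changed"])
            if last and now - last >= UNUSED_DAYS:
                findings.append(("1.12", user, "console password unused for 45+ days"))
        for k in ("1", "2"):
            if r[f"access_key_{k}_active"] != "true":
                continue
            last_used = parse_ts(r[f"access_key_{k}_last_used_date"]) or parse_ts(
                r[f"access_key_{k}_last_rotated"])
            if last_used and now - last_used >= UNUSED_DAYS:
                findings.append(("1.12", user, f"access key {k} unused for 45+ days"))
            # 1.14: access keys rotated at least every 90 days.
            rotated = parse_ts(r[f"access_key_{k}_last_rotated"])
            if rotated and now - rotated > ROTATION_DAYS:
                findings.append(("1.14", user, f"access key {k} older than 90 days"))
    return findings


def summarize(findings):
    """Count findings per control, the shape an assessor reports to the client."""
    counts = {}
    for control, _user, _msg in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    for control, user, msg in evaluate(load_report(SAMPLE_REPORT)):
        print(f"FAIL CIS {control:<5} {user:<15} {msg}")
    print(summarize(evaluate(load_report(SAMPLE_REPORT))))
```

On the constructed report this flags the root account under 1.4 and 1.5, and user bob under 1.10, 1.12 (both password and key) and 1.14, while alice and ci-deploy pass. The point for an assessment like the one described above is that every finding is traceable to a numbered control, which is what lets the resulting report double as a remediation roadmap.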
Results

SoftServe conducted a security assessment of the existing architectural design and delivered a detailed report of security improvements that address the identified weaknesses without restricting the development of the protocol's roadmap.

A security roadmap with architecture-level recommendations for improving SingularityDAO's security posture was also presented, aligned with the client's business goals. Using this step-by-step plan, the client can work toward its short- and long-term goals.

Marcello Mari, SingularityDAO's CEO, said: "SoftServe always delivers the best-in-class value for enterprise software development. The technical collaboration is always of the highest quality."

Conclusion

Following this cloud security assessment, SDAO was able to:
• Improve platform trust by auditing the hosting environment and applying security and cloud best practices.
• Modernize SDAO's existing analytical solution to support new services and data insights.
• Reduce portfolio management risks by enabling additional technical indicators that allow the use of artificial intelligence, which lets traders rebalance portfolios more precisely.
• Increase their growt