Web3 Defence In Depth: Origami Finance Case Study

Securing APIs and AWS Cloud Infrastructure

Working with Rivanorth was incredibly valuable. Their review identified key 'defence in depth' improvements for our system, which we promptly addressed. I highly recommend Rivanorth for their expert security assessments. - TempleDAO

Background

Smart contract security has improved tremendously over the years, but attackers are always looking for new and easier ways to make a profit. In the blockchain industry, security aspects other than smart contract audits have historically been neglected. Modern blockchain projects, however, consist not only of smart contracts but also of web applications (dApps), APIs and cloud infrastructure, so it is becoming increasingly important to secure those too. That is why Origami engaged Rivanorth to perform a security assessment of its APIs and AWS cloud infrastructure.

The Defence In Depth Principles

Before we go further, we need to understand what defence in depth stands for. Defence in depth is a security framework that employs multiple layers of protection to safeguard information and systems. The idea is that if one layer of defence fails, additional layers still provide protection, thus reducing the risk of a breach. Here are the key components and concepts behind defence in depth:

  1. Layered Security: implementing security measures at different levels.

  2. Redundancy: by having multiple overlapping security controls, this approach ensures that a failure in one control does not lead to a total compromise.

  3. Defence against different threats: each layer can address different types of threats.

  4. Risk mitigation: defence in depth helps teams manage risk by reducing the likelihood of an attack being successful and minimising the impact of any breaches that do occur.

Rivanorth’s Methodology

The objective of this engagement was to conduct a comprehensive security assessment following the defence in depth principles and identify improvement opportunities for Origami’s AWS infrastructure and APIs.

Following an initial consultation with the team, we identified the following key areas for the assessment:

AWS

  • ECS: Amazon Elastic Container Service

  • EC2: Amazon Elastic Compute Cloud

  • S3: Amazon Simple Storage Service

  • RDS: Amazon Relational Database Service

  • VPC: Virtual Private Clouds

  • IAM: Identity and Access Management

  • SSM Parameter Store: AWS Systems Manager Parameter Store

And two API collections.

The assessment was performed following well-established cybersecurity frameworks, including the AWS Well-Architected Framework, the CIS Benchmarks, the NIST Cybersecurity Framework and ISO 27001. The APIs were assessed using advanced penetration testing techniques, with a keen focus on the context of each API’s use case as well as testing for well-known API vulnerabilities as described in the OWASP API Security Top 10.

Outcomes That Matter

Hacks can have catastrophic consequences for DeFi projects, and tight security has become an essential requirement for Web3 projects. Thanks to Origami’s dedication to security, key technical aspects have been reviewed for vulnerabilities, significantly reducing the risk for users and stakeholders alike.

Find out more about Origami: https://origami.finance/
Rivanorth is a cybersecurity company specialising in smart contract audits and 360 degree security services for Web3.

Visit rivanorth.com to find out more.

You build the future. We help you secure it.