9 - Security II

Tutorial objectives

  • Advanced techniques in security auditing
  • Static analysis tools
  • Fuzz and property-based testing

Tutorial pre-requisites

pip3 install eth-wake
curl -L https://foundry.paradigm.xyz | bash # insecure install, you know
source ~/.bashrc && foundryup

Static analysis

Static analysis is a method of debugging by examining source code before a program is run. It is done by checking the code against a set of coding rules (detectors). This technique can help find errors and bugs that compilers and interpreters might not pick up.

Static analysis tools, often referred to as SAST (Static Application Security Testing) tools, can be used to analyze code for potential security vulnerabilities, code quality issues, and adherence to coding standards.

For static analysis in this tutorial, we will use the Wake testing framework (see documentation: https://ackeeblockchain.com/wake/docs/latest/static-analysis/using-detectors/).

Other static analysis tools include:

Fuzzing

Fuzzing is a technique for testing software that involves providing invalid, unexpected, or random data as inputs to a computer program.

Fuzz tests are useful, for example, for black-box testing, when manual testing or review would be more time-consuming, or to catch bugs that are unlikely to be spotted by the human eye.

For fuzzing in this tutorial, we will use the Wake testing framework (see documentation: https://ackeeblockchain.com/wake/docs/latest/testing-framework/fuzzing/).
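
The following added example (not part of the original tutorial, and plain Python rather than Wake's API) shows the idea: random call sequences, including invalid and boundary inputs, are run against a contract model and a property is checked after every successful call. The Token and FixedToken models, the account names and the planted self-transfer bug are assumptions constructed for illustration.

```python
import random

class Token:
    """Constructed in-memory model of a token contract with a planted bug."""
    def __init__(self, owner, supply):
        self.total_supply = supply
        self.balances = {owner: supply}

    def transfer(self, sender, to, amount):
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(to, 0)
        if amount < 0 or amount > from_bal:
            raise ValueError("revert: bad amount")
        self.balances[sender] = from_bal - amount
        self.balances[to] = to_bal + amount  # planted bug: to_bal is stale if sender == to

class FixedToken(Token):
    """Same model, but the recipient balance is re-read after the debit."""
    def transfer(self, sender, to, amount):
        if amount < 0 or amount > self.balances.get(sender, 0):
            raise ValueError("revert: bad amount")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount

def invariant_holds(token):
    """Property: transfers never create or destroy tokens."""
    return sum(token.balances.values()) == token.total_supply

def fuzz(token_cls, runs=200, steps=20, seed=1):
    """Run random call sequences; return the first one that breaks the invariant, else None."""
    rng = random.Random(seed)  # fixed seed so a failing sequence can be replayed
    accounts, supply = ["alice", "bob", "carol"], 1000
    for _ in range(runs):
        token = token_cls("alice", supply)
        calls = []
        for _ in range(steps):
            sender, to = rng.choice(accounts), rng.choice(accounts)
            bal = token.balances.get(sender, 0)
            # mix boundary values, invalid values and a random value
            amount = rng.choice([0, 1, bal, bal + 1, -1, rng.randint(0, supply)])
            calls.append((sender, to, amount))
            try:
                token.transfer(sender, to, amount)
            except ValueError:
                continue  # a revert on bad input is expected, not a finding
            if not invariant_holds(token):
                return calls
    return None
```

Calling fuzz(Token) returns the call sequence that led to the violation, which can be replayed as a regression test; fuzz(FixedToken) returns None.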

Other fuzzing tools include:

Formal verification

Formal verification is a technique used in software testing to prove or disprove the correctness of intended algorithms underlying a system with respect to a certain formal specification or property.

This method is outside the scope of this tutorial.

Tools/companies that provide formal verification include: