Blockchain is frequently claimed to be an “unhackable” technology. But 51% attacks allow threat actors to “gain control over more than half of a blockchain’s compute power and corrupt the integrity of the shared ledger. … While this particular attack is expensive and difficult, the fact that it was effective means that security professionals should treat blockchain as a useful technology—not a magical answer to all problems.”
The 51% attack takes advantage of what is known as the 51% problem: “If a single party possesses 51% of a mining pool, it is possible to falsify an entry into the blockchain, allowing for double spending, and even to fork a new chain to the advantage of the mining pool.”
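The 51% problem has a quantitative side that a defender can use when deciding how many confirmations to wait for before treating a payment as final. The block below is an added example, not code from the quoted sources: it implements the catch-up probability from section 11 of the Bitcoin whitepaper for an attacker holding a fraction q of the hash power, and shows that the probability reaches 1 as soon as q is 0.5 or more, which is exactly why a majority of mining power lets the ledger be rewritten.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner controlling fraction q of the total hash power
    eventually replaces the honest chain after a transaction has z confirmations.

    Same recurrence as the C code in the Bitcoin whitepaper (Nakamoto, section 11):
    the attacker's progress while the honest network mined z blocks is Poisson
    with mean z*q/p, and from a deficit of d blocks the attacker catches up
    with probability (q/p)**d when q < p.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hash-power fraction in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    # The 51% problem: with at least half of the hash power the attacker's
    # private chain grows at least as fast on average, so it overtakes the
    # honest chain with certainty no matter how many confirmations are waited.
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    ratio = q / p
    lam = z * ratio
    prob = 1.0
    poisson = math.exp(-lam)  # P(attacker mined 0 blocks), updated iteratively
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # P(attacker mined k blocks)
        prob -= poisson * (1.0 - ratio ** (z - k))
    return max(0.0, min(1.0, prob))


def confirmations_needed(q: float, max_success: float = 0.001) -> int:
    """Smallest confirmation count z at which the attacker's success probability
    is at most max_success. Returns -1 when no finite z suffices (q >= 0.5)."""
    if q >= 0.5:
        return -1
    z = 0
    while attacker_success_probability(q, z) > max_success:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.51):
        print(f"q={q:.2f}: confirmations for <=0.1% risk: {confirmations_needed(q)}")
```

A return value of -1 is the practical reading of the 51% attack: once a single party passes half of the mining power, waiting for more confirmations no longer bounds the double-spend risk.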
The two main types of blockchain, public and private, offer different levels of security. Public blockchains “use computers connected to the public internet to validate transactions and bundle them into blocks to add to the ledger. … Private blockchains, on the other hand, typically only permit known organizations to join.” Because any organization can join public blockchains, they might not be right for enterprises concerned about the confidentiality of the information moving through the network.
Another difference between public and private blockchains regards participant identity. Public blockchains “are typically designed around the principle of anonymity. … A private blockchain consists of a permissioned network in which consensus can be achieved through a process called ‘selective endorsement,’ where known users verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can maintain the transaction ledger. There are still a few issues with this method, including threats from insiders, but many of them can be solved with a highly secure infrastructure.”
Blockchain technologies are growing at an unprecedented rate and powering new concepts for everything from shared storage to social networks. From a security perspective, we are breaking new ground. As developers create blockchain applications, they should give precedence to securing their blockchain applications and services. Activities such as performing risk assessments, creating threat models, and carrying out code analysis (static code analysis, interactive application security testing, and software composition analysis) should all be on a developer’s blockchain application roadmap. Building security in from the start is critical to ensuring a successful and secure blockchain application.