
How to perform a cybersecurity sanity check for your crypto startup

Crypto start-ups have become lucrative targets for cybercriminals, which makes thoroughly managed cybersecurity a necessity for any such start-up.

Good cybersecurity management starts with an assessment of your current cybersecurity level. A crypto start-up is built from a set of key technological layers, and for each layer there are tools and standards for assessing it from a cybersecurity perspective. I will try to recommend open-source tools wherever possible.

  1. Web - Use Burp Suite or OWASP ZAP and Acunetix + OWASP Web Top 10
  2. Back-end / API - Use Burp Suite or OWASP ZAP + OWASP API Top 10
  3. Mobile - Use MobSF or Radare + OWASP Mobile
  4. Cloud back-end - Use Scout Suite + the relevant CIS Benchmark, such as CIS for Azure or CIS for AWS
  5. Smart contract - Use Mythril + Smart Contract Security Verification Standard
  6. Kubernetes / OpenShift cluster - Use kube-bench and kube-hunter + CIS for Kubernetes
  7. On-premise network - Use nmap and Nessus + the relevant CIS Benchmarks for Windows, Unix, etc.

--- Geek section ---
If you want to dive in further, you can sharpen your web, back-end and on-premise network security skills by performing exercises on Hack The Box.

For mobile security there are many other tools; for Android, for instance, MobSF, Apktool, Xposed, pidcat, drozer, jadx, QARK, Android backup extractor, Inspeckage and House. If you need a detailed description of the tooling above, check an article by a colleague of mine.

Coursera also offers multiple courses on cloud security and cloud architecture for all major cloud service providers: AWS, Google Cloud, Microsoft, and Alibaba.

For Kubernetes, I suggest deploying several clusters, for instance using the free O'Reilly Katacoda labs.
--- End of geek section ---

In principle, if you need to understand what a solid security baseline for a technology layer looks like, you can always turn to CIS or OWASP, where you will almost always find a comprehensive catalogue of security controls.

I can't promise your crypto cybersecurity journey will be a pleasant one, but you will indeed learn a lot of new and fascinating things :) Team