What tools do we use in Security Reviews?

Tools for Security Reviews

Let's overview some of the tools we'll be using while performing security reviews. As we progress in the course, you'll get more hands on experience with how they work!

Your First Line of Defense: Test Suites

Your classic test suite is your project's first line of defense. These are frameworks like Foundry, Hardhat, Brownie and ApeWorX; even Remix has tests.

Rest in Peace Truffle 😢

This course covers some really robust test suites that you can model your tests after and we'll talk more about the concept of test coverage a little later on.

Static Analysis: Debugging Without Execution

Static analysis is the next level of defense. It automatically checks your code for issues without executing it, which is why the analysis is called static. Slither, 4naly3er, Mythril and Aderyn are some prominent tools in the static analysis category.

Throughout this course we'll work heavily with Slither and Aderyn, and you'll become an expert at both of these static analysis options.

Fuzz Testing: Randomness Meets Tests

Next we have fuzz testing, which really comes in two flavours: stateless fuzz testing and stateful fuzz testing.

A few other types of testing we won't be covering are differential testing and chaos testing, but to further your security journey you should always be looking for new approaches and expanding your knowledge, so you may want to check them out.
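To make the difference between the two flavours concrete, here is an added Foundry test (Foundry is one of the suites named above) that is not part of the course material: the ToyVault contract, its Handler, and the accounting bug are all constructed for this example. The stateless fuzz test feeds one random input to a fresh vault and never finds the bug; the stateful invariant test lets the fuzzer chain calls and does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {StdUtils} from "forge-std/StdUtils.sol";

// Constructed target: the accounting bug needs prior state to surface.
contract ToyVault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit(uint256 amount) external { balanceOf[msg.sender] += amount; totalDeposits += amount; }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
        // Bug: a dust-sized partial withdrawal leaks one unit of global accounting.
        // Unreachable by a single deposit/withdraw pair on a fresh vault.
        if (amount < 10 && balanceOf[msg.sender] > 0) totalDeposits -= 1;
    }
}

// Handler: routes fuzzed calls so the vault always sees one msg.sender.
contract Handler is StdUtils {
    ToyVault public vault;
    constructor(ToyVault v) { vault = v; }
    function deposit(uint256 amount) external { vault.deposit(bound(amount, 1, 1000)); }
    function withdraw(uint256 amount) external { vault.withdraw(bound(amount, 0, vault.balanceOf(address(this)))); }
}

contract ToyVaultTest is Test {
    ToyVault vault;
    Handler handler;

    function setUp() public {
        vault = new ToyVault();
        handler = new Handler(vault);
        targetContract(address(handler)); // stateful runs only call the Handler
    }

    // Stateless fuzz: fresh vault, one random input per run. Passes despite the bug.
    function testFuzz_depositThenWithdraw(uint256 amount) public {
        amount = bound(amount, 0, 1000);
        vault.deposit(amount);
        vault.withdraw(amount);
        assertEq(vault.totalDeposits(), vault.balanceOf(address(this)));
    }

    // Stateful fuzz: random call sequences against the handler, invariant checked after each.
    // Fails once the fuzzer chains a deposit with a withdrawal of fewer than 10 units.
    function invariant_totalMatchesBalance() public {
        assertEq(vault.totalDeposits(), vault.balanceOf(address(handler)));
    }
}
```

Run both with `forge test`; the failing invariant run prints the call sequence that broke it, which is exactly the kind of multi-step path a single-input fuzz cannot reach.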

Formal Verification: Mathematical Proofs

Formal verification is a broad term for deploying formal methods to affirm the correctness of hardware or software. Often, these methods involve converting the codebase into mathematical expressions and applying mathematical proofs to establish whether the code does or doesn't do something specific.

A popular formal verification approach is symbolic execution. This method converts your Solidity function into math, or a set of boolean expressions. Manticore, Certora and Z3 stand tall in this domain.

We will delve deeper into formal verification in later sections.

AI Tools: Not Quite There Yet

Lastly, but importantly, AI tools offer another dimension to code auditing. However, despite their potential, they have some distance to cover before they provide substantial value for securing a codebase. At present, AI tools can serve as a sanity check or help you look something up quickly, but if a project suggests it has been audited by an AI tool like ChatGPT, it is best to be skeptical and question whether the project takes security seriously.

There's a great GitHub repo by ZhangZhuoSJTU that illustrates examples of bugs that are detectable by machines and those that aren't. Check it out here.

Wrapping Up

An important takeaway for you is that around 80% of actual bugs and competitive audit bugs are not auto-detectable by machines, including our present-day AI tools. This revelation underlines two key facts:

  1. Our current tools aren't up to the mark, and we need better ones.
  2. Human auditors and human security researchers remain paramount. The vast majority of bugs stem from business logic and incorrect implementations rather than common Solidity or cryptography oddities.

You'll learn more about this distinction as we continue in this course.