The Rekt Test
The Rekt Test1, an easily understandable questionnaire2 that helps web3 developers assess their security maturity:
- Do you have all actors, roles, and privileges documented?
- Do you keep documentation of all the external services, contracts, and oracles you rely on?
- Do you have a written and tested incident response plan?
- Do you document the best ways to attack your system?
- Do you perform identity verification and background checks on all employees?
- Do you have a team member with security defined in their role?
- Do you require hardware security keys for production systems?
- Does your key management system require multiple humans and physical steps?
- Do you define key invariants for your system and test them on every commit?
- Do you use the best automated tools to discover security issues in your code?
- Do you undergo external audits and maintain a vulnerability disclosure or bug bounty program?
- Have you considered and mitigated avenues for abusing users of your system?
I am not sure what is the original publication (if there is one), but I came across these two articles that provide more background on the questionnaire and its contents:
It is interesting to see the web3 security space steadily maturing, i.e. integrating more and more security best practices from the traditional "web2" world.
[1] Urban Dictionary: Rekt, see also https://rekt.news/ 😅
[2] The questionnaire was created by a group of web3 security experts including Mitchell Amador (Immunefi), Dan Guido (Trail of Bits), Nick Shalek (Ribbit Capital), Nathan McCauley (Anchorage Digital), Lee Mount (Euler Labs), Shahar Madar (Fireblocks) and others.