The promise of blockchain is boundless, but the technology is often met with skepticism due to unknown security, practicality, and adoptability implications. As reflected in Gartner's 2018 CIO Survey, only 1% of CIOs surveyed indicated any kind of blockchain adoption, and only 8% are in short-term planning or pilot execution.

We asked two Security Innovation company experts, Craig Rutfield (20+ year Software Engineering veteran), and Mick Ayzenberg (Security Engineer & Blockchain Researcher) to offer their perspectives.  Our interview follows:

Blockchain 101

Blockchain is a mechanism for recording information that is unalterable and does not depend on trusting a third party. Much like automation allows companies to run more efficiently, blockchain has the potential to automate business activities that would normally require a trusted third party. With private blockchains specifically, organizations can distribute their trust among a network of involved parties and develop shared standards while avoiding the inefficiencies of public chains.

Q: Is blockchain a game changing technology or a solution in search of a problem?

A: Craig - I'd call it a secure distributed token tracking technology. It is a game changer. There has never been a publicly accessible independent distributed mechanism that claims to guarantee an accurate, unique record.

A: Mick - One of the core benefits of blockchain is that it provides a way to own something digital. Despite the majority of businesses operating digitally, it was previously not possible to truly own something on the Internet without putting trust in a third party. It's easy to dismiss the technology as being "in search of a problem", but I think there is potential: some industries (or consumers) are spending a significant amount of money on trusted third parties protecting something digital for them, and blockchain will be able to reduce this cost. It's early enough that the potential cost savings and tradeoffs are still being discovered, and we aren't yet certain where the tech can provide the most value.

A particularly interesting area is the use of private blockchains, which places a limited amount of trust onto several known parties.  These blockchains do not require a currency and instead are secured by a limited number of authoritative nodes. This is a different model of trust than public blockchains. Private chain nodes are “people you know, but don’t necessarily trust”, whereas public chain validators can be anonymous actors with an economic incentive to play by the rules.

With a private blockchain, evidence of one party tampering with the data is easy to obtain and can be used to settle the issue with a standard off-chain resolution, such as with a legal agreement between organizations. While there are tradeoffs to consider, private blockchains do significantly reduce the inefficiencies of a public blockchain to the point where the technology may be comparable to a traditional distributed database. 

I think the use cases for this tech are quite different, but still interesting.  For example, Walmart has been experimenting with using IBM's private blockchain to better track their supply chain. Without blockchain, the involved distributors and companies might have decided to use a third party to host the software and database so there would be less risk of one organization assuming all the costs, or worse, a supplier tampering with data.  Now, with very little efficiency tradeoff, they can each validate a private chain that is owned by all involved parties and will make any malicious operations crystal clear.

Q: What solutions exist today that have already solved all or part of this problem?

A: Craig - Several companies have databases behind clearinghouses to handle these records, whether internally or as a service. These are often brokers who sit between the buyer and seller. In short, there would be an owner or gatekeeper protecting the transaction logs. With a blockchain, there is no need for one.

A: Mick - Blockchain is a state machine that does not require a trusted party to operate. If you get rid of the trust component, the entirety of its functionality can be replicated with a back-end server and database. The benefit comes from identifying where trust is needed, calculating how much is being spent on that trust, and determining whether blockchain could be cheaper. In the same way that automation continues to revolutionize industries across all sectors while reducing costs for businesses and consumers, blockchain can be seen as a way to automate the "trust" needed in our current systems.

For example, any home buyer knows that in order to complete a sale or purchase you must pay thousands of dollars to an escrow and title company. We as consumers accept this cost because it is an unavoidable expense for the distrust between the two parties. This is a prime example of a trusted third party that can simply be codified to the blockchain. Titles can exist as digital assets on the blockchain, and escrow can be coded up in under 100 lines of Solidity code. Migration to this platform comes with many trade-offs that are worth considering, but as more industries find they can be more efficient with blockchain, I expect more companies to adopt the technology for better interoperability.
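To make the "escrow in under 100 lines of Solidity" point concrete, here is an added illustrative contract (not code from Security Innovation or the interviewees). It assumes three addresses agreed off-chain (buyer, seller, and an arbiter who can only route the deposited funds, never take them), and it follows the checks-effects-interactions pattern so state is updated before any ether is sent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example: a minimal three-party escrow. The contract, not a
/// title company, holds the funds; every state change is a public transaction.
contract SimpleEscrow {
    enum State { AwaitingDeposit, Funded, Released, Refunded }

    address public immutable buyer;           // pays in, confirms delivery
    address payable public immutable seller;  // receives funds on release
    address public immutable arbiter;         // settles disputes either way
    uint256 public immutable price;           // exact amount that must be deposited
    State public state;

    constructor(address _buyer, address payable _seller, address _arbiter, uint256 _price) {
        require(_buyer != address(0) && _seller != address(0) && _arbiter != address(0), "zero address");
        require(_price > 0, "price must be > 0");
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
        price = _price;
    }

    modifier inState(State s) { require(state == s, "wrong state"); _; }

    // Buyer locks exactly the agreed price; over- or under-payment is rejected.
    function deposit() external payable inState(State.AwaitingDeposit) {
        require(msg.sender == buyer, "only buyer");
        require(msg.value == price, "send exact price");
        state = State.Funded;
    }

    // Buyer confirms delivery, or arbiter rules for the seller.
    function release() external inState(State.Funded) {
        require(msg.sender == buyer || msg.sender == arbiter, "not authorised");
        state = State.Released;                       // effect before interaction
        (bool ok, ) = seller.call{value: price}("");  // then pay out
        require(ok, "transfer failed");
    }

    // Seller cancels, or arbiter rules for the buyer; funds return to the buyer.
    function refund() external inState(State.Funded) {
        require(msg.sender == seller || msg.sender == arbiter, "not authorised");
        state = State.Refunded;
        (bool ok, ) = payable(buyer).call{value: price}("");
        require(ok, "transfer failed");
    }
}
```

The state machine is single-use and has no path that lets the arbiter or anyone else withdraw to an arbitrary address, which is the property an off-chain escrow company is normally paid to guarantee.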

Q: In terms of a primary benefit, is it functionality, security or the combination?

A: Craig - Functionality without ownership (hence the term independent above) with security (confidentiality, integrity, availability). The functionality is to have a distributed history.

A: Mick - Functionally, a public blockchain can be a lot less efficient. Security can be better in certain areas but worse in others. The primary benefit comes in replacing trust in a person or organization with trust in an open protocol and an economic game theory model. The benefits range from lowering costs associated with trust, to allowing more transparency, and putting more control in the hands of the consumer.

Q: What privacy implications exist with blockchain implementations – which are most dangerous/important?

A: Craig - Importance varies with the use case; however, the invalidation, if there is an inconsistency after a transaction is confirmed, is significant. Some of these require application logic to manage it. The identity of those performing the transaction is unknown, so privacy is retained.

A: Mick - Current blockchain technology is in the beginning stages of privacy, though most agree that it is a priority to evaluate in the next several years. Depending on the implementation, a lot of information is public by default, and that can have some serious privacy issues. There is a lot of research being conducted to make ZK-SNARKs and ZK-STARKs more efficient so that true privacy can be achieved and scaled.

The right to be forgotten will be interesting, since most blockchain implementations require that no entity has the ability to remove information from the chain.  This may move the responsibility more towards the users, but we will see how that unfolds.

Overall current blockchain technology is evolving, and if consumers begin to value their privacy more than the developers do, there will be forks towards those improvements.  It’s a lot easier to fork a social network built on a blockchain than it is to fork an entire private company.

Q: Contracts, Ledgers, and Backups — oh my!  Pros and cons

A: Craig - Replication is key so there is not a single source of the truth, while ensuring there is one truth. Distributed trust is the advantage here. Single authorities exist today with brokers or financial institutions themselves. They have ultimate control over data integrity, trust, repudiation, etc. With blockchain each record owner has control over that record’s fidelity. An authority may manage the chain, but trust is distributed to each record owner. A potential drawback of using blockchain comes when considering hold periods and race conditions. There’s a definite delay from the beginning of a transaction to completion due to the need to validate, replicate, and complete. These “air gaps” are potential tamper spots and can lead to inaccuracies, malicious or accidental.

A: Mick - Blockchains are designed around resilience. Data is replicated by design such that many nodes have a need to store each block permanently. Scaling this system presents a huge obstacle for public blockchains to overcome. Pruning techniques and sharding strategies will have to balance the need for sufficient duplication with the growth in demand.

Q: The Power of Power - Can blockchain reduce costs for industries that require a trusted 3rd party?

A: Craig - Not for the industry per se, but it cuts out the middleman. Entities can buy/sell or transact without an intermediary. The intensity of blockchain transaction computation can consume petaflops of CPU cycles and enormous amounts of power/energy. We've seen how the Bitcoin network (computers that maintain the shared transaction ledger that is the blockchain) consumes ridiculous amounts of energy. This problem needs to get solved before mass-scale blockchain-based networks are practical. Private chains do not require nearly the complexity of the calculations. These can be faster and require fewer calculations. This is the more common approach being piloted today.

A: Mick - I predict it will reduce costs because paying for trust requires such a high premium right now, but we will see. For example, a commercial building wants to buy less expensive electricity when it is hot and the A/C is running. Due to the heat/sun, a solar panel at a nearby location is generating more electricity than another building needs. The owner of the solar can sell the electricity to the commercial building without paying a large fee to an intermediate party. There are energy companies already experimenting with this using blockchain.

It is clear that Proof of Work is taking a massive toll on the environment, and hopefully new research yields solutions to relieve this burden. As Craig mentions, private blockchains do not require nearly as much energy to protect; however, they are only applicable when a limited amount of trust is allowable. This may not be allowable in decentralized systems where every consumer might need to be trusted.

If and how blockchain will change the world, only time will tell. Companies that want to explore this technology should attempt to quantify the amount they spend on trust relationships and look into whether a blockchain-based system could reduce those costs. It's important that the risks of such a new technology be included in this equation. Though, as time goes on and more companies pilot the technology, the trade-offs and considerations will become clearer.

Q: Does forgery become obsolete with blockchain?

A: Craig - No. If one authenticates as a valid consumer, they can transact. Even if there is an audit trail, they could have completed the act. There are still threats, but it is more difficult to execute them successfully.

A: Mick - Forgery certainly can become more difficult, but it will never be impossible. A user's signature is only as strong as how well one protects their keys. Active research on usable hardware wallets that better protect users is promising.

Security Innovation is presenting at the following upcoming blockchain events:

Oct. 5-7 - TruffleCon blockchain developers conference in Portland, OR

Oct. 8-10 - AppSec2018 - Security Through Enablement - San Jose, CA

AppSec three-day training session, "Intro to Hacking Decentralized Applications and Smart Contracts", presented by our Senior Security Engineer, Mick Ayzenberg.

Dec. 3-4 - Black Hat Europe, London - "Intro to Hacking Smart Contracts"
