# Security Frameworks by SEAL > Comprehensive security framework documentation for Web3 projects and blockchain security best practices. ## Docs - [Account Abstraction Wallets](/wallet-security/account-abstraction): Advanced users, developers, and organizations interested in programmable security, customizable transaction rules, and moving beyond the limitations of standard Externally Owned Accounts (EOAs) to eliminate single points of failure like seed phrase loss. - [Cold vs. Hot Wallets](/wallet-security/cold-vs-hot-wallet): The primary distinction between wallet types is their connectivity to the internet. This factor dictates their security threat model, risk profile, and ideal use cases. - [Custodial vs. Non-Custodial Wallets](/wallet-security/custodial-vs-non-custodial): The distinction between custodial and non-custodial wallets centers on who controls the private keys. This control directly impacts ownership, security responsibility, and the ability to interact with the web3 ecosystem. - [TEE-based Encumbered Wallets](/wallet-security/encumbered-wallets): Advanced users, developers, and organizations wanting to implement fine-grained security policies, that don't want to (EVM, Solana, Sui) or can't (Bitcoin, Litecoin, Dogecoin, XRP) make fully customizable logic on each chain individually. Additionally, encumbered wallets can use encrypted storage thus providing a level of transaction privacy. - [For Beginners & Small Balances](/wallet-security/for-beginners-&-small-balances): A user with foundational web3 knowledge who is actively learning and interacting with dApps. The asset value is typically non-critical, where a potential loss would not be financially significant. This profile prioritizes **ease of use** and **learning** over protections against online threats. - [Hardware Wallets](/wallet-security/hardware-wallets) - [Wallet Security](/wallet-security): *Note:* This page is auto-generated. 
Please use the sidebar to explore the docs instead of navigating directory paths directly. - [For Intermediates & Medium Balances](/wallet-security/intermediates-&-medium-funds): An intermediate user who is comfortable with web3 interactions and is now managing a significant, but not life-altering, amount of assets. This user understands the inherent risks of hot wallets and is actively seeking to upgrade their security posture to protect their capital. - [Wallet Security](/wallet-security/overview): In cryptocurrency, the security of digital assets is directly tied to how control over the funds is protected. This section provides a technical deep-dive into wallet security, covering the range from fundamental concepts to advanced practices for safeguarding assets against theft, loss, and unauthorized access. - [Secure Multisig Best Practices](/wallet-security/secure-multisig-best-practices): Guidance for designing, operating, and auditing high-assurance multisigs. Use this as your single source for baseline rules, setup guidance, and daily operations. - [Safe Multisig: Step-by-Step Verification](/wallet-security/secure-multisig-safe-verification): Hash verification protects against UI compromise attacks where malicious transactions are injected into the signing flow. The goal is to ensure that what you see in the UI matches what your hardware wallet actually signs. - [Verifying Multisig Transactions](/wallet-security/secure-multisig-signing-process): The security of a multisig wallet relies on each signer independently verifying what they are signing. A compromised web interface could present a legitimate-looking transaction while tricking a hardware wallet into signing a malicious one. - [Squads Multisig: Step-by-Step Verification](/wallet-security/secure-multisig-squads-verification): Limited tooling is available for Solana verification compared to EVM. Exercise extra caution and cross-verify with team members. 
- [Seed Phrase Management](/wallet-security/seed-phrase-management): The **seed phrase** (or mnemonic phrase) is the master key to a non-custodial wallet, granting complete control over all its derived **private keys** and assets. The management of this phrase is the single most important aspect of self-custody security. - [Signing Schemes](/wallet-security/signing-schemes) - [Signing & Verification](/wallet-security/signing-verification): This section provides a guide to transaction verification, from basic EOA interactions to advanced multisig operations. - [Software Wallets](/wallet-security/software-wallets) - [Tools & Resources](/wallet-security/tools-&-resources): This section provides a curated list of tools and resources to help users select wallets, practice safe signing habits, and verify transactions. Using these tools is a critical part of a robust security strategy. - [Using EIP-7702](/wallet-security/verifying-7702): The Pectra network upgrade introduces **EIP-7702**, which allows a standard Externally Owned Account (EOA) to temporarily function like a smart contract wallet. This is achieved via a new transaction type (`0x04`) that lets an EOA delegate its authority to a smart contract's code for the duration of a transaction or until it's changed. - [Verifying Standard Transactions (EOA)](/wallet-security/verifying-standard-transactions): When interacting with a dApp using a standard Externally Owned Account (EOA) via a wallet, you must verify several key components of the transaction request before signing. - [Bug Bounties](/vulnerability-disclosure/bug-bounties): Bug bounty programs incentivize security researchers to identify and report vulnerabilities in your project. They augments a security team and audits by allowing external security researchers to disclose vulnerabilities in your project in a way that should be a good experience for the security researcher. 
Depending what the scope of the bug bounty program is, you may have a higher success rate having certain parts at different types of bug bounty as a service providers, as they generally have security researchers with different skill sets using their platforms. - [Vulnerability Disclosure](/vulnerability-disclosure): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Vulnerability Disclosure](/vulnerability-disclosure/overview): Vulnerability disclosure is the task that is done after a vulnerability has been identified and fixed, and means to make the vulnerability known to the larger public. Often, a vulnerability disclosure will come after a [bug bounty](/vulnerability-disclosure/bug-bounties) report has been filed and the vulnerability has been corrected, or from a team member that noticed a vulnerability which was then fixed. In the event that responsible disclosure of the vulnerability is not possible because the vulnerable code is actively or will imminently be exploited, [Safe Harbor](/safe-harbor/overview) may be applicable. - [Security Contact](/vulnerability-disclosure/security-contact): Having a security contact provides a designated point of contact for security researchers to report vulnerabilities to. - [User Team Security](/user-team-security): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [User and Team Security](/user-team-security/overview) - [Phishing and Social Engineering](/user-team-security/phishing-social-engineering) - [Security-Aware Culture](/user-team-security/security-aware-culture) - [Security Training](/user-team-security/security-training) - [Custodial Treasury Security: Classification Framework](/treasury-operations/classification): Proper documentation and classification of custodial accounts is essential for institutional treasury security. 
This guide focuses on the security assessment and classification framework for crypto assets held with third-party custodians. - [Enhanced Controls for High-Risk Accounts](/treasury-operations/enhanced-controls): For Critical and High impact custodial accounts, implement the following controls in addition to baseline measures. - [Treasury Operations](/treasury-operations): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Treasury Operations Security](/treasury-operations/overview): 💡 Institutional-grade security frameworks for managing custodial treasury accounts and large cryptocurrency transfers - [Registration Documents](/treasury-operations/registration-documents): Use these standardized templates to register custodial accounts, track access changes, document security configurations, and perform quarterly reviews. - [Guide: Large Cryptocurrency Transfers](/treasury-operations/transaction-verification): Large cryptocurrency transfers require rigorous verification because transactions are irreversible. This guide covers both receiving and sending significant amounts, with security measures scaling to transfer size. - [TODO: Add link to Multisigs for Protocols guide. AFTER IT IS MERGED](/treasury-operations/transaction-verification): **Always generate a fresh deposit address** for large incoming transfers - [Create and Maintain Threat Models](/threat-modeling/create-maintain-threat-models): Creating and maintaining threat models help identify potential security risks and develop mitigation strategies to protect the project. - [Standard Operating Environment](/threat-modeling/identity-mitigate-threats): Identifying and mitigating threats is a crucial part of the threat modeling process. By understanding potential threats and developing strategies to address them, projects can help protect their systems and data from security incidents. 
- [Threat Modeling](/threat-modeling): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Threat Modeling](/threat-modeling/overview): Threat modeling is a structured approach to identifying and mitigating security threats to a system. It involves understanding potential threats, vulnerabilities, and attack vectors, and developing strategies to mitigate them. - [Dependency Awareness](/supply-chain/dependency-awareness): Dependency awareness is the practice of understanding and managing all the external libraries, frameworks, and components that a software project relies on. Dependencies can introduce vulnerabilities and risks, which means it's important to keep track of them and ensure they are secure. - [Supply Chain](/supply-chain): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Supply Chain Security](/supply-chain/overview): Supply chain security involves managing and securing all the components, dependencies, and processes involved in the development, deployment, and maintenance of software. In the context of blockchain and web3 projects, supply chain security could for example be parts of the web application stack, or external libraries used by the smart contract. - [Supply Chain Levels for Software Artifacts](/supply-chain/supply-chain-levels-software-artifacts): Supply chain levels for software artifacts provide a framework for categorizing and securing software components based on their risk levels. This approach helps projects prioritize their security efforts towards software components with the highest risk levels. - [Formal Verification](/security-testing/formal-verification): Formal verification is the act of proving or disproving a given property of a system using a mathematical model. 
While fuzz testing tries to break properties by throwing random data at your system, formal verification tries to break properties using mathematical proofs. - [Fuzz Testing](/security-testing/fuzz-testing): Fuzz testing (or fuzzing) is when you supply random data to your system in an attempt to break it. Most of the time, hacks come from scenarios you didn't think about and write a test for. What if I told you that you could write one test that would check for almost every possible scenario? - [Security Testing](/security-testing): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Integration Testing](/security-testing/integration-testing): While unit tests verify individual functions work in isolation (often with mocked dependencies), integration tests verify that your smart contracts work correctly with real external systems. In Web3, this primarily means testing with **fork tests** - running your contracts against real blockchain state. With out unit tests, we `mocked` working with external systems, integration tests however will actually work with those systems, by running as: - [Security Testing](/security-testing/overview): The objective of Security testing, while most likely impossible, is to ensure that applications and systems are resilient to attacks and free from vulnerabilities. This section covers various security testing methodologies, including dynamic and static application security testing, fuzz testing, and security regression testing. - [Static Analysis](/security-testing/static-analysis): At a high level, static analysis examines the structure, syntax, and patterns of your code without executing it. There are many forms of static analysis, and compilers like solc rely on these techniques. From a security perspective, static analysis can help identify potential vulnerabilities and code quality issues. 
- [Unit Testing](/security-testing/unit-testing): Unit testing is the foundation of smart contract security testing. While fuzz tests can find edge cases and integration tests verify system interactions, unit tests ensure that individual functions behave correctly under expected conditions. Every smart contract should have comprehensive unit test coverage before moving to more advanced testing methodologies. - [Compliance Checks](/security-automation/compliance-checks): Automating compliance checks helps projects ensure that they adhere to security policies, standards, and potential regulatory requirements consistently. Automated compliance tools can continuously monitor, assess, and report on the compliance status of systems and applications. - [Security Automation](/security-automation): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Infrastructure as Code](/security-automation/infrastructure-as-code): Infrastructure as Code (IaC) is the managing and provisioning computing infrastructure through machine-readable definition files, rather than manual configuration or interactive configuration tools. Automating security within IaC helps ensure that infrastructure is configured securely and consistently. - [Security Automation](/security-automation/overview): Security automation involves using technology to perform security tasks with minimal human intervention. By automating repetitive and complex security processes, teams can improve efficiency, reduce the risk of human error, and respond to threats more quickly. This section covers best practices and tools for automating various aspects of security, including compliance checks, infrastructure as code, and threat detection and response. - [Threat Detection and Response](/security-automation/threat-detection-response): Threat detection and response is a critical aspect of maintaining the security of your project. 
It involves identifying potential threats, monitoring for signs of malicious activity, and responding effectively to mitigate any identified risks. By implementing robust threat detection and response strategies, you can protect your project from security breaches and minimize the impact of any incidents that do occur. - [Code Reviews and Peer Audits](/secure-software-development/code-reviews-peer-audits): Code reviews and peer audits help identifying and mitigating security vulnerabilities in software. They involve systematically examining code to ensure it adheres to the security standards and best practices of the project. - [Secure Software Development](/secure-software-development): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Secure Software Development](/secure-software-development/overview): Secure software development is the practice of integrating security measures throughout the entire software development lifecycle (SDLC). This approach ensures that software is designed, developed, and maintained with security in mind, protecting against vulnerabilities and threats. This section provides guidelines and best practices for secure software development, including code reviews, secure coding standards, version control, and threat modeling. - [Secure Code Repositories and Version Control](/secure-software-development/secure-code-repositories-version-control): Managing secure code repositories and having version control practices helps protect your project from unauthorized access and ensuring the integrity of your project. - [Secure Coding Standards and Guidelines](/secure-software-development/secure-coding-standards-guidelines): Using secure coding standards and guidelines increases the likelihood of you being resilient to security threats. 
Having these type of standards can help developers avoid common vulnerabilities, and help ensure that security is considered at every stage of development. - [Threat Modeling and Secure Design Principles](/secure-software-development/threat-modeling-secure-design-principles): Threat modeling and secure design principles help identify and mitigating potential security threats during the design phase of software development. T - [Safe Harbor](/safe-harbor): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [On-Chain Adoption Guide](/safe-harbor/on-chain-adoption-guide): This guide explains how protocols can register their Safe Harbor adoption on-chain. Registering ensures your adoption is **public, verifiable, and enforceable**. - [SEAL Whitehat Safe Harbor](/safe-harbor/overview): 💡 An industry-standard framework, letting your protocol pre-authorize whitehats to rescue funds during active exploits - [Safe Harbor Scope Terms](/safe-harbor/scope-terms): When adopting Safe Harbor, you'll define specific parameters that control what's covered and how whitehat rescues work. Below is an explanation of each term with tips and best practices. - [Self-Adoption Guide](/safe-harbor/self-adoption-guide): This guide walks you through the full process of self-adopting the SEAL Safe Harbor Agreement for your protocol. The goal is to provide whitehats with legal clarity and confidence to rescue funds when it matters most. - [Safe Harbor Eligibility Checklist](/safe-harbor/self-checklist): Use this checklist to evaluate whether adopting the **SEAL Whitehat Safe Harbor Agreement** makes sense for your protocol. - [Safe Harbor for Whitehats](/safe-harbor/whitehat): Safe Harbor lets whitehats intervene during \[active exploits] to help secure protocol funds. 
It does so by providing a legal framework that outlines what whitehats can and can't do, how they ought to operate, and protects abiding whitehats in the event of legal action taken by the protocol. - [Data Removal Services](/privacy/data-removal-services): Removing your personal data from online platforms can help protect your privacy and reduce the risk of identity theft. Here are some steps and services to help you remove your data from the internet. - [Digital Footprint](/privacy/digital-footprint): Your digital footprint is the trail of data you leave behind while using the internet. - [Encrypted Communication Tools](/privacy/encrypted-communication-tools): Encrypted communication tools are essential for maintaining privacy and security in digital communications. These tools ensure that your messages and calls are protected from eavesdropping and unauthorized access. - [Financial Privacy Services](/privacy/financial-privacy-services): Maintaining financial privacy is often seen by an important thing for people inside the web3 ecosystem, and it can help prevent personal and financial information from unauthorized access and fraud. - [Privacy](/privacy): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Privacy](/privacy/overview): Privacy is a fundamental aspect of security. Protecting your personal and team's information from unauthorized access and exposure is crucial. This section provides guidelines and resources for maintaining privacy, managing your digital footprint, and utilizing privacy-focused tools and services. - [Privacy-Focused Operating Systems and Tools](/privacy/privacy-focused-operating-systems-tools): Using privacy-focused operating systems and tools can significantly enhance your digital privacy. These systems and tools are designed to protect your data and minimize your digital footprint. 
- [Secure Browsing](/privacy/secure-browsing): Secure browsing is essential to protect your privacy and personal information while using the internet. - [VPN Services](/privacy/vpn-services): Virtual Private Networks (VPNs) can help increase online privacy. They encrypt your internet traffic and hide your IP address, increases the protection of your data from eavesdroppers and provide you additional anonymity online. - [Continuous Improvement & Metrics](/opsec/continuous-improvement-metrics): Operational security is not a static state but rather a continuous process of assessment, improvement, and adaptation. This section outlines approaches to continuously improve security practices and measure their effectiveness. - [Opsec](/opsec): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Operational Security](/opsec/overview): Operational Security (OpSec) is a systematic approach to identifying critical information, determining threats to that information, analyzing vulnerabilities, assessing risks, and implementing countermeasures to protect sensitive data and operations. This framework provides comprehensive guidance for implementing effective operational security practices in Web2 and Web3 environments. - [Personal security travel guide — full](/opsec/travel/guide): Travel introduces unique security risks to your digital assets and sensitive information. Proper preparation before, vigilance during, and careful review after travel creates a comprehensive defense strategy that balances security with practical usability. - [Travel](/opsec/travel): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Operational Security while traveling](/opsec/travel/overview): 🔑 **Key Takeaway**: Travel introduces unique security risks to your digital assets and sensitive information. 
Proper preparation before, vigilance during, and careful review after travel creates a comprehensive defense strategy that balances security with practical usability. - [Personal security travel guide — concise version](/opsec/travel/tldr): 🔑 Key Takeaway: Protect your digital assets while traveling through minimizing sensitive data, using encrypted devices, avoiding public networks, securing hardware wallets, maintaining physical control of devices, being cautious with USB connections, practicing social discretion, and sanitizing devices upon return. - [The Five Steps of the OpSec Process](/opsec/principles/five-steps): 🔑 **Key Takeaway**: OpSec is built on five critical steps: identifying what needs protection, analyzing potential threats, assessing vulnerabilities, evaluating risks, and implementing appropriate countermeasures. - [Principles](/opsec/principles): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Principles & Concepts Overview](/opsec/principles/overview): Operational Security (OpSec) is built upon foundational principles and processes that help organizations protect sensitive information and critical assets. This section covers the essential concepts that form the basis of an effective operational security program. - [Operational Security Principles](/opsec/principles/principles): 🔑 **Key Takeaway**: Effective OpSec relies on five core principles: layered defenses, minimal access rights, need-to-know information sharing, system compartmentalization, and continuous monitoring—all working together to protect sensitive information from adversaries. 
- [Web3-Specific OpSec Considerations](/opsec/principles/web3-considerations): 🔑 **Key Takeaway**: Web3 environments require specialized security approaches that balance blockchain transparency with privacy, address immutability risks, manage self-custody responsibilities, secure decentralized operations, mitigate smart contract vulnerabilities, and navigate community-driven security challenges. - [Passwords](/opsec/passwords): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Password Management](/opsec/passwords/overview): Placeholder for Password Management content - [Core OpSec Principles](/opsec/old/core-opsec-principles): Operational security is built on fundamental principles that guide the implementation of security controls and practices. These principles provide a foundation for developing a comprehensive security posture that protects your organization's assets, operations, and reputation. - [Governance & Program Management](/opsec/old/governance-program-management): Effective operational security requires a structured approach to governance and program management. This section outlines how to establish and maintain security policies, roles, and responsibilities within your organization. - [Incident Response & Recovery](/opsec/old/incident-response-recovery): Even with strong security controls, incidents can occur. This section outlines how to prepare for, respond to, and recover from security incidents effectively. - [Old](/opsec/old): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Monitoring & Detection](/opsec/old/monitoring-detection): Effective security monitoring and detection are critical components of operational security. This section outlines approaches to implement monitoring systems that can identify security threats and anomalies in real-time. 
- [Operational Security](/opsec/old/overview): Operational security, often abbreviated as **OpSec** provides a range of practices and measures designed to safeguard an organization's sensitive information, assets, and operations from unauthorized access, espionage, disruption, or compromise. - [Risk Management](/opsec/old/risk-management-overview): 🔑 **Key takeaway**: Risk management transforms threat information into actionable priorities. It helps you determine which threats matter most, where to allocate resources, and how to make security trade-offs that align with business goals. - [Threat Modeling Overview](/opsec/old/threat-modeling-overview): 🔑 **Key takeaway**: Think of threat modeling as your security roadmap. It's how you understand what you need to protect, who might try to steal it, and how they might do it. From random hackers to state actors, knowing your potential attackers helps you build defenses that actually matter. It's about being smart with your security resources and focusing on what really needs protection. - [Web3 Specific Opsec](/opsec/old/web3-specific-opsec): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Web3-Specific Operational Security](/opsec/old/web3-specific-opsec/overview): Web3 introduces unique operational security challenges that require specialized approaches beyond traditional security measures. This section focuses on the specific security considerations for organizations operating in the blockchain and decentralized ecosystem. - [Risk Management](/opsec/old/risk-management): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Risk Management](/opsec/old/risk-management/overview): 🔑 **Key takeaway**: Risk management transforms threat information into actionable priorities. 
It helps you determine which threats matter most, where to allocate resources, and how to make security trade-offs that align with business goals. - [Risk assessment & prioritization](/opsec/old/risk-management/risk-assessment-prioritization) - [Trade-off analysis](/opsec/old/risk-management/trade-off-analysis) - [Physical Security](/opsec/old/physical-security): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Physical Security](/opsec/old/physical-security/overview): Physical security is an often overlooked but crucial aspect of operational security, especially for individuals and organizations involved in cryptocurrency. This section provides guidelines on how to protect yourself, your digital assets, and your organization from physical threats and attacks. - [Network Communication](/opsec/old/network-communication): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Network and Communication Security](/opsec/old/network-communication/overview): Securing your organization's networks and communication channels is crucial for protecting sensitive information, maintaining business operations, and preventing unauthorized access to resources. - [Telegram](/opsec/old/network-communication/telegram): Refer to Community Management's [Telegram section](/community-management/telegram) for more information. - [Wireless Security](/opsec/old/network-communication/wireless-security): Wireless networks offers convenience and flexibility. However, they also present unique security challenges. - [Alert Thresholds & Dashboards](/opsec/old/monitoring/alert-thresholds) - [Monitoring](/opsec/old/monitoring): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. 
- [Log Management & SIEM](/opsec/old/monitoring/log-management) - [Countermeasure Selection & Implementation](/opsec/old/lifecycle/countermeasures) - [Identify Information & Assets](/opsec/old/lifecycle/identify) - [Lifecycle](/opsec/old/lifecycle): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [OpSec Lifecycle](/opsec/old/lifecycle/overview): The Operational Security Lifecycle provides a structured approach to implementing and maintaining security controls. This section outlines the key phases of this lifecycle and how they work together to create a comprehensive security program. - [Risk Assessment & Prioritization](/opsec/old/lifecycle/risk-prioritization) - [Threat Modeling & Analysis](/opsec/old/lifecycle/threat-modeling) - [Vulnerability Assessment](/opsec/old/lifecycle/vulnerability-assessment) - [Containment, Eradication & Recovery](/opsec/old/incident-response/containment-recovery) - [Incident Response](/opsec/old/incident-response): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Playbooks](/opsec/old/incident-response/playbooks) - [Detecting and Mitigating Insider Threats](/opsec/old/human-centered-security/detecting-and-mitigating-insider-threats): Insider threats, whether intentional or unintentional, pose a significant risk to any project. These threats can come from current or former employees, contractors, or business associates who have inside information concerning the project's security practices, data, and computer systems. Effective detection and mitigation strategies are crucial for safeguarding your project against these risks. - [Human Centered Security](/opsec/old/human-centered-security): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. 
- [Human-Centered Security](/opsec/old/human-centered-security/overview): Security is not just about technology—it's about people. The human element is often the most vulnerable part of any security system, making human-centered security approaches essential for a robust operational security posture. - [Personal OpSec for Team Members](/opsec/old/human-centered-security/personal-opsec): Personal operational security (OpSec) extends beyond the workplace, encompassing practices that team members should implement in their personal lives to protect both themselves and organizational assets. This is particularly important in Web3 where the boundaries between personal and professional digital presence are often blurred. - [Social Engineering Defense](/opsec/old/human-centered-security/social-engineering-defense): Social engineering attacks target the human element of security by manipulating individuals into breaking security protocols, revealing sensitive information, or granting unauthorized access. Defending against these attacks requires a combination of awareness, training, and operational controls. - [Travel Security](/opsec/old/human-centered-security/travel-security): Team members traveling for business purposes face unique security risks that require specialized preparation and awareness. Effective travel security measures help protect both the individual and organizational assets during travel. - [Governance](/opsec/old/governance): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Security policies & roles](/opsec/old/governance/security-policies-roles) - [Third-party/vendor governance](/opsec/old/governance/third-party-vendor-governance) - [Digital Identity Access](/opsec/old/digital-identity-access): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. 
- [Digital Identity and Access Management](/opsec/old/digital-identity-access/overview) - [Password/Secrets Management](/opsec/old/digital-identity-access/password-secrets-management): Effective management of passwords and cryptographic keys helps maintain the security and integrity of digital assets and sensitive information. - [SIM Swapping](/opsec/old/digital-identity-access/sim-swapping): SIM swapping occurs when a threat actor tricks a mobile phone provider into transferring a victim's phone number to a SIM card that the criminals control. This allows the criminals to intercept the victim's text messages and phone calls, including any two-factor authentication codes. With access to the victim's phone number, the criminals can then gain unauthorized access to the victim's accounts. - [Device Endpoint Security](/opsec/old/device-endpoint-security): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Device and Endpoint Security](/opsec/old/device-endpoint-security/overview): Securing the devices used by your organization is a critical component of operational security. Endpoints such as laptops, desktops, mobile devices, and servers are common entry points for attackers and require robust protection. - [Standard Operating Environment](/opsec/old/device-endpoint-security/standard-operating-environment): A Standard Operating Environment (SOE) refers to a standardized and controlled computing environment used across a project. It ensures that all devices and systems adhere to the same security policies, configurations, and software versions, thereby reducing vulnerabilities and simplifying management. - [Data Protection](/opsec/old/data-protection): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. 
- [Data Protection](/opsec/old/data-protection/overview): Data is one of an organization's most valuable assets, and protecting it throughout its lifecycle is a critical component of operational security. - [Google Workspace Security](/opsec/old/cloud-third-party/g-suite-security): Google Workspace (formerly G Suite) is a powerful suite of productivity and collaboration tools widely used by projects. Many processes may depend on Google Workspace, in which case its security needs to be considered carefully. - [Cloud Third Party](/opsec/old/cloud-third-party): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Cloud and Third-Party Security](/opsec/old/cloud-third-party/overview): In today's interconnected digital ecosystem, organizations rely heavily on cloud services and third-party vendors to operate efficiently. However, these dependencies introduce security risks that must be carefully managed. - [Mfa](/opsec/mfa): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Multi-Factor Authentication](/opsec/mfa/overview): Placeholder for Multi-Factor Authentication content - [DevSecOps Integration](/opsec/integration/devsecops) - [Governance Alignment](/opsec/integration/governance) - [Integration](/opsec/integration): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Integration & Mapping to Other Frameworks](/opsec/integration/overview): Operational security does not exist in isolation but interacts with and complements other security frameworks and practices. This section outlines how to integrate OpSec with other security domains and frameworks. - [Privacy Framework Alignment](/opsec/integration/privacy) - [Improvement](/opsec/improvement): *Note:* This page is auto-generated. 
Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Post-Mortem & Lessons Learned](/opsec/improvement/post-mortem) - [Security KPIs & Reporting](/opsec/improvement/security-kpis) - [Google](/opsec/google): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Google Security](/opsec/google/overview): 🔑 **Key Takeaway:** Enhance your Google account security by implementing robust 2FA, eliminating redundant recovery options, and diligently overseeing third-party access. - [Endpoint](/opsec/endpoint): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Endpoint Security](/opsec/endpoint/overview): Placeholder for Endpoint Security content - [Operational Implementation Process](/opsec/core-concepts/implementation-process): 🔑 **Key Takeaway**: Operational security is implemented through a practical five-phase process: critical asset identification, practical threat analysis, actionable vulnerability assessment, contextual risk evaluation, and targeted control deployment. - [Core Concepts](/opsec/core-concepts): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Security Fundamentals](/opsec/core-concepts/security-fundamentals): 🔑 **Key Takeaway**: Effective security operations are built on five practical fundamentals: layered protective measures, minimized access scopes, controlled information flows, system isolation, and continuous visibility — working together to secure critical assets in dynamic environments. 
- [Web3-Specific OpSec Considerations](/opsec/core-concepts/web3-considerations): 🔑 **Key Takeaway**: Web3 environments require specialized security approaches that balance blockchain transparency with privacy, address immutability risks, manage self-custody responsibilities, secure decentralized operations, mitigate smart contract vulnerabilities, and navigate community-driven security challenges. - [Control Domains](/opsec/control-domains): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Organizational Controls](/opsec/control-domains/organizational): Organizational controls form the foundation of an operational security program. These controls establish the governance structures, policies, and processes necessary to implement and maintain security throughout the organization. - [Control Domains](/opsec/control-domains/overview): Operational security controls are organized into domains that address different aspects of security. This section provides an overview of these domains and how they work together to create a comprehensive security posture. - [People & Personnel Controls](/opsec/control-domains/people): People are both the greatest asset and potentially the greatest vulnerability in any security program. This section outlines controls to mitigate human-related security risks while fostering a security-aware culture. - [Physical & Environmental Controls](/opsec/control-domains/physical-environmental): Physical security is a crucial component of operational security that is often overlooked in digital-focused organizations. This section covers controls to protect physical assets, secure workspaces, and address travel security concerns. - [Technical & Digital Controls](/opsec/control-domains/technical): Technical controls form the backbone of operational security, protecting systems, networks, and data from digital threats. 
This section outlines key technical controls that should be implemented as part of a comprehensive security program. - [Cryptocurrency-specific controls](/opsec/control-domains/technical/cryptocurrency-controls) - [Device hardening](/opsec/control-domains/technical/device-hardening) - [Encrypted storage & backups](/opsec/control-domains/technical/encrypted-storage-backups) - [Technical](/opsec/control-domains/technical): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Network & communication security](/opsec/control-domains/technical/network-communication-security) - [Two-factor & hardware authentication](/opsec/control-domains/technical/two-factor-hardware-auth) - [Physical Environmental](/opsec/control-domains/physical-environmental): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Secure workspace & travel security](/opsec/control-domains/physical-environmental/secure-workspace-travel) - [Tamper-evidence & "evil-maid"](/opsec/control-domains/physical-environmental/tamper-evidence) - [People](/opsec/control-domains/people): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Insider-threat mitigation](/opsec/control-domains/people/insider-threat-mitigation) - [Security training & culture](/opsec/control-domains/people/security-training-culture) - [Social-engineering defense](/opsec/control-domains/people/social-engineering-defense) - [Compliance & regulatory alignment](/opsec/control-domains/organizational/compliance-regulatory-alignment) - [Organizational](/opsec/control-domains/organizational): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. 
- [Supply-chain security](/opsec/control-domains/organizational/supply-chain-security) - [Browser](/opsec/browser): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Browser Security](/opsec/browser/overview): Placeholder for Browser Security content - [Case Studies & Exercises](/opsec/appendices/case-studies): This section provides real-world case studies and tabletop exercises that organizations can use to learn from past incidents and test their security readiness. These examples illustrate common security challenges and effective response strategies. - [Glossary of Terms](/opsec/appendices/glossary): This glossary provides definitions for key terms used throughout the Operational Security framework. It includes both general security terminology and Web3-specific concepts to help ensure a common understanding of security concepts. - [Appendices](/opsec/appendices): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Appendices](/opsec/appendices/overview): The appendices provide additional resources, templates, and reference materials to support the implementation of operational security practices. These materials complement the guidance provided in the main framework sections. - [Policy & Template Library](/opsec/appendices/policies): This library provides templates and examples of security policies, procedures, and other documents that organizations can adapt to their specific needs. These templates serve as starting points for developing comprehensive security documentation. - [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure): If the default interfaces for either Safe or Squads are down or suspected of being compromised, these alternatives enable continued critical signing operations. 
As a signer, you should familiarize yourself with these tools and practice signing transactions with your team. - [Communication Setup](/multisig-for-protocols/communication-setup): Set up a dedicated communication channel for multisig operations: - [Emergency Procedures](/multisig-for-protocols/emergency-procedures): When security incidents occur, quick and decisive action is critical. This page covers procedures for key compromise, lost access, and communication breaches. - [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup): **Ledger:** - [Implementation Checklist](/multisig-for-protocols/implementation-checklist): This checklist ensures all multisig participants have the knowledge and skills necessary for secure operations. Complete all applicable sections before beginning multisig operations. - [Incident Reporting](/multisig-for-protocols/incident-reporting): Key compromise or suspected compromise - [Multisig For Protocols](/multisig-for-protocols): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Joining a Multisig](/multisig-for-protocols/joining-a-multisig): It is recommended to always create a fresh address on a hardware wallet for each new multisig. - [Offboarding](/multisig-for-protocols/offboarding): When leaving a multisig, follow these steps: - [Multisig Security Framework](/multisig-for-protocols/overview): **Quick start**: New to multisigs? Start with the Foundation for the essentials, then jump to your role: - [Personal Security (OpSec)](/multisig-for-protocols/personal-security-opsec): 2FA enabled on all accounts (authenticator apps or hardware keys) - [Planning & Classification](/multisig-for-protocols/planning-and-classification): Before setting up a new multisig, take time to properly assess its role and requirements. This planning phase will guide all subsequent configuration decisions and help ensure appropriate security measures. 
- [Registration & Documentation](/multisig-for-protocols/registration-and-documentation): Proper documentation is essential for multisig security and accountability. This page covers the registration process and required documentation. - [Setup & Configuration](/multisig-for-protocols/setup-and-configuration): This page covers the technical deployment and configuration of multisigs on supported networks. - [Use Case Specific Requirements](/multisig-for-protocols/use-case-specific-requirements): **Allowance module** required for all multisigs (see [Modules & Guards](/multisig-for-protocols/setup-and-configuration#modules--guards)) - [Guidelines for On-Chain Monitoring](/monitoring/guidelines): Effective on-chain monitoring is complex, and involves setting up systems and processes to continuously observe blockchain activities and detect any anomalies. - [Monitoring](/monitoring): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Monitoring](/monitoring/overview): Monitoring is a crucial aspect of maintaining the security and integrity of a blockchain project. Effective monitoring allows you to detect anomalies and potential security breaches in real-time, enabling prompt response and mitigation. This section focuses on monitoring the on-chain security of a project, including guidelines for setting up monitoring systems, defining thresholds for alerts, and utilizing existing on-chain monitoring tools. - [Defining Thresholds for On-Chain Monitoring](/monitoring/thresholds): Setting appropriate thresholds for on-chain monitoring is hard, since you want to detect unusual activity without generating excessive false positives. Here are some guidelines for defining and configuring thresholds. - [How to Navigate the Website](/intro/how-to-navigate-the-website): Navigation of the Security Frameworks by SEAL is being designed, over time, to be intuitive and user-friendly. 
We currently allow users to filter content by role, but we're not quite there yet. Any feedback on how to improve the usage of the frameworks in the future is appreciated. - [Intro](/intro): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Introduction to Frameworks](/intro/introduction): Welcome to the Security Frameworks by Security Alliance (SEAL), a curated resource for those seeking knowledge in the realm of blockchain security. Our organization, a collective of dedicated security specialists, is on a mission to spread awareness and educate the community about best practices and potential pitfalls in Web3 security. - [Overview of Each Framework](/intro/overview-of-each-framework): **Important Disclaimer**: The frameworks presented in this documentation are living documents that evolve with the Web3 security landscape. They may undergo restructuring, updates, or modifications in the future to reflect emerging threats, new best practices, and community feedback. We recommend regularly checking for updates to ensure you're working with the most current security guidelines. - [What Is It](/intro/what-is-it): This resource is a collection of best practices written in an abstract or general fashion to be applicable regardless of the specific technology. It serves as a comprehensive guide to help you secure various aspects of your Web3 projects and build resilience against potential threats. - [What It Isn't](/intro/what-it-isnt): This resource isn't just a compilation of existing information. While it may initially seem like a collection of curated content, its primary focus is on providing in-depth, practical guidance. - [Asset Inventory](/infrastructure/asset-inventory): An asset inventory means having information about everything related to your project, for example contracts, hardware, software, cloud providers, dependencies and network components. 
This is important: if you are not aware of your assets, how are you going to protect them? - [Cloud Infrastructure](/infrastructure/cloud): Securing your cloud infrastructure could be considered as important as securing your decentralized application, as a lot of users will be interacting with your dapp through the cloud provider. Some best practices to consider are: - [DDoS Protection](/infrastructure/ddos-protection): Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic. - [Identity and Access Management](/infrastructure/identity-and-access-management): Right now, this subsection has an entire category of its own. Please refer to [Identity and Access Management (IAM)](/iam/access-management) - [Infrastructure](/infrastructure): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Network Security](/infrastructure/network-security): Network security is a very wide subject, and the steps you take depend significantly on whether you're managing your own network, utilizing a cloud provider, or using a service provider. With that said, there are some general best practices to consider: - [Operating System Security](/infrastructure/operating-system-security): This document outlines some general best practices one should follow with regards to operating system security; if you're interested in a much more comprehensive guide, you could look at [NIST 800-123](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf). - [Infrastructure](/infrastructure/overview): Infrastructure can often be overlooked in web3, but it's often a very important area given that most front-end web applications are running on centralized infrastructure. 
This section focuses on Infrastructure Security, encompassing critical aspects such as cloud infrastructure, DNS providers, domain registrars, and DDoS (Distributed Denial of Service) protection. - [Zero-Trust Principles](/infrastructure/zero-trust-principles): The Zero-Trust security model assumes that threats can exist both inside and outside the network. It requires strict verification for every user and device attempting to access resources, regardless of their location. - [DNS Basics & Common Attacks](/infrastructure/domain-and-dns-security/dns-basics-and-attacks): When users type your domain, their request may traverse multiple trust points (flows vary by resolver caching, stub resolver config, and provider): - [DNSSEC, CAA, and Email Security](/infrastructure/domain-and-dns-security/dnssec-and-email): DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS responses, preventing attackers from redirecting your users to malicious sites by tampering with DNS queries. Think of it as a digital signature that proves the DNS response came from the legitimate source. - [Domain And Dns Security](/infrastructure/domain-and-dns-security): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Monitoring, Alerts, and Incident Response](/infrastructure/domain-and-dns-security/monitoring-and-alerting): DNS record monitoring involves continuously checking your domain's DNS records for unauthorized changes. Attackers often modify DNS records to redirect traffic to malicious servers while keeping your site partially functional. - [Domain & DNS Security — Overview](/infrastructure/domain-and-dns-security/overview): DNS (Domain Name System) is the backbone of the internet, translating domain names into IP addresses. In Web3, domain security is particularly critical as compromised domains can lead to irreversible financial losses through wallet drainers and phishing attacks. 
Unlike traditional web applications where stolen funds can sometimes be recovered, blockchain transactions are permanent. - [Registrar Security & Registry Locks](/infrastructure/domain-and-dns-security/registrar-and-locks): Your domain registrar is the company that manages your domain registration with the central registry. This is often the weakest link in domain security, as many registrars have poor security practices and are vulnerable to social engineering attacks. - [Communication Strategies](/incident-management/communication-strategies): Communication during an incident can be very hard, as people are often scrambling to fix the issue at hand. Nonetheless, from a team member's, outsider's or observer's point of view, communication is very important to be able to understand what's happening, and it also provides some time to reflect and think about what is going on. With that said, providing information before confirming that it's accurate can often be very negative and cause uncertainty. It is recommended to have a person designated for communication during an incident, and that updates are sent out on a fixed schedule, even if the update is only that there is currently no new information available. - [Incident Detection and Response](/incident-management/incident-detection-and-response): You don't want to be the project that has funds stolen and then doesn't notice it for multiple days. Early detection and effective response to security incidents will help minimize damage. - [Incident Management](/incident-management): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Lessons Learned](/incident-management/lessons-learned): Conducting a post-incident review and identifying lessons learned will improve your project's incident response capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future incidents. 
- [Incident Management](/incident-management/overview): Incident management involves preparing for, detecting, responding to, and recovering from security incidents. By thinking about incident management prior to actually experiencing an incident, you can help increase the likelihood of a timely recovery. - [Decentralized Incident Response Framework (DeIRF)](/incident-management/playbooks/decentralized-ir): A lightweight, end-to-end scaffold for security teams that work without a single authority. Use it as a menu, not a mandate. - [North Korea (DPRK) Attack](/incident-management/playbooks/hacked-dprk): If you’ve been sent this document, then we have very good reason to believe that you have been hacked by North Korea (DPRK). This document will give you some information about North Korea, why they’ve hacked you, and how they might’ve done it. - [Wallet Drainer Attack](/incident-management/playbooks/hacked-drainer): If you’ve been sent this document, then we believe that your funds have been stolen by a wallet drainer. This document will give you some information about drainers, how they work, and how you can protect yourself going forward. - [ELUSIVE COMET Attack](/incident-management/playbooks/hacked-elusive-comet): If you’ve been sent this, then we believe that you’ve been hacked by a threat actor we’ve identified as ELUSIVE COMET. This document will give you some information about drainers, how they work, and how you can protect yourself going forward. - [Playbooks](/incident-management/playbooks): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Malware Infection](/incident-management/playbooks/malware): This is a short guide prepared by SEAL that will help you navigate a malware infection. You have a limited amount of time to reduce the amount of damage that can be done to you. 
If you need help at any point, contact [**SEAL 911**](https://t.me/seal_911_bot) - [Playbooks](/incident-management/playbooks/overview): Generally speaking, incident response playbooks aim to provide detailed, step-by-step procedures for handling specific types of security incidents. Obviously, it's not possible to have thought about every possible scenario ahead of time, but one could create documentation for the most likely or devastating scenarios. - [SEAL 911](/incident-management/playbooks/seal-911-war-room-guidelines): SEAL 911 is a project designed to give users, developers, and even other security researchers an accessible method to contact a small group of highly trusted security researchers. The group can be reached via the [Telegram bot](https://t.me/seal_911_bot). - [Access Management Best Practices](/iam/access-management): Effective access management involves ensuring that users have the right access, at the right time, and that access is promptly revoked when no longer needed. Implementing access management practices helps prevent unauthorized access, and reduces the risk of insider threats. - [Iam](/iam): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Identity and Access Management (IAM)](/iam/overview): Identity and Access Management (IAM) is defined as managing who has access to your systems and data, and ensuring that access is secure and appropriate. Effective IAM practices help prevent unauthorized access, reduce the risk of insider threats, and ensure that users have the necessary access to perform their roles efficiently. - [Role-Based Access Control (RBAC)](/iam/role-based-access-control): Role-Based Access Control (RBAC) is a method of regulating access to systems and data based on the roles assigned to individual users within a project. 
RBAC ensures that users have the minimum access necessary to perform their job functions, reducing the risk of unauthorized access. - [Secure Authentication](/iam/secure-authentication): Secure authentication is essential for verifying the identity of team members and ensuring that only authorized individuals have access. By implementing strong authentication mechanisms you can protect your project against unauthorized access and lower the risk of potential security breaches. - [Compliance with Regulatory Requirements](/governance/compliance-regulatory-requirements): Compliance with regulatory requirements may be essential for your project. Understanding the needs and ensuring the necessary compliance helps protect your project from potential legal penalties. - [Best Practices for Regulatory Compliance in Terms of Security](/governance/compliance-regulatory-requirements): **GDPR (General Data Protection Regulation)**: Applies to organizations handling the personal data of EU citizens. It mandates strict data protection measures and grants individuals significant rights over their data, as seen on [https://gdpr.eu/](https://gdpr.eu/). - [Useful Resources](/governance/compliance-regulatory-requirements): **GDPR (General Data Protection Regulation)**: Applies to organizations handling the personal data of EU citizens. It mandates strict data protection measures and grants individuals significant rights over their data, as seen on [https://gdpr.eu/](https://gdpr.eu/). - [Governance](/governance): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Governance](/governance/overview): Good governance practices involve setting clear policies, establishing accountability, and continuously monitoring and improving security measures. This section provides some best practices and guidelines for how you could implement governance in your project. 
- [Risk Management](/governance/risk-management): If a project has effective risk management, it is also likely to be successful at identifying, assessing, and mitigating potential threats to the project. By utilizing risk management, you're likely to be able to prioritize security efforts and see where resources are needed. Risk management provides the capabilities to develop and implement strategies to mitigate identified risks by continuously monitoring the security landscape for new threats and vulnerabilities and then communicating risk findings and mitigation strategies to relevant people. - [Security Metrics and KPIs](/governance/security-metrics-kpis): Measuring security performance through metrics and Key Performance Indicators (KPIs) can be very useful for assessing the effectiveness of your security program, and can allow you to make informed decisions on what actions to take with regards to security. - [Common Vulnerabilities](/front-end-web-app/common-vulnerabilities): Understanding and mitigating common vulnerabilities is crucial for securing your web and mobile applications. Here are some frequently encountered vulnerabilities: - [Front End Web App](/front-end-web-app): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Mobile Application Security](/front-end-web-app/mobile-application-security): Mobile applications are increasingly used as front-ends for web3 protocols. As more projects use mobile applications, they also become an increasingly attractive target for threat actors. Below, you can find some suggestions to help protect your mobile application: - [Front-End Web Application Security Best Practices](/front-end-web-app/overview): This is often an overlooked area, but ensuring the security of your front-end web and potential mobile applications is crucial for protecting your users. 
If the front-end web application is compromised, it could have severe effects on your users as they for example could start interacting with a malicious contract instead of your official contract. - [Security Tools and Resources](/front-end-web-app/security-tools-resources): There is a very large amount of security tools and resources available, and sometimes it can feel overwhelming. - [Web Application Security](/front-end-web-app/web-application-security): Providing a secure front-end (web application) for users to interact with your web3 protocol is often essential. Web application vulnerabilities have however been exploited in the past to steal user funds, and as such it's important to take web application security into consideration for your project. - [External Security Reviews](/external-security-reviews): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [External Security Reviews](/external-security-reviews/overview): An external security review is a time-boxed, security-based assessment of software systems, applications, and infrastructure to enhance security and identify vulnerabilities. External security reviews are essential for organizations to protect against threats and build trust with users and stakeholders. - [Security Policies and Procedures](/external-security-reviews/security-policies-procedures): As part of the external security review, it could be beneficial to also review the internal security policies and procedures as well. Some of the things that could be relevant to review are: - [Expectations](/external-security-reviews/smart-contracts/expectation): The team looking for a security review will agree with the auditors/security researchers the exact parameters of the review. What *exact* contracts should they review? What should they not review? This is incredibly important so the can clearly estimate timelines on how long a review may take. 
This is also where compensation is discussed, usually the more aspects a team wants to review, the more expensive the audit will be. - [Smart Contracts](/external-security-reviews/smart-contracts): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Manual Review](/external-security-reviews/smart-contracts/manual-review): Manual review of a smart contract is the process of carefully examining the source code to identify potential vulnerabilities, logic errors, and design flaws. The approach to manual review can vary from person to person or team to team. This document outlines some of the possible things the process can comprise. - [Smart Contract Security Reviews](/external-security-reviews/smart-contracts/overview): Smart contract security reviews are specialized assessments focused on identifying vulnerabilities in blockchain-based smart contracts and protocols. These reviews are critical for web3 projects due to the immutable nature of blockchain deployments and the high-value targets that smart contracts often represent. - [Preparation](/external-security-reviews/smart-contracts/preparation): A common misconception is that when doing a security review, you can just hand off the written code and let reviewers do their work. This approach is inefficient and costly, as auditors will spend time on issues you could have resolved beforehand. Proper preparation maximizes the value of your security review investment and helps auditors focus on complex vulnerabilities rather than basic issues. - [Vendor Selection](/external-security-reviews/smart-contracts/vendor-selection): Choosing the right security vendor is crucial for getting maximum value from your security review. There are numerous security vendors in both the web3 and web2 ecosystems, each with different specializations and approaches. 
- [Audit the Auditors](/external-security-reviews/smart-contracts/vendor-selection): Confidential engagement with limited access to code - [Cross-Chain Compatibility](/ens/cross-chain-compatibility): Always use the correct cointype parameter when resolving addresses on specific chains - [Data Integrity & Verification](/ens/data-integrity-verification): Always resolve fresh data directly from Ethereum mainnet whenever conducting financial transactions - [Ens](/ens): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Interface Compliance](/ens/interface-compliance): Always check if a resolver supports your target interface using EIP-165 - [Name Handling & Normalization](/ens/name-handling-normalization): Always normalize ENS names before creating namehash, labelhash, or DNS-encoding - [ENS Best Practices](/ens/overview): 🔑 **Key Takeaway**: To securely implement ENS in your applications, prioritize direct L1 data verification, enforce proper name normalization, and validate bidirectional resolution. Always verify interface support before interaction, respect chain-specific cointype parameters, and implement [CCIP-Read](https://eips.ethereum.org/EIPS/eip-3668) functionality correctly. These practices prevent address spoofing, ensure cross-chain compatibility, and maintain data integrity throughout the ENS ecosystem. - [Smart Contract Integration](/ens/smart-contract-integration): Register ENS names for core contracts in your project's ecosystem - [Cloud Data Encryption](/encryption/cloud-data-encryption): You should consider using the best practices below, in order to ensure that data stored in the cloud is protected from unauthorized access: - [Secure Messaging Systems](/encryption/communication-encryption): Using secure messaging systems is crucial for protecting the privacy and integrity of your communications. 
Here are some popular messaging systems that offer end-to-end encryption and those that do not by default. - [Database Encryption](/encryption/database-encryption): Often, databases contains information that should not be publicly available. In order to protect your database, you may consider implementing the following best practices: - [Email Encryption](/encryption/email-encryption): Email is insecure and un-encrypted by default, but can become more secure by following best practices: - [Encryption in Transit](/encryption/encryption-in-transit): Encryption in transit means how data is being encrypted while it flows across networks. This is important as you don't want anyone eavesdropping on your traffic, and by following best practices such as the ones below, you can reduce the risk of that: - [File Encryption](/encryption/file-encryption): File encryption protects sensitive information stored in files. - [Full Disk Encryption](/encryption/full-disk-encryption): Full disk encryption protects all data stored on a device in the event that it's stolen or lost. Today, all major Operating Systems for workstations, servers and mobile phones have full disk encryption capabilities built in, and sometimes enabled by default. Check which full disk encryption is built into your operating system, and enable it if not enabled by default. - [Hardware Encryption](/encryption/hardware-encryption): Hardware encryption, such as HSM, uses dedicated hardware to encrypt data, providing robust security. Utilizing a HSM is a fairly specialized thing, but consumers are for example often using TPM. - [Encryption](/encryption): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Encryption](/encryption/overview): Encryption is a fundamental aspect of securing data, ensuring that sensitive information remains confidential and protected from unauthorized access. 
This section covers various types of encryption and best practices for implementing them effectively. - [Partition Encryption](/encryption/partition-encryption): Partition encryption is the process of encrypting specific partitions on a storage device. This allows for selective encryption of data, providing flexibility in managing encrypted and un-encrypted data on the same device. Unlike full disk encryption, which encrypts the entire disk, partition encryption targets specific areas, making it ideal for protecting sensitive data without impacting the entire storage system. - [Volume Encryption](/encryption/volume-encryption): Volume encryption is the process of encrypting a specific storage volume or partition to protect the data it contains. Unlike full disk encryption, which encrypts the entire disk, volume encryption allows for selective encryption of specific volumes, providing flexibility in managing encrypted and un-encrypted data on the same device. - [Case Studies](/dprk-it-workers/case-studies): Here are a few deviations from the usual DPRK IT Worker patterns. **As mentioned a few times already, the goal is to always be open-minded about threat actor tactics.** They are known to evolve and adapt while also pushing their methods further. The examples below are anonymized, but they are real cases we have encountered in the past: - [General Information](/dprk-it-workers/general-information): An insider threat refers to the risk posed by individuals within an organization who misuse their authorized access to compromise the organization's security. This misuse can involve malicious actions like data theft or sabotage, but also unintentional actions like negligence (e.g. ignoring security updates) or accidents (e.g. sending sensitive document to the wrong email address) leading to security breaches and/or data leaks. - [Dprk It Workers](/dprk-it-workers): *Note:* This page is auto-generated. 
Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Mitigating DPRK IT Workers](/dprk-it-workers/mitigating-dprk-it-workers): This section discusses ways you can harden your organization against DPRK IT Workers, both before and after a potential hiring. All of the strategies covered in the prior section, [**Techniques, Tactics, and Procedures**](/dprk-it-workers/techniques-tactics-and-procedures), still apply but serve a more 'active' role to identify DPRK IT Workers during recruiting or within your organization. Here, we will discuss mitigation strategies that limit the effects of a DPRK IT Worker infiltration and what you should do after identifying a successful infiltration. - [Insider Threats (DPRK)](/dprk-it-workers/overview): This framework serves as an entry point to understanding the organizational and personal risks related to "Insider Threats," most commonly (though not exclusively) associated with "DPRK IT Workers" - the North Korean hacker-freelancers. This framework is targeted at projects affected by insider threat actors as well as projects wanting to harden their posture against these actors. - [Summary](/dprk-it-workers/summary): **Who are DPRK IT Workers?** They are North Korean individuals, often operating from abroad (primarily China and Russia), who use fraudulent identities to secure remote IT jobs. Their primary goal is to generate revenue for the North Korean regime, which may involve legitimate work but also opens the door to espionage, data theft, extortion, and future hacking activities. - [Techniques, Tactics, and Procedures](/dprk-it-workers/techniques-tactics-and-procedures): This section focuses on avoiding, discovering, and confirming the threat of DPRK IT Workers to your organization. The sections dedicated to answering the questions "Am I interviewing a DPRK IT Worker?" and "Did I hire a DPRK IT Worker?" 
are interchangeable and both provide strategy outlines for avoiding, discovering, and confirming DPRK-related insider threats. Your organization can use tips from these sections to identify a DPRK IT Worker before you hire them, as well as to identify them after you have made the mistake of hiring one. - [Code Signing](/devsecops/code-signing): Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some best practices that could be followed: - [Continuous Integration and Continuous Deployment (CI/CD)](/devsecops/continuous-integration-continuous-deployment): Continuous Integration and Continuous Deployment are there to ensure good code quality and create rapid and secure deployments. Some best practices are: - [Devsecops](/devsecops): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Integrated Development Environments (IDEs)](/devsecops/integrated-development-environments): Integrated Development Environments (IDEs) are essential tools for developers, but they also need to be secured. Consider implementing the following best practices: - [DevSecOps](/devsecops/overview): Traditionally, rapid development and deployment is often prioritized at the expense of security considerations. This is generally speaking no different in web3, but it is important to take integrity, confidentiality, and availability into consideration too. To effectively address this without compromising on rapid development and deployment, it is essential to integrate security into the process, which is where devsecops comes into play. By implementing devsecops, projects can not only deploy faster, but also be more secure. - [Repository Hardening](/devsecops/repository-hardening): If a threat actor obtains access to your repository, it could have very severe consequences. 
In order to help avoid this, you could consider implementing the following best practices: - [Security Testing](/devsecops/security-testing): Security testing is a crucial part of the DevSecOps process, as it helps identify vulnerabilities early on so that they can be taken care of before they become an issue in production. - [Champions](/contribute/champions) - [Fixing unsigned commits](/contribute/contributing): The **main branch** powers the stable Frameworks website ([https://frameworks.securityalliance.org/](https://frameworks.securityalliance.org/)) with reviewed and finalized content. - [Contribute](/contribute): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Spotlight Zone](/contribute/spotlight-zone): This is the current list of individuals who have made substantial contributions to the project and deserve recognition. - [Stewardship](/contribute/stewards): A framework steward is the champion and caretaker for an individual security framework (most frameworks here -> [https://frameworks.securityalliance.org](https://frameworks.securityalliance.org) are currently available for adoption). This role goes beyond casual contribution. It's about taking ownership and helping guide the framework's development through community engagement. - [Config](/config): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Title of this Page](/config/template): Key Takeaway prompt: Without removing or modifying anything in the document, just after the heading, describe in a succint way (no more than 40 words), all the key points or tl;dr so that anyone can get a good grasp of the contents just by reading it. Don't add unnecessary sentences that sound like conclusions, like "By ensuring this..." "Doing all these...", "Having these security practinces...". 
Use the following format > 🔑 **Key Takeaway**: - [Using the Contributors Database](/config/using-contributors): This page demonstrates how to use the centralized contributors database. Instead of specifying all the contributor details in each file, you can now simply reference contributors by their ID. - [Discord Security](/community-management/discord): 🔑 **Key Takeaway for Discord:** To secure your Discord server, focus on implementing robust access controls and enforcing two-factor authentication for all administrators. Regularly audit roles and permissions, and maintain vigilant moderation. Educate your community about security best practices to prevent unauthorized access and protect against potential threats. - [Community Management](/community-management): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Community Management](/community-management/overview): Communities might be the key of many Web3 projects, but they also represent a significant security challenge. From casual users to top-level executives, everyone within an organization can be targeted by social engineering tactics across platforms like Telegram, Discord, X (formerly Twitter), Google, and more. When a community channel is compromised—whether by phishing, fraudulent links, or account takeovers—it can quickly become a vehicle for wider attacks, putting both users and organizational reputations at risk. - [Telegram Security](/community-management/telegram): 🔑 **Key Takeaway:** Stay vigilant with group chats on Telegram. Implement verification steps and secure communication practices to protect against sophisticated interception attacks. - [X (Twitter) Security](/community-management/twitter): 🔑 **Key Takeaway for Twitter (X):** To secure your Twitter account, prioritize using an authenticator app or security key over SMS-based 2FA, remove your phone number, and regularly review third-party app permissions. 
Ensure your recovery settings are robust and frequently monitor account activity to safeguard your online presence and maintain community trust. - [Certification Guidelines](/certs/certification-guidelines): This document provides guidelines for completing security certification questionnaires. It covers how to score individual control questions and when to pursue certification through self-assessment or third-party review. - [Certified Partners](/certs/certified-partners): SEAL Certifications is currently in the process of establishing our certified auditor partner program. We are actively seeking qualified auditing firms to become authorized certification issuers. - [Certified Protocols](/certs/certified-protocols): The following protocols have successfully completed SEAL certifications and received on-chain attestations via the Ethereum Attestation Service (EAS). For more details on each certification, click on the respective badges or view the relevant SFC document. - [Contributions](/certs/contributions): Like the rest of Frameworks, SEAL Certifications are open-source and accept contributions from the community. However, due to the nature of Certifications, contributions are subject to more stringent review and approval processes managed by Isaac, the initiative lead, and the other Certifications maintainers. - [Certs](/certs): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [SEAL Certification Framework](/certs/overview): SEAL Certifications is a certification framework developed by SEAL to provide standardized guidelines and evaluation criteria for assessing the security of DeFi protocols. SEAL Certifications provides targeted modular certifications (e.g., [Incident Response](/certs/sfc-incident-response.mdx), [Treasury Ops](/certs/sfc-treasury-ops.mdx)) that can independently validate specific aspects of a protocol's security posture. 
- [SFC - DNS Registrar](/certs/sfc-dns-registrar): The SEAL Framework Checklist (SFC) for DNS Registrar provides best practice for securely managing domain names and DNS configurations. - [SFC - Incident Response](/certs/sfc-incident-response): The SEAL Framework Checklist (SFC) for Incident Response provides structured guidelines to help remain prepared for security incidents affecting blockchain protocols. It covers team structure, monitoring, alerting, and response procedures. - [SFC - Multisig Operations](/certs/sfc-multisig-ops): The SEAL Framework Checklist (SFC) for Multisig Operations provides best practices for managing multisig wallets securely. It covers governance, risk management, signer security, operational procedures, and emergency operations. - [SFC - Treasury Operations](/certs/sfc-treasury-ops): The SEAL Framework Checklist (SFC) for Treasury Operations provides structured guidelines for securely managing and operating an organization's treasury covering governance, access control, transaction security, monitoring, and vendor management. - [SFC - Workspace Security](/certs/sfc-workspace-security): The SEAL Framework Checklist (SFC) for Workspace Security provides guidelines to help secure organizational workspaces covering device management, account security, communications, and training. - [1. Core Awareness Principles](/awareness/core-awareness-principles): 🔑 **Key Takeaway**: Security awareness is built on fundamental principles like threat recognition, risk assessment, and zero trust verification. These principles form the foundation of a security-conscious culture where every individual plays a vital role in protecting organizational assets. - [3. Cultivating a Security-Aware Mindset](/awareness/cultivating-a-security-aware-mindset): 🔑 **Key Takeaway**: Developing a security-aware mindset is about building habits that prioritize caution and verification. 
By questioning unusual requests, pausing before acting, and leveraging peer support, you transform security from a set of rules into an intuitive approach to daily interactions. - [Awareness](/awareness): *Note:* This page is auto-generated. Please use the sidebar to explore the docs instead of navigating directory paths directly. - [Security Awareness](/awareness/overview): **Key Takeaway** Stay vigilant, your awareness is your strongest defense against cyber threats. Recognizing red flags and questioning unexpected requests can prevent costly breaches. - [5. Resources & Further Reading](/awareness/resources-and-further-reading): 🔑 **Key Takeaway**: Expanding your security knowledge requires reliable resources and continuous engagement with the security community. By leveraging curated learning materials, self-assessment tools, and professional networks, you can deepen your expertise and stay ahead of emerging threats. - [4. Staying Informed & Continuous Learning](/awareness/staying-informed-and-continuous-learning): 🔑 **Key Takeaway**: Security is not a one-time achievement but an ongoing journey of learning and adaptation. By establishing regular training routines, staying current with emerging threats, and fostering a culture of continuous improvement, you ensure your security awareness remains effective against evolving challenges. - [2. Understanding Threat Vectors](/awareness/understanding-threat-vectors): 🔑 **Key Takeaway**: Understanding the various ways attackers can target you and your organization is essential for effective defense. By recognizing common attack patterns like phishing, social engineering, and emerging threats in digital spaces, you can better protect yourself and your team from potential security breaches.