Overview of Each Framework

Operations & StrategySecurity Specialist

Important Disclaimer: The frameworks presented in this documentation are living documents that evolve with the Web3 security landscape. They may undergo restructuring, updates, or modifications in the future to reflect emerging threats, new best practices, and community feedback. We recommend regularly checking for updates to ensure you're working with the most current security guidelines.

This document provides an overview of the various frameworks covered in the Security Frameworks by SEAL. Each framework addresses a specific aspect of Web3 security, providing best practices and guidelines to help secure your projects.

Community Management

This framework explores best practices for securing and managing online communities associated with Web3 projects, covering platforms like Discord, Twitter, Telegram, and Google. It focuses on establishing secure communication channels and community guidelines.

Go to the Community Management framework →

Awareness

This section covers strategies for fostering security awareness among team members and users of Web3 projects, including understanding threat vectors, cultivating a security-aware mindset, and staying informed about security developments.

Operational Security (OpSec)

This comprehensive framework addresses day-to-day security practices for Web3 teams, covering fundamentals, governance, risk management, control domains, lifecycle management, monitoring, incident response, and continuous improvement.

Explore the OpSec framework →

Wallet Security

This section delves into the crucial aspect of managing cryptographic keys in Web3 projects, discussing various wallet types (cold vs hot, custodial vs non-custodial), hardware wallets, signing schemes, and software wallets.

Go to the Wallet Security framework →

Multisig for Protocols

This comprehensive framework provides security guidelines for managing multisig wallets in protocols, covering planning and classification, setup and configuration, signer onboarding, hardware wallet setup, transaction verification, emergency procedures, and incident reporting.

External Security Reviews

This framework provides guidance on conducting and preparing for external security audits and reviews, including setting expectations, preparation, security policies, and vendor selection.

Explore the External Security Reviews framework →

Vulnerability Disclosure

This section discusses best practices for handling and disclosing vulnerabilities in Web3 projects, including establishing security contacts and managing bug bounty programs.

Go to the Vulnerability Disclosure framework →

Infrastructure

This section covers the fundamental aspects of securing the underlying infrastructure of Web3 projects, including asset inventory, cloud infrastructure, DDoS protection, DNS security, IAM, network security, and zero-trust principles.

Monitoring

This framework discusses the importance of continuous monitoring in Web3 projects, focusing on setting up effective monitoring systems and defining appropriate thresholds for alerts.

Explore the Monitoring framework →

Front-End/Web Application

This section addresses security considerations specific to the user-facing components of Web3 projects, including both web and mobile application security, common vulnerabilities, and security tools.

Go to the Front-End/Web Application framework →

Incident Management

This section outlines protocols for handling security incidents, including communication strategies, detection and response procedures, lessons learned, and playbooks, including specific guidelines for SEAL 911 War Room.

Threat Modeling

This framework provides guidance on creating and maintaining threat models, as well as identifying and mitigating potential threats to Web3 projects.

Explore the Threat Modeling framework →

Insider Threats (DPRK IT Workers)

This framework addresses the organizational and personal risks related to insider threats, most commonly associated with North Korean hacker-freelancers. It covers identifying, recognizing, and mitigating risks from insider threat actors, including hardening hiring processes and organizational defenses.

Go to the DPRK IT Workers framework →

Governance

This section covers best practices for implementing governance in Web3 projects, including setting clear policies, establishing accountability, compliance with regulatory requirements, risk management, and security metrics and KPIs.

DevSecOps

This framework focuses on integrating security practices into the development and operations processes, covering code signing, CI/CD, IDE security, repository hardening, and security testing.

Explore the DevSecOps framework →

Privacy

This section explores tools and practices for maintaining privacy in the Web3 ecosystem, including secure browsing, data removal, digital footprint management, encrypted communication, and privacy-focused operating systems.

Go to the Privacy framework →

Supply Chain

This framework addresses the security implications of dependencies and third-party components in Web3 projects, including dependency awareness and supply chain levels for software artifacts.

Security Automation

This framework focuses on using technology to perform security tasks with minimal human intervention, covering compliance checks, infrastructure as code, and threat detection and response to improve efficiency and reduce human error.

Explore the Security Automation framework →

Identity and Access Management (IAM)

This framework covers best practices for managing user identities and access control in Web3 projects, including role-based access control and secure authentication.

Go to the IAM framework →

Secure Software Development

This section focuses on integrating security practices throughout the software development lifecycle, including secure coding standards, code reviews, and secure design principles.

Security Testing

This framework explores various methods of testing Web3 projects for security vulnerabilities, including dynamic and static application security testing, fuzz testing, and security regression testing.

Explore the Security Testing framework →

ENS

This section covers Ethereum Name Service security considerations, including data integrity, cross-chain compatibility, smart contract integration, interface compliance, and name handling.

Go to the ENS framework →

Safe Harbor

This framework provides guidance on establishing safe harbor protocols for security researchers, including key terms, protocols, technical outlines, and whitehat guidelines.

Encryption

This comprehensive section covers various encryption methods and their applications in protecting data, including cloud data encryption, communication encryption, database encryption, and various types of storage encryption.

Explore the Encryption framework →

Treasury Operations

This section provides institutional-grade security frameworks for managing custodial treasury accounts and large cryptocurrency transfers, including account classification, registration documentation, enhanced controls, and transaction verification protocols.

Go to the Treasury Operations framework →

SEAL Certifications

This framework provides a certification system developed by SEAL with standardized guidelines and evaluation criteria for assessing the security of DeFi protocols. It includes modular certifications for specific areas such as DevOps & Infrastructure, DNS Security, Incident Response, Multisig Ops, Treasury Ops, and Workspace Security.