Security Update from the ooNodz Network

ooNodz Network
4 min read · May 24, 2024

Security is one of the main concerns of Source Node, the ooNodz Network’s owner and maintainer.

As the network expands and new services are being launched, we thought it necessary to share our “security update” with you, to inform you of all the initiatives launched or underway on this critical and essential topic.

Audit

It’s essential for a web3 company to make a clear distinction between offchain and onchain security, and to treat them with the same rigor.

With regard to onchain security, we have already completed an audit of our smart contracts. The report has been made public; you can find it here.

With regard to the offchain scope, we have just completed a comprehensive security diagnosis, an approach proposed by Bpifrance, the French Public Investment Bank (the “Diag Cybersécurité”). This audit was carried out by Steef, a French audit service provider approved by Bpifrance.
Today, we’re proud to present the results, which are full of praise.

Our maturity analysis highlights full compliance on 73% of recommendations, with a short-term potential of 88% if accessible recommendations are implemented (the remaining 12% are mainly aimed at large companies, which need to manage large premises and a high number of human and material resources, which does not concern Source Node for now).

These ratings probably don’t mean much to you, but they’re particularly high for a company of any size, and even more remarkable for a young start-up.

“Source Node has great control over its information system and data. It’s rare to see a company reach 50% of recommendations; it’s even more satisfying to see a startup achieve such a high score.” — Quentin Bédéneau, Director, Steef

One of our strengths is to have integrated essential security topics into our development plan from the very first lines of code. Our CTO and co-founder, Romain Grenier, has extensive expertise in all aspects of security, thanks in part to his experience at the heart of operational IT security issues within the French Defense. So it was an obvious choice for us, given our mission to offer our customers the best possible service right from the start.

We have implemented an end-to-end integrated approach to all our activities. Security is designed upstream (“security by design”), and attack scenarios are anticipated, with tests implemented, before working on application code (“security driven development”). Then we added the DevSecOps layer to all continuous integration and development processes.

“Most companies focus solely on customer perimeter security; it’s very satisfying to see that Source Node has mastered security across its entire Information System (internal and customer-side), by design.” — Amré Abou Ali, Consultant, Steef

It’s often said that the shoemaker’s son always goes barefoot, but that’s not the case with Source Node. Taking the risk of neglecting our internal infrastructure means taking the risk of ultimately compromising the infrastructure dedicated to our products, and therefore the service offered to our customers. As a direct consequence of our “security driven development” approach, we had to do a lot of work before we could even launch our first service.

We’re proud of what we’ve achieved so far, but what does it mean in concrete terms for you, the customer? Well, among others:

  • Better availability of your validator node(s), and protection against DDoS attacks and malicious takeover of your node.
  • 24/7 monitoring and incident response, with increased monitoring of all network components to respond rapidly to any security event.
  • Good patch management, to secure the server and its tools, but also to rapidly track changes in the supported network (Avalanche for now).

These efforts are essential if we are to sustain optimal, scalable support for all our users over time, in the context of exponential development of Subnets. And getting such good feedback from leading players in the field gives us even greater motivation to accelerate the development of new services that are ever more secure, accessible and easy to use.

Going Further

We’re up to date with the world’s most recognized standards.

As a French company, we strive to comply with ANSSI standards. Our latest audit confirms this, as it is based on these standards.

But as our activities are global, it goes without saying that we also strive to comply with SOC2 standards, which are recognized worldwide.

In the wake of our audit, and as we move forward with our development, we’re preparing for ISO 27001 certification.

As you’ll know if you’ve already studied for it, it’s a very onerous process for a company, commensurate with the label’s worldwide renown.

We were already aware of the certification requirements from the outset, and actively adopted the standards as we went along, in anticipation of the certification process being launched, to the point where we can now say that we are operationally ready. We still have the whole administrative side of certification to tackle.

Stay tuned!

Join the ooNodz Network: Website | App | Discord | Telegram | Twitter

About Source Node

Source Node is a French engineering company redefining the way we access distributed infrastructure. We offer IT and advisory services to blockchain operators (individuals and businesses) as well as to companies and institutions wishing to launch new web3 use cases.

LinkedIn | Contact
