A Taxonomy for Understanding the Security Technical Debts in Blockchain Based Systems

Blockchain is a disruptive technology intended at implementing secure decentralized distributed systems, in which transactional data can be shared, stored and verified by participants of a system using cryptographic and consensus mechanisms, elevating the need for a central authentication/verification authority. Contrary to the belief, blockchain-based systems are not inherently secure by design; it is crucial for security software engineers to be aware of the various blockchain specific architectural design decisions and choices and their consequences on the dependability of the software system. We argue that sub-optimal and ill-informed design decisions and choices of blockchain components and their configurations including smart contracts, key management, cryptographic and consensus mechanisms, on-chain vs. off chain storage choices can introduce security technical debt into the system. The technical debt metaphor can serve as a powerful tool for early, preventive and transparent evaluation of the security design of blockchain-based systems by making the potential security technical debt visible to security software engineers. We review the core architectural components of blockchain-based systems and we show how the ill-choice or sub-optimal design decisions and configuration of these components can manifest into security technical debt. We contribute to a taxonomy that classifies the blockchain specific design decisions and choices and we describe their connection to potential debts. The taxonomy can help architects of this category of systems avoid potential security risks by visualising the security technical debts and raising its visibility. We use examples from two case studies to discuss the taxonomy and its application.