7Block Labs’ DevSecOps Methodology for Blockchain Projects

At 7Block Labs, we really believe in taking a strong, smart approach to blockchain projects. That’s where our DevSecOps methodology comes into play! This strategy blends development, security, and operations into a seamless workflow that’s specifically tailored to address the unique challenges posed by blockchain technology. Let's take a closer look at how we make this happen.

Why DevSecOps?

In the whirlwind world of blockchain, we totally get that security isn’t something you just tack on at the end. It’s actually woven into everything from the very beginning. With our DevSecOps approach, we make sure that security is integrated into every single step of the process. This way, you get a solid solution without all the usual hassle.

Key Elements of Our Methodology

Let me give you a quick overview of the key parts that form our DevSecOps approach:

1. Collaboration: We kick things off by bringing our development, security, and operations teams together from day one. This way, we keep the lines of communication wide open! 2. Automation: When we automate tasks, we not only cut down on mistakes that people might make, but we also make everything run a lot faster. This lets us put our energy into more strategic tasks. 3. Continuous Monitoring: We’re always watching, day and night--24/7! This helps us spot any issues right away and tackle them before they turn into bigger problems. 4. Compliance Integration: Keeping up with regulations doesn't have to feel like a drag. We weave it into our development process. 5. Risk Management: We're always on the lookout for risks, making sure we spot any vulnerabilities before they become a problem. It’s all about staying one step ahead! 6. Feedback Loops: Honestly, getting feedback is super important. We set up feedback loops that help us keep getting better as we learn new things during the project. 7. Cultural Shift: We’re all about creating a culture where security comes first. We really want everyone to feel like they own their role in this process, so we encourage everyone to step up and take responsibility.

How We Implement This Methodology

We're all about taking real, practical steps here. Let me share how we bring our DevSecOps approach to life.

• Planning: We start by laying down our goals and figuring out what security measures we need for the blockchain project. It’s all about making sure everything is set up just right from the get-go!
• Development: Our crew is all about writing code that’s not just clean, but also secure. We make sure to stay on top of the latest best practices, too!
• Testing: We make sure to conduct comprehensive security checks and tests at various stages during the development process, rather than just saving it for the end.
• Deployment: When it’s finally launch time, we’ve got some solid protocols ready to make sure everything runs smoothly.
• Maintenance: Once we launch, we're not simply going to disappear. We're keeping a close eye on the system and making sure everything runs smoothly, so we're all set to jump in and fix any problems that come up.

Conclusion

Using our DevSecOps approach, we’re here to guide our clients through the tricky world of blockchain, all while keeping security front and center. Hey there! If you're thinking about jumping into a blockchain project, we've got your back and are ready to help you out every step of the way. Curious to discover more? Swing by our website at 7Block Labs for all the details! We’ve got lots of great info waiting for you!

The Specific Headache You’re Likely Living With

Hey there! So, your SOC 2 Type II deadline is just around the corner--only 90 days left! I know it can feel like you’re on a wild goose chase trying to gather all that evidence for change control, SDLC gates, and supplier risk. Scouring through Jira, GitHub, and Slack for it all is like trying to find a needle in a haystack, right? It can be super frustrating! I totally get how frustrating it is to see how delicate audit-readiness can be. It feels like it’s putting the brakes on every release, doesn’t it?

• So, those GitOps pipelines that have "with secrets in repo" written all over them? Yeah, that's a major no-go for your InfoSec team. They won't be having any of that! Looks like OIDC federation isn't set up yet, and you're missing those important Cosign attestations and provenance information. Not a good look!. Hey there! So, your Solidity pipelines might be cruising through those unit tests, but here's the catch: they're missing some pretty important checks. Stuff like invariants, making sure your proxy upgrades are safe, and keeping an eye on storage layout changes are all things that shouldn't be overlooked. Oh, and we can’t ignore those ZK circuits that come with some sneaky assumptions! You know, like those unchecked copy constraints and those pesky missing checks in shuffle arguments. It’s funny how formal tools usually miss these details until it’s way past the point of no return. How's this going to affect your business? Honestly, it's a bit of a disaster. We're dealing with hold-ups on go-lives, emergency meetings to shake things up, and vendors and insurers hiking those risk premiums like it's going out of style.

What this risks (in schedule and dollars)

• Hack and fraud exposure is still a major concern: Just in 2024, we're looking at an astounding $2 billion. Looks like 2B was taken off those crypto platforms, and honestly, it seems like 2025 is gearing up to break that record. Much of this can be credited to some pretty clever bad actors out there, like those North Korean hackers we often hear about. This really comes down to the reality that a lot of companies are still having a tough time with secure delivery and getting their upgrade controls right. (chainalysis.com).
• **U.S. Let's talk about breach economics - they can be pretty harsh! According to IBM's report from 2025, the average cost of a data breach in the U.S. is quite eye-opening. is sitting at $10. 22M. Oh, and it’s worth mentioning that most organizations take more than 100 days to get back on their feet. Your CFO is probably not going to be thrilled about just brushing that off as “the cost of innovation.” ” (bakerdonelson.com).
• Procurement delays are slowing us down: GRC teams are really raising the bar these days! They're now counting on things like an SSDF-aligned SDLC and SBOMs to be included as standard. If you don’t have things sorted out, you could end up with a backlog of vendor risk reviews (VRR) and redlines. This can really slow down the signature process and may even push your launches into the next fiscal year. Not ideal, right? NIST SSDF v1. It's pretty obvious that we need to weave secure practices straight into the Software Development Life Cycle (SDLC). Meanwhile, auditors are hard at work making sure that SOC 2’s Trust Services Criteria line up with the NIST frameworks. (csrc.nist.gov).
• Missed delivery goals create a ripple effect: DORA's updates for 2024 really highlight five important metrics, like throughput and stability. Teams that really dive into DevSecOps tend to see some pretty impressive boosts in a few key areas. They're not just speeding up their lead time but also deploying more frequently. Plus, they get back on track quicker when things go wrong and experience fewer hiccups with changes. On the other hand, those who fall behind often find themselves dealing with rework, outages, and a big hit to the trust of their stakeholders. It's a tough spot to be in! (dora.dev).

7Block Labs’ “Technical but Pragmatic” DevSecOps for Blockchain

When it comes to bringing DevSecOps into the blockchain scene, 7Block Labs keeps it simple and effective. Their approach is all about striking that perfect balance--making things work smoothly without getting too complicated. Their approach, which they call "Technical but Pragmatic," strikes a great balance between diving deep into the nitty-gritty of development and actually meeting the practical needs of businesses out there in the real world.

Key Aspects of 7Block Labs' Approach:

• Security Comes First: When it comes to security, we don’t just slap it on at the end. It’s woven into everything we do from the very start. In other words, it’s all about using the right tools and best practices to spot any weaknesses before they become a problem.
• Collaboration: Our team really values working together. Developers, security experts, and operations folks all join forces to make sure everything flows smoothly. When everyone’s on the same wavelength, it really helps us create better end products.
• Agility: They’re really good at rolling with the punches and adjusting to changes on the fly. The blockchain world is constantly changing, and at 7Block Labs, we make it a point to keep our approach fresh and adaptable.
• Always Learning: The team picks up something new with every project we tackle, thanks to our constant feedback. This really helps us all stay on our game and keep our skills fresh.

Why This Matters:

In the fast-paced world of blockchain, a strong DevSecOps strategy can really make or break your project. It's all about staying ahead in a field that's constantly changing! At 7Block Labs, we’re all about helping businesses get the tools and mindset they need to not just keep pace, but really shine.

If you want to dive deeper into what they offer and how they do things, just head over to their website.

We bring together Solidity and ZK rigor with a focus on enterprise procurement and maximizing ROI. Our approach is straightforward, super easy to check, and really quick to get up and running.

Governance & Auditability First (SOC 2 | ISO 27001 | SSDF)

First things first, make sure your Software Development Life Cycle (SDLC) is in sync with the NIST Secure Software Development Framework (SSDF) version 1. It’s a smart move that’ll help guide your processes and boost your project’s security right from the get-go. 1 controls. Basically, it's all about putting together those handy control-to-evidence matrices that really simplify things for auditors. When you’re diving into evidence sources, consider things like GitHub checks, artifact attestations, software bill of materials (SBOMs), change approvals, and deployment logs. These tools really help you keep track of everything happening in your projects. For more info, feel free to check this out: (csrc.nist.gov).

Alright, let’s dive into how the SOC 2 Trust Services Criteria--basically, that’s all about Security, plus the optional aspects of Availability, Confidentiality, and Privacy--ties in with your SSDF artifacts. This nifty little trick can really make auditor walkthroughs smoother and speed up that procurement VRR process! Hey there! It might be a good idea to put together an “auditor’s binder” that clearly links back to the TSC points of focus. And remember, those updates from 2022 are super important, so make sure to include them! If you want to explore this topic a bit more, check out this link: aicpa-cima.com. It's a great resource for diving in!

Supply Chain Hardening and Provenance (SLSA L3 Targets)

We're supercharging GitHub Actions with OIDC federation for AWS, Azure, and GCP! This is exciting news because it means we can finally say goodbye to those pesky static cloud keys just lingering around. We're all about sticking to the least privilege principle around here. That means we're using claims-bound roles and making sure to block any deployments that haven't been properly verified. Check it out here.

Hey there! Just a heads up: when you're building artifacts like containers, CLIs, WASM, and circuit binaries, you definitely want to use Sigstore Cosign for signing them. It's a good way to keep everything secure and ensure authenticity! Make sure to keep those signatures and certificate chains locked up tight, and don’t forget to verify them when someone comes on board. If you want to dive deeper into the details, just check out this doc.

Alright, let’s get started on generating some SLSA provenance and shoot for Build Level 3. We’ll be using those hosted hardened builders to make it happen! This really provides us with some great tamper protection. If you want to dive deeper into it, check out slsa.dev. There’s a lot of great info there!

We're going to whip up a Software Bill of Materials (SBOM) right off the bat using either Syft or CycloneDX. Plus, we’ll throw in OpenSSF Scorecard into our CI pipeline to keep tabs on how we're doing with our dependencies. Sound good? On top of that, we're going to share score trends at the organizational level to keep things transparent--because honestly, who doesn't enjoy tracking progress? If you want to dive deeper into this, you can find more details here.

Alright, so here's the plan for keeping our secrets safe: let's turn on GitHub push protection for the whole organization. It’s also a good idea to set things up so we need delegated bypass approval too. This way, we can keep everything secure while still having a bit of flexibility when we need it! This addresses a common issue you might find in SOC 2 audits and really helps cut down on those pesky credential leaks over time. Learn more here.

3) Solidity: Security as a Quality Gate

Let's start with some unit, fuzz, and invariant testing using Foundry--you know, the forge tool. We always keep a close watch on our coverage and invariant budgets, making sure we're sticking to them. Plus, we monitor the median and mean gas costs (you know, those "~" and "μ" symbols) during our fuzz runs. This helps us spot any potential gas issues that could affect our L2 spending. If you want to dive deeper into this topic, head over to learnblockchain.cn. You'll find some great info there!

When it comes to property and invariant fuzzing, we like to use Echidna. We make sure to encode protocol invariants, like checking that totalAssets matches up with the sum of balances for ERC‑4626. Plus, we keep any minimized counterexamples handy for easier troubleshooting down the line. If you're interested, check out this GitHub page. It might have some cool stuff for you!

• Next up, we've got static and symbolic analysis, and that's where tools like Slither and Mythril really shine. We always make sure to fail builds whenever we come across any major problems. This includes things like storage collisions, issues with tx-origin authentication, or uninitialized variables, as well as those high-confidence SWCs. It's a way for us to keep everything running smoothly and avoid any nasty surprises down the line! If you're looking to explore Slither a bit more, check it out on GitHub!

When it comes to keeping our upgrades safe, we lean on OpenZeppelin’s UUPS and Transparent proxy validations. We also use storage layout diffing and roll out guarded upgrades with role-bound _authorizeUpgrade. It’s all about making sure we’re secure while still being able to improve! We make it a point to have different people handling proxy admin roles, and we rely on timelocks to avoid the usual pitfalls that come with UUPS misconfigurations. If you want to dive deeper, check out the OpenZeppelin docs for more info. They've got all the details you need!

• Lastly, when it comes to the specifics of ERC‑4626, we're really putting our efforts into protecting against inflation attacks. We're also looking closely at those tricky edge cases that come up with deposits and redemptions, all while keeping in mind how price oracles actually behave in real life. For more details, check out the OpenZeppelin docs. It's a great resource!

4) Zero‑Knowledge (Noir, Circom, Halo2): Constraint Soundness as an SLO

• Circuit QA Gates: Kickstart your unit tests with Noir's Nargo! Trust me, those fuzz and differential tests are super important for spotting those tricky over and under-constraints that can sneak up on you. Take a look at this link: (noir-lang.org). You’ll find some really cool info there! Hey! Just a quick tip about using Circom: make sure to play it safe with your coding. Try to steer clear of using <--/--> unless you’re specifically connecting constraints with ===. It’ll help keep everything running smoothly! And hey, make sure to run those linters and under-constraint checkers too! They'll help things go a lot smoother. More details here: (docs.circom.io). For Halo2, don’t forget to run those circuit reviews! Double-check those gate and region assumptions. It's super important to keep an eye on lookup and permutation constraints, plus those blinding rows. And let’s make sure we’re sticking to a reproducible “k” size and using the right multicore settings to get those builds running smoothly. Learn more here: (learn.zkpunk.pro). Make the most of static analyzers and research tools by adding AC4 (algebraic checker) style passes. This will help you catch any under or over-constraints that might be lurking in your code. And hey, make sure you check out those pipelining fuzzing techniques, like the Circuzz approach! They’re a great way to really push ZK compilers and transpilers to their limits. You won’t want to miss it! Dive deeper here: (arxiv.org).
• Formal Methods That Matter: Make sure you highlight those key invariants, like conservation and no-steal, and then back them up on the EVM side using Certora Prover. It's super important to get that proof in there! It’s really crucial to link your ZK verifier contracts to properties that have been formally proven. If you want to dive deeper, just take a look at this link: docs.certora.com.
• Trusted Setup Governance (If Needed): If you're using KZG commitments, don't forget to keep track of where your SRS comes from, like the details of Ethereum's KZG ceremony scale and that 1-of-N assumption. It's also a good idea to switch up those parameters for some domain separation. Oh, and make sure to double-check those subgroup checks for the pairing points, okay? Check this out: (blog.ethereum.org). It's got some great info!

5) Runtime Controls, Rollback, and Observability

Before you roll everything out, don’t forget to set up a "kill switch." It’s a lifesaver if things go sideways. Also, prepare some runbooks that explain how to pause everything smoothly. Keep an eye on the drift monitoring for proxy admin and implementation slots, too. And definitely make sure you get alerts for any unauthorized writes to storage--better safe than sorry!

• Keep an eye on chain health using SLOs: Make sure to track those L2 finality windows, watch out for any reorg activity, and don’t forget to maintain a reliable RPC quorum. Just a quick reminder to set up those automated alerts for any gas budget regressions in the circuit verifier. It’ll help keep things running smoothly!
• Make sure to keep a solid record by creating unchangeable logs for things like change approvals, attestations, and test artifacts. Just a heads up--let’s make sure everything’s tied to those SOC 2 criteria. This way, we can keep things organized and make it super easy for the auditors when they come around. (aicpa-cima.com).

How This Translates Into Business Outcomes (ROI, Procurement, Delivery)

• Quicker Security Approvals: Since we started syncing our pipelines with the SSDF standards and made sure we have trustworthy SLSA provenance, solid SBOMs, and OIDC deployments without secrets, it's been a game changer. We've noticed a significant decrease in the endless back-and-forth that typically comes with procurement security questionnaires and SOC 2 evidence reviews. It's definitely made the process smoother! This means you'll get approvals faster and deal with way less hassle overall!
• Reduced Change Failures and Quicker Recovery: With DORA’s five-metric model in play, we’re really getting a handle on things. It helps us see the difference between our throughput and instability, and as a result, the strategies we have in place are helping us cut down on change failure rates and bounce back faster when things go wrong. This basically means we can introduce new features more quickly, all while keeping things stable and reliable. If you're interested in digging a bit deeper into the metrics, just head over to this link: (dora.dev). You'll find some great info there!
• Cutting Down on Material Risks: As incident costs are climbing in the U.S. By moving away from storing credentials in repositories and opting for OIDC, along with signed provenance and enforced gates, we really cut down on the chances of breaches happening. Plus, if something does go wrong, it helps to keep the fallout to a minimum. Making this shift can definitely help take a load off the CFO's shoulders when it comes to worrying about those worst-case scenarios. If you're curious to dive deeper into this topic, check out this article: (bakerdonelson.com). It’s packed with some really useful insights!

Implementation Blueprint (90-Day Pilot)

Overview

We're excited to launch a 90-day pilot program where we'll be trying out some fresh strategies! It's not just about ticking off a to-do list; it’s really about diving into what we can achieve and actually making some real strides forward.

Goals

So, here are the key goals we’re aiming to hit during this pilot:

1. Try Out Some New Strategies: How about we take a leap and test out some fresh ideas? It’ll be exciting to see how they turn out!

2. Let's Get Your Thoughts: We really want to hear from everyone involved to ensure we're headed in the right direction. Your feedback is super important!

3. Measure Impact: It’s super important to take a step back and see how these strategies are affecting our overall goals.

Timeline

To help us stay organized, we’ve divided the pilot into distinct phases:

• Weeks 1-3: Getting everything in place and sorting out the details. Let's gather all the resources we need.
• Weeks 4-6: Implementation. Let’s kick things off and put those strategies into action!
• Weeks 7-9: Monitoring. Take some time to gather data and feedback so you can get a good sense of how everything's going.
• Week 10-12: Evaluation. Take a good look at everything and figure out what we should do next.

Resources Needed

To make this pilot really work, we’re going to need a handful of things:

• Team Members: Gather a dedicated group of folks who are all in for the pilot project.
• Budget: Make sure to get the funds you need for the right resources and tools.
• Tools: Let’s figure out which software or platforms we’ll be using.

Success Metrics

To keep an eye on how we're doing, we’ll be checking out:

• Engagement Rates: Make sure to monitor how many folks are getting involved.
• Performance Data: Let’s dive into the results and see how they stack up against the KPIs we set earlier.
• Feedback: Let's collect some valuable insights from participants by using surveys and interviews.

Next Steps

Are you all set to jump in? Here’s what you should do next:

• Plan a Kickoff Meeting: Let’s get everyone together to chat about the plan and lay out what we’ll be doing moving forward.
• Assign Roles: It's super important that everyone is clear on what their job is. Make sure they know their responsibilities inside and out!
• Get Your Communication Channels Going: Consider tools like Slack or Microsoft Teams to help keep everyone in the loop and connected.

Let’s get pumped about this pilot and team up to make it a hit!

Weeks 0-2: Baseline and Control Mapping

Alright, let’s kick things off by aligning SOC 2 TSC with SSDF. We’ll check out where our evidence is coming from and tackle any gaps we come across as we go. Let’s also get our DORA baseline sorted out. This means we’ll be looking at a few key metrics: lead time, how often we deploy, the time it takes to recover from failed deployments, the percentage of failed changes, and the amount of rework needed after a deployment. Take a look at it over at dora.dev! You might find it pretty interesting!

Weeks 2-4: CI/CD Hardening and Provenance

First things first, let’s get GitHub push protection up and running for the entire organization. It's a great way to keep everything secure from the get-go! Alright, so the next step is to set up OIDC federation for your cloud accounts and your artifact registries. And hey, make sure to enforce Cosign verification when you're deploying things. It’s super important! (Learn more here).

Alright, for the next step, let’s go ahead and toss in some SLSA attestations and whip up SBOMs right in the pipelines! Hey, if you’re curious, you can find all the details right here: Check it out!.

Weeks 4-8: Solidity and ZK Gates

Alright, let’s get started by adding those Foundry fuzz and invariant suites! We’ll also throw in some Echidna campaigns and set up Slither/Mythril to run checks on PRs with certain severity thresholds. Sounds like a solid plan, right? Looking to explore further? Take a look at this awesome guide: Foundry Fuzz Testing. It's packed with helpful info!

Alright, so next on our list is to throw in some ZK constraint checks. This will cover things like Noir tests, Circom assignment rules, and those Halo2 region checks.
We'll give an algebraic checker pass a shot and see how our circuit coverage metrics stack up. If you're looking for more details, feel free to check out the Noir Lang Quick Start page. You'll find plenty of helpful info there!

Weeks 8-10: Upgrade Controls and Runtime Readiness

We're busy putting together some proxy safety runbooks for UUPS and Transparent. On top of that, we're also setting up storage-layout diffing in CI. And don’t forget, we’re getting into the nitty-gritty of designing timelocks and figuring out the multi-sig roles. It's a lot, but we're on it! If you're looking for more info, just check it out here.

• When it comes to observability, we’re rolling out on-chain event monitors, keeping tabs on verifier gas budgets, and just generally watching how admin slots are being used.

Weeks 10-12: Getting Audit-Ready and Aligning GTM

• Gather all the necessary documents for the SOC 2 and ISO 27001 evidence bundle. This covers everything you need, including policies, CI logs, attestations, SBOMs, the risk register, DR test logs, change tickets, and those KPI deltas that match up with the TSC focus areas. For more info, just head over to this link. You'll find all the details you need! Hey team, let's take a moment to go over the KPI trendlines and chat about what we need to do next for governance. Let's set up a monthly security council to keep track of any changes and review things regularly. This way, we can stay on top of everything and make sure we’re always in the loop!

Tokenized Real-World Assets with Quarterly NAV

So, here’s the scoop: an enterprise asset manager has just launched an ERC-4626 vault. It’s pretty cool because it comes with an oracle-based NAV and regular rebases, which is a mouthful but super useful. Plus, everything is seamlessly integrated into SAP, making settlements a breeze!

• DevSecOps Specifics: We're using Foundry's invariants to keep everything in check. That means we’re making sure that totalAssets match up with the total of user balances, putting limits on fees, and keeping a lid on how stale the oracle data can get. On top of that, Echidna steps in to create those trimmed-down failure traces when things don’t go as planned. (learnblockchain.cn). Hey there! Just a quick heads up: the slither detectors are now in “fail build” mode. This means they'll flag any upgrade storage collisions right away. We've set up some security measures for UUPS upgrades by adding a timelock and multi-signature checks. Plus, we've made sure that the storage layout is solid before moving forward. (github.com). So, we’ve set up GitHub OIDC for accessing the cloud, and we’re rolling with Cosign-signed images. This way, we’re all about hitting that SLSA Level 3 provenance. Basically, nothing gets deployed unless we’ve got that verified attestation in hand. Safety first, right? (github.com).
• Services Leveraged:
  • Asset Tokenization Check out our Asset Management Platform Development services. We’ve got a solid approach to help you manage your assets effectively!
  • Smart Contract Development
  • Blockchain Integration

ZK Compliance Proofs for Invoice Financing (Halo2/Noir)

Context

We’ve got to share the “paid-status without amounts” with our partners. To do this, we’ll double-check that the proofs are verified on-chain before we go ahead and release any funds.

DevSecOps Specifics

Alright, so we're jumping into some Noir unit tests and doing a few differential checks against a reference implementation. Let's see how it all stacks up! We're also keeping a close watch on the Halo2 region discipline, especially when it comes to things like copy/lookup constraints and blinding rows.
We're going to run some AC4-style algebraic checks to spot any under-constraints before we dive into the code review. It’s a good way to make sure everything's in order! For more info, check out noir-lang.org. It's got all the details you need! We're setting up a gas budget alert system for verifiers to make sure everything runs smoothly. We’ll also make sure to document and sign off on the KZG SRS provenance as part of the release process. It’s important to keep a clear record of that! If you’re looking for more info, definitely take a peek at zkdocs.com. They’ve got some really helpful insights!

Services Leveraged

• Web3 development services
• Blockchain development services
• Security audit services

Cross‑Chain Reporting with Upgradeable Proxies

Context

When it comes to juggling multi-chain deployments, businesses are really on the lookout for a reliable way to keep everything in check. They’re really looking for a functional kill-switch that they can actually rely on. Plus, they want clear Service Level Agreements (SLAs) that lay out what’s expected when it comes to operations--especially regarding how they gather Layer 2 usage for their internal billing.

DevSecOps Specifics

To bring all this to life, we’ve got a couple of tried-and-true strategies we lean on:

Hey there! So, we're rolling with the OpenZeppelin Upgrades Plugins workflow. It’s pretty neat because it helps us with storage diffing and gives us those helpful UUPS guardrails too. We're rolling out beacon proxies to make it easier to do atomic upgrades across different instances. On top of that, we take a Defender-style approach to our staged proposals, which really simplifies the approval process. If you want to get into the nitty-gritty, just click here for all the details!

When it comes to security, we've got some solid measures in place! Our GitHub secret push protection, along with the ability to delegate bypass approvals, really helps us tackle those annoying CFRs that pop up when someone accidentally pushes secrets into a repository. It's a game changer for keeping our code safe! This is a great way to make those SOC 2 walkthroughs go a lot smoother--definitely a win! You can take a look at it here.

Services Leveraged

To really bring everything to life, we tapped into some amazing services.

• Cross-chain solutions development
• Blockchain bridge development

Technical Spec -- What We Install on Day One

CI/CD

• GitHub OIDC to AWS/Azure: We’re all about those short-lived credentials here! We link up repository and environment claims to keep everything secure and efficient. Check it out here.
• How to Cosign and Verify: We also tap into Rekor transparency logs for this process. If you want to dig deeper, you can check out more information here.
• SLSA Provenance Emitters: We’re set up with policies to prevent any deployments that lack L3 attestation. Learn more here.
• SBOM (CycloneDX) & OpenSSF Scorecard Checks: You'll find these checks happening right in the pull requests. If you want to dive deeper, you can check out more details here.

Solidity

• Foundry Unit/Fuzz/Invariant Tests: We make sure to check gas reports whenever there's a merge request, and we’ve got some solid gates in place for tools like Slither, Mythril, and Echidna. Get the scoop here.
• Proxy Governance: We’re all about UUPS and Transparent setups, and we really dive into storage-layout differences. Plus, we’ve got our bases covered with timelock and multi-signature policies. Take a look at the details here. You’ll find everything you need!

ZK

• Noir Tests and Coverage: We're all about keeping things solid when it comes to our Circom constraints. We double-check our Halo2 layouts and regions, stick to a smart k-sizing policy, and use AC4-style algebraic validation to make sure everything’s up to snuff. Read more here.

Secrets and Scanning

• Secret Scanning: Whenever you create a new public repository, we automatically turn on push protection for you. If you're using Advanced Security, this feature can also be applied to your private repos. We've got the delegated bypass workflow up and running as well. If you’re looking for more details, you can find the update here. Take a look!

GTM Metrics and What We Measure Together

DORA Metrics (Reported Weekly)

• Change Lead Time
• Deployment Frequency
• Time to Bounce Back from a Deployment Failure.
• Change Failure Rate
• Deployment Rework Rate

We've discovered that outstanding performance really ties together all four of the classic DORA metrics. And with the 2024 update, we're excited to add rework to the conversation as well! We're all about making real progress that you can actually see, instead of just going after big, flashy numbers that don't tell the whole story. If you want to dive deeper into this, head over to dora.dev. There’s a lot of great info waiting for you!

Security KPIs

• Secrets-in-repo incidents: We're really shooting for zero incidents now that we've rolled out OIDC and push protection.
• Vulnerability Density (Critical/High): Our goal here is to see a consistent drop in these numbers every quarter. We plan to use tools like Slither and Mythril to help us track that progress.
• ZK Constraint Health: We're monitoring the situation for any zero known under-constraint classes before we go into production. We use this cool algebraic checker to keep tabs on everything.

Compliance/Procurement KPIs

• Keeping SOC 2 evidence up to date: It's important for us that all necessary documents and artifacts aren’t older than 30 days.
• Vendor Risk Questionnaire (VRQ) cycle time: We're aiming to speed things up by minimizing back-and-forth. How? By using an evidence set that aligns with the SSDF. For more in-depth info, just hop over to csrc.nist.gov. You'll find everything you need there!

Financial Framing

Hey, so check this out: IBM did some research, and they've found that the average cost of data breaches in the U.S. is pretty eye-opening. is about $10. 22 million. We’re really making strides to minimize both the chances of issues popping up and their potential impact by using tools like OIDC, signed provenance, and gated upgrades. This approach is shaping up to present a solid argument for a risk-adjusted ROI that the CFO would definitely want to take a closer look at. If you're curious to dive deeper into this topic, check it out at bakerdonelson.com. There’s plenty of good info waiting for you!

What You Get from 7Block Labs (and Where to Kick Things Off)

• A reliable delivery system for your blockchain software that's ready to roll out, gaining approval from your InfoSec, GRC, and engineering teams.
• A seamless transition from pilot phase to full-scale operation: Let's kick things off with a 90-day pilot project. We can focus on either a specific Solidity codebase or dive into a particular family of ZK circuits. It's all about digging deep and really getting to know one area.
• Dive into multi-chain setups and seamlessly connect with ERP systems through our awesome blockchain integration services. Take a look at our awesome delivery kits for dApp development, DeFi development, and custom blockchain services! You can find all the details here for dApp development, here for DeFi development, and here for custom blockchain development. We've got you covered!
• Here are some optional extras you might want to think about: Here’s the scoop: we offer independent security audit services that also come with formal verification support. It’s a solid way to ensure your systems are secure and up to par! Check it out!
• Make sure your fundraising and market strategy are on point with our fundraising advisory service. We've got your back!

Closing Note on Pragmatism

• We're all about keeping things real and useful. Our main goal is to zero in on the essentials that really help reduce risks and get things done faster. So, let’s say we’re working with an ERC-4626 vault that uses some pretty basic linear math. In that case, we’d rather go for fuzz testing and check for invariants instead of getting bogged down with all those complex, heavyweight proofs. It just makes more sense for what we’re dealing with! When we’re dealing with a mission-critical circuit, we definitely make sure to include algebraic checks and formal reviews. But we’re careful to only use them where they really help reduce risk.

Enterprise CTA: Schedule Your 90-Day Pilot Strategy Call

Are you ready to jump in? Let's explore a 90-day pilot strategy that's just right for you. Why not set up a call with us today? We’d love to chat!