
Conversation with Mysten Labs: Sui Stands at the Forefront of Its Time, Committed to Building a Security-First L1

The Sui community has a responsibility to protect the interests of the entire ecosystem, including the network and developers building applications on the Sui platform.
Recently, we sat down with Christian Thompson, Deputy Chief Information Security Officer at Mysten Labs, to discuss how the different parts of a security practice fit together and how he assesses the security practices of developers building on Sui.
Below is the full interview:
What is the role of a CISO in technology companies?
The responsibilities of a Chief Information Security Officer (CISO) are broad and play a critical role in securing our digital environment. One key task is gathering threat intelligence, which involves understanding the mindset of potential attackers: who they are, why they might target us, when they may strike, what motivates them, and how skilled they are in their attack methods.
By having a clear picture of potential adversaries and understanding their capabilities, we can take proactive steps to protect our systems. Think of it like a puzzle game—if we know who the players are and how they operate, we can more effectively piece things together. For example, we can combine their known tactics with areas in our system that may be most vulnerable. It’s like building a defense system that immediately triggers an alert whenever someone attempts to breach our digital perimeter.
Just as a home alarm alerts us when someone tries to break in, this defensive setup provides real-time notifications whenever suspicious activity occurs. This means we can respond quickly to potential threats and take appropriate measures to mitigate risks.
These focus areas span a wide range, including cybersecurity, data management, risk across various domains, architecture, compliance, governance, resilience, and reporting.
Part of the CISO's role also extends to protecting internal team members. We spend considerable effort understanding the risk exposure of our team members. These risks can shift significantly, especially when team members travel to regions with violence or other safety concerns.
How does security differ when considering an L1 blockchain like Sui?
To create a cohesive defense strategy for a blockchain like Sui, multiple functions and services must be integrated. This strategy must focus on areas considered weak—but it goes further than that. The Sui community has a responsibility to protect the interests of the entire ecosystem, including the network and the developers building applications on the Sui platform. Achieving excellence in security is costly and challenging, especially for startups.
To address this, the Sui Foundation is developing a product that extends security measures to the broader ecosystem. In effect, the Sui Foundation will provide smaller companies with security tools and services typically available only to larger organizations. This enables them to build in a more secure environment, boosting confidence among end users and regulators alike. Our goal is to ensure that building on Sui is not only efficient but also secure.
What tools and services are used in maintaining blockchain security?
The diagram below illustrates the types of services and tools I believe a proficient security team currently uses. These elements represent the diverse set of services essential for building a robust security framework. It's important to recognize that true effectiveness lies not just in the individual existence of each service, but in the intricate interplay between them. This includes understanding their interrelationships, implementation sequence, and the synergies they create.

For each of these described services (listed in the chart), the Sui network leverages specific tools or relies on service providers for deployment. The Sui Foundation plans to package these components and offer them to any enterprise seeking to adopt them, maximizing their practical utility. Thus, the segmented areas in the diagram symbolize a well-structured repository awaiting exploration—available for entities aiming to strengthen their security posture.
There are many elements in this diagram. Are they equal and tightly connected? Or is there a prioritization mechanism?
Yes, there is prioritization—the structure behind this diagram is intentional. It’s like starting from scratch and identifying what needs immediate attention: you can think of it as building foundational security blocks, or a basic security toolkit. This toolkit might include what we call “brand defense,” meaning vigilance against anything that could harm the company’s reputation. It involves intelligence gathering to monitor and mitigate any negative brand impact. Additionally, “integrity” is crucial—meaning the toolkit must have the ability to detect and address issues that could damage brand image.
Now, the toolkit isn’t one-size-fits-all. Different organizations may require customized toolkits tailored to their unique purposes. For instance, a company closely tied to coding might prioritize developing “vulnerability detection capabilities.” This involves closely examining systems for potential weaknesses and conducting tasks like “fuzz testing” to stress-test their code. On the other hand, consider a decentralized finance (DeFi) company versus a gaming company. A DeFi company might lean toward toolkits focused on regulatory risk, governance, and compliance. In contrast, a gaming company might prioritize operations, intelligence, and specific layers of security engineering.
Essentially, this diagram captures the idea of adapting security strategies to the different cultures and priorities of various types of companies.
Do companies typically start by thinking, “These are all my risks—how do I mitigate them?” Or are there other perspectives?
Yes, that’s often where they start.
The toolkit seems to be a key way to maintain the security of the entire blockchain ecosystem. Given that public blockchains are inherently decentralized and permissionless, how is network security maintained technically when anyone can access and participate?
Yes, the concept of the toolkit plays a pivotal role in maintaining the security of the entire ecosystem. The beauty of public blockchains lies in their decentralized and permissionless nature, enabling many people to scrutinize every aspect. Therefore, building necessary tools and promoting education are both crucial.
Imagine this: individuals within the ecosystem need not only to understand what’s happening but also to know what tools are available and how to use them effectively. Importantly, many factors affecting the ecosystem go beyond the blockchain itself. Discussions on social media, fear, uncertainty, and doubt (FUD), and potential fraudulent activities can all impact the ecosystem. This underscores the importance of comprehensive awareness.
A third key factor is information exchange within the community. When individuals can communicate and collaborate, they strengthen the collective knowledge base. So, it’s a three-pronged approach: education fosters knowledge acquisition, information sharing promotes industry insights, and tools enable actionable responses. Together, this empowers the community to not only understand but actively influence various behaviors.
How is communication currently taking place within the Sui ecosystem?
Communication within the Sui ecosystem takes many forms. Recent validator node summits have provided individuals with valuable platforms to connect and exchange insights. Builder Houses events also offer such opportunities. Additionally, I understand that the Sui Foundation plans to release a series of articles focusing on Sui security in the near future.
Day-to-day communication channels include platforms like Discord and Telegram, facilitating interaction among validators, node operators, and other stakeholders. These forums not only increase awareness around collaboration but continue to grow over time, creating an evolving platform for knowledge discussion and sharing.
Sui Move is inherently safer by design compared to other blockchain programming languages. How does this affect Sui’s approach to security?
It’s undeniable that Move is safer than some other programming languages. I’d add that many of the original team members involved in Sui’s development had strong security backgrounds. So, it’s not just about the language—it’s also about how the various components of Sui were built, making it more resilient and harder to exploit. Of course, this doesn’t mean there aren’t equally talented individuals in the security space. With sufficient incentive, they will work hard to find vulnerabilities. Therefore, experts need to understand who, when, where, why, and how such exploits could occur. That’s where our focus lies.
How do security incidents elsewhere in Web3 impact the work being done on Sui?
Unfortunately, security incidents in Web3 always attract widespread attention. However, they also serve as valuable learning experiences. They prompt security professionals to deeply analyze the mechanics of the breach—how, what, when, who, and why. These insights provide additional understanding for the broader field.
The Sui Foundation team has invested significant security resources into understanding the identity and capabilities of these threat actors, focusing particularly on uncovering their preferred targets and motivations.
These incidents offer two distinct lessons. First, we empathize with those affected, as these events impact real people. Second, they present an opportunity to strengthen Sui’s strategy. These lessons allow Sui to optimize and reinforce its position against similar risks.
What is your outlook on security in Web3’s future?
We stand at the threshold of a new era marked by the emergence of Web3 and the extraordinary technologies it brings—artificial intelligence, machine learning, augmented reality, virtual reality, and more. What excites me is the incredible potential embedded within. We’re on the verge of experiencing highly immersive interfaces and accessing information at unprecedented speeds and in novel ways.
This transformation extends equally to the field of security. Imagine having an AI partner capable of identifying potential threats before they happen—even scenarios of AI versus AI. Undoubtedly, this is where we’re headed, and I look forward to seeing Sui at the forefront of these advanced technologies.