"Blockchain presents a whole bunch of unknowns" from a security perspective, McAfee APAC chief technology officer Ian Yip told iTWire.
"I don't think you can ever take away the security issues completely."
McAfee recently published a report on the various security risks around blockchain.
Security issues with an application "don't go away just because you've put it on the blockchain", he warned.
For example, smaller blockchains are vulnerable to majority attacks, where an attacker can bring enough processing power to bear that it can essentially overwrite the blockchain. In some cases, this can be achieved with $500 worth of cloud compute resources, Yip said.
"There's only trust as long as you can trust that the blockchain hasn't been overwritten."
Another problem is FOMO – "there's a lot of hype" and people are trying to apply blockchain without really understanding it. When he asks people why they are using blockchain in a project, the answer is often "we're not sure."
"Some people do it just for airtime," Yip observed. "There doesn't seem to be a 'killer app' for blockchain apart from cryptocurrency".
Application development practices have an impact on the security of any system, including those using blockchain.
"The culture of security has improved" to the point that it is a mainstream consideration, but "it's still humans writing code" so security has to be designed in from the outset.
For example, a smart contract is code, and that code can be exploited independently of the underlying blockchain.
And it doesn't matter how secure a blockchain is, it can't protect flawed processes from being exploited.
"Defence in depth [today] is far more complicated than defence in depth five years ago," Yip said. "It takes a lot of knowledge to understand all the moving parts", though there would be even more issues if programming skills and practices hadn't improved.
But attackers "are ever more creative", he warned. In particular, they are able to build on each others' knowledge more easily than the defenders to, because attackers have clearer goals.
"There's always been informal collaboration" within the software industry, but organisations need to work more closely together on common goals, Yip suggested. "There's still room for improvement."