When it comes to blockchain technology, security isn't just a feature—it's the foundation. At Mysten Labs, the team behind the innovative Sui blockchain and Walrus decentralized storage network, building the most secure blockchain isn't a slogan; it's a daily mission. As the Head of Software and Infrastructure Security, I lead efforts to embed security into every layer of development, from code creation to product deployment.
Our approach is not just technical—it’s strategic, cultural, and deeply integrated into how we build software. In this article, I’ll walk you through the core strategies that define our security philosophy and how we execute them in practice.
Strategy #1: Be the Most Secure Blockchain Company
At Mysten Labs, our primary goal is simple but ambitious: build the most secure blockchain in the world. This isn’t just about preventing hacks—it’s about earning and maintaining user trust. In decentralized ecosystems, where assets are irreversible and trust is decentralized, a single breach can erode confidence across the entire network.
The ultimate measure of our success? How many times have we been hacked in the last 90 days? Zero. And we intend to keep it that way.
But beyond this blunt metric, we focus on continuous improvement. Security isn’t a checkbox; it’s a journey measured by how effectively our strategies reduce risk over time. To achieve this, we ensure that every process—from code review to dependency management—is designed with security as the default.
This overarching mission influences every decision. Whether we're evaluating new tools or designing internal workflows, the question is always: Does this make us more secure without sacrificing efficiency?
Strategy #2: Make Security Usable and Low-Friction for Engineering
We’re an engineering-first company. Our developers are senior, hands-on, and deeply involved in system design. Because of this culture, security isn’t siloed—it’s shared. Engineers naturally act as security advocates, reducing the need for formal “security champion” programs.
But even in such a mature environment, poor security experiences can backfire. If secure practices are cumbersome, engineers will find workarounds—intentionally or not. That’s why we enforce a golden rule: The most secure way to do something must also be the easiest way.
Dogfooding Security Tools and Processes
We don’t just build security tools—we use them. Dogfooding is central to our evaluation process. If our own security team wouldn’t use a tool in production, we won’t impose it on engineers.
For example, we’ve found that test applications don’t reflect real-world complexity. Our monorepo can take 10 hours to build, and a tool that works on a small demo app might fail catastrophically at scale. By writing real code and running real builds, we uncover issues like slow scan times or false positives that block pull requests unnecessarily.
This hands-on approach leads to better tooling—like implementing incremental builds to speed up scans—and ensures that security integrates smoothly into the developer workflow.
Critical AppSec Skills: Security Engineers Who Code
We believe that effective application security (AppSec) requires real software development skills. You don’t need a decade of coding experience, but you must be able to write code and collaborate directly with engineering teams.
Why? Because understanding how code is built helps you understand where it can break. The “aha” moment in vulnerability discovery often comes from seeing how a function is actually used—not just how it’s written. A security engineer who can read, write, and debug code is far more effective than one who only reviews reports.
This blend of security mindset and software fluency is what allows us to build tools and processes that developers actually want to use.
Strategy #3: Improve Security and Engineering Efficiency
Security and efficiency aren’t opposites—they’re allies. One of our key focus areas is reducing technical debt and supply chain risk by minimizing dependencies.
Every third-party library introduces potential vulnerabilities. We regularly audit our codebase to identify libraries used for only one or two functions. When possible, we replace them with minimal internal implementations—removing the dependency entirely.
This strategy does more than shrink the attack surface:
- It reduces supply chain risks (e.g., compromised packages).
- It improves code ownership—we control every line.
- It enhances performance and maintainability.
But to do this at scale, we need tools that provide accurate, contextual data. We can’t waste time chasing false positives or analyzing unused code paths. Our tooling must support reachability analysis, especially for transitive dependencies—where most vulnerabilities hide.
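As an added illustration (not Mysten Labs' code or tooling), the Python sketch below shows what reachability-based triage over a dependency call graph looks like: it decides whether a vulnerable function in a transitive dependency actually sits on a path from the application's entry point, and it flags direct dependencies the application reaches through only one or two functions, the candidates for replacement with a minimal internal implementation. The call graph, package names and function names are all constructed for the example.

```python
"""Reachability triage over a constructed dependency call graph (hypothetical names)."""
from collections import deque

# Constructed sample: "package:function" nodes and the call edges between them.
# http_lib and toml_lib are direct dependencies; compress_lib is transitive
# (pulled in by http_lib). None of this is a real project's code.
DIRECT_DEPS = {"http_lib", "toml_lib"}
CALL_EDGES = {
    "app:main": ["app:serve", "app:parse_config"],
    "app:serve": ["http_lib:listen"],
    "app:parse_config": ["toml_lib:parse"],
    "http_lib:listen": ["http_lib:read_request", "http_lib:write_response"],
    "http_lib:read_request": ["compress_lib:inflate"],
    "http_lib:write_response": [],
    "compress_lib:inflate": ["compress_lib:checksum"],
    "compress_lib:checksum": [],
    "compress_lib:deflate": ["compress_lib:checksum"],  # shipped, never called
    "toml_lib:parse": [],
    "toml_lib:to_string": [],                           # shipped, never called
}

def reachable_functions(root="app:main"):
    """Breadth-first walk from the entry point; returns every node on some call path."""
    seen, queue = {root}, deque([root])
    while queue:
        for callee in CALL_EDGES.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def triage_advisory(vulnerable_function, root="app:main"):
    """'reachable' if the advisory's function is on a path from the entry point,
    even through a transitive dependency; otherwise 'unreachable' (deprioritise)."""
    return "reachable" if vulnerable_function in reachable_functions(root) else "unreachable"

def used_functions_per_package(root="app:main"):
    """Count, per third-party package, how many of its functions the app actually reaches."""
    counts = {}
    for node in reachable_functions(root):
        pkg = node.split(":", 1)[0]
        if pkg != "app":
            counts[pkg] = counts.get(pkg, 0) + 1
    return counts

def replacement_candidates(root="app:main", threshold=2):
    """Direct dependencies reached through at most `threshold` functions: candidates
    for a minimal internal implementation that drops the dependency (and its transitives)."""
    counts = used_functions_per_package(root)
    return sorted(p for p in DIRECT_DEPS if counts.get(p, 0) <= threshold)
```

Run against a real code base, the edges would come from a call-graph or symbol-usage extractor rather than a literal; the triage logic is unchanged.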
How AppSec Tools Enable (or Hinder) Our Strategy
Application security tools aren’t just scanners—they’re enablers of our core strategies. When effective, they integrate seamlessly into CI/CD, deliver actionable insights, and help us own our codebase. When ineffective, they become bottlenecks.
What Works: The Impact of Effective AppSec Tools
- Accurate insights: Reliable data on dependencies, including complex trees and actual usage.
- Fast, integrated scans: Low-friction CI/CD integration with minimal build delays.
- Contextual findings: Engineers can prioritize fixes based on reachability—knowing if a vulnerability is actually exploitable.
- Strategic policy enforcement: Uniform rules across the codebase to block malware, secrets, or critical CVEs automatically.
What Doesn’t Work: Lessons from a Failed Tool
We switched vendors because our previous platform became a roadblock:
- High false positive rates: Flagged vulnerabilities in outdated or unused test binaries.
- No production context: Couldn’t determine if vulnerable code was even shipped.
- No reachability for transitive deps: Missed critical context needed for accurate triage.
An effective AppSec tool doesn’t just find problems—it helps us solve them efficiently without disrupting development velocity.
Frequently Asked Questions
Q: What makes Sui blockchain more secure than others?
A: Sui’s security stems from its foundational design—using the Move programming language, which enforces resource ownership and prevents common vulnerabilities like reentrancy attacks. Combined with rigorous internal security practices at Mysten Labs, this creates a robust, secure-by-design ecosystem.
Q: How does dogfooding improve security tooling?
A: By using our own tools in real development scenarios, we experience the same friction engineers face. This leads to faster identification of usability issues and more practical, effective solutions.
Q: Why reduce dependencies instead of just patching them?
A: Patching is reactive. Removing unnecessary dependencies is proactive—it eliminates entire attack vectors and reduces long-term maintenance overhead.
Q: Can security be both strict and developer-friendly?
A: Absolutely. The key is designing security controls that are seamless and intuitive. When secure practices are also the easiest, adoption becomes natural.
Q: What role does automation play in your security strategy?
A: Automation is critical. We use it for dependency scanning, policy enforcement, and vulnerability blocking within CI/CD pipelines—ensuring security keeps pace with development speed.
Q: Is full code ownership realistic at scale?
A: While not always possible, we aim to own critical components. For non-critical functions, we apply strict vetting—but owning core logic gives us maximum control and security.
Final Thoughts
Building the most secure blockchain requires more than cryptography and audits—it demands a culture where security is intuitive, efficient, and embedded in every step of development. At Mysten Labs, we achieve this through three core strategies: relentless focus on security excellence, frictionless developer experiences, and continuous improvement of both code and process.
As blockchain adoption grows, so do the stakes. The future belongs to platforms that don’t just promise security—but prove it, every day.