<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>DevSecOps :: Unofficial EVE Frontier Development Notes</title>
    <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/index.html</link>
    <description>DevSecOps, short for Development, Security, and Operations, is a set of practices that integrates security into the software development lifecycle. It emphasizes collaboration between development, security, and operations teams to ensure that security is a shared responsibility throughout the entire process of software development and deployment. DevSecOps aims to automate security processes and embed security checks into the continuous integration and continuous delivery (CI/CD) pipelines, allowing for faster and more secure software releases. By adopting DevSecOps practices, organizations can identify and address security vulnerabilities early in the development process, reducing the risk of security breaches and ensuring that applications are secure by design.</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 13 Mar 2026 18:50:00 +0100</lastBuildDate>
    <atom:link href="https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Sui CLI Visualization</title>
      <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/sui-cli-overview/index.html</link>
      <pubDate>Sat, 11 Oct 2025 00:00:00 +0000</pubDate>
      <guid>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/sui-cli-overview/index.html</guid>
      <description>A single-page reference and diagram for the entire `sui` CLI command tree.</description>
    </item>
    <item>
      <title>Sui CLI Cookbook</title>
      <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/sui-cli-cookbook/index.html</link>
      <pubDate>Thu, 09 Oct 2025 20:50:00 +0100</pubDate>
      <guid>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/sui-cli-cookbook/index.html</guid>
      <description>The sui CLI is the primary command-line interface for interacting with Sui nodes, wallets, and developer tools. This cookbook provides quick, copy-paste examples for common tasks.&#xA;Install&#xA;Homebrew (macOS / Linux / WSL)&#xA;brew install sui&#xA;Chocolatey (Windows)&#xA;choco install sui&#xA;Install with suiup&#xA;suiup is a tool similar to rustup. Install it and then install sui:&#xA;curl -sSfL https://raw.githubusercontent.com/Mystenlabs/suiup/main/install.sh | sh&#xA;suiup install sui&#xA;Alternatively, download releases from the Sui GitHub Releases.</description>
    </item>
    <item>
      <title>GraphQL Cookbook</title>
      <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/graphql-cookbook/index.html</link>
      <pubDate>Fri, 13 Mar 2026 18:50:00 +0100</pubDate>
      <guid>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/graphql-cookbook/index.html</guid>
      <description>You can query the world using a GraphQL client such as Insomnia or Postman; alternatively, you can write code to query the GraphQL API. Below are some examples of how to do this in different programming languages.&#xA;JavaScript&#xA;Install the graphql-request library:&#xA;pnpm install graphql-request&#xA;Then you can use the following code to query for all killmail objects:&#xA;const { GraphQLClient, gql } = require(&#39;graphql-request&#39;);&#xA;// 1. Ensure the endpoint is correct (Sui often updates these)&#xA;const client = new GraphQLClient(&#39;https://graphql.testnet.sui.io/graphql&#39;);&#xA;const query = gql`&#xA;  query GetAllKillmailObjects {&#xA;    # &#39;first&#39; is usually mandatory for pagination&#xA;    objects(&#xA;      first: 20,&#xA;      filter: {&#xA;        type: &#34;0x28b497559d65ab320d9da4613bf2498d5946b2c0ae3597ccfda3072ce127448c::killmail::Killmail&#34;&#xA;      }&#xA;    ) {&#xA;      nodes {&#xA;        address&#xA;        version&#xA;        digest&#xA;        asMoveObject {&#xA;          contents {&#xA;            json # Returns the fields of the Move struct as a JSON object&#xA;          }&#xA;        }&#xA;      }&#xA;    }&#xA;  }&#xA;`;&#xA;client.request(query)&#xA;  .then((data) =&gt; console.log(JSON.stringify(data, null, 2)))&#xA;  .catch((err) =&gt; console.error(&#34;Query Error:&#34;, err));&#xA;Python&#xA;Install the gql library:</description>
    </item>
    <item>
      <title>Useful URLs</title>
      <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/useful-urls/index.html</link>
      <pubDate>Fri, 13 Mar 2026 11:00:00 +0000</pubDate>
      <guid>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/useful-urls/index.html</guid>
      <description>Some useful URLs to use for poking around the chain</description>
    </item>
    <item>
      <title>Possible Vulnerabilities</title>
      <link>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/vulns/index.html</link>
      <pubDate>Wed, 28 Jan 2026 21:35:40 +0000</pubDate>
      <guid>https://f76f6398.frontier-scetrov-live.pages.dev/devsecops/vulns/index.html</guid>
      <description>This section documents 34 vulnerability classes commonly found in Sui Move smart contracts. Each vulnerability has its own dedicated page with detailed explanations, vulnerable code examples, and recommended mitigations.&#xA;Overview&#xA;Sui Move contracts face unique security challenges due to the object-centric model, capability-based access control, and programmable transaction blocks (PTBs). Understanding these vulnerabilities is essential for writing secure smart contracts.&#xA;Vulnerability Categories&#xA;Access Control &amp; Authorization (1-9)&#xA;Object Transfer Misuse - Unintended object transfers breaking invariants&#xA;Object Freezing Misuse - Malicious freezing of critical objects&#xA;Numeric / Bitwise Pitfalls - Overflow and shift operation issues&#xA;Ability Misconfiguration - Improper copy, drop, store, key abilities&#xA;Access-Control Mistakes - TxContext and sender verification issues&#xA;Shared Object DoS - Denial of service via shared object contention&#xA;Improper Object Sharing - Accidental exposure of objects as shared&#xA;Dynamic Field Misuse - Child-object and dynamic field vulnerabilities&#xA;Sponsored Transaction Pitfalls - Meta-transaction authority confusion&#xA;Logic &amp; State Management (10-20)&#xA;General Move Logic Errors - PTB reordering and mutation issues&#xA;Capability Leakage - Authority leakage via indirect APIs&#xA;Phantom Type Confusion - Type parameter injection attacks&#xA;Unsafe Object ID Usage - Identity assumptions on child objects&#xA;Dynamic Field Key Collisions - Key collision vulnerabilities&#xA;Event Design Vulnerabilities - Ambiguous or missing events&#xA;Unbounded Child Growth - State bloat from unlimited children&#xA;PTB Ordering Issues - Non-deterministic PTB execution&#xA;PTB Refund Issues - Inconsistent state from partial execution&#xA;Ownership Model Confusion - Incorrect ownership transitions&#xA;Weak Initializers - Reinitialization attacks&#xA;External Integration &amp; Advanced (21-34)&#xA;Oracle Validation Failures - Off-chain oracle trust issues&#xA;Unsafe Option Authority - Authority toggles via Option&#xA;Clock Time Misuse - Timestamp and time logic vulnerabilities&#xA;Transfer API Misuse - Object ownership model transitions&#xA;Unbounded Vector Growth - Gas exhaustion from large vectors&#xA;Upgrade Boundary Errors - ABI breaks on package upgrades&#xA;Event State Inconsistency - State/event synchronization&#xA;Read API Leakage - Information exposure via view functions&#xA;Unsafe BCS Parsing - Off-chain deserialization issues&#xA;Unsafe Test Patterns - Test code leaking to production&#xA;Unvalidated Struct Fields - Missing input validation&#xA;Inefficient PTB Composition - Gas exhaustion patterns&#xA;Overuse of Shared Objects - Unnecessary sharing risks&#xA;Parent Child Authority - Implicit authority assumptions&#xA;OWASP / MITRE CWE Mapping&#xA;# Vulnerability Class OWASP Top 10 MITRE CWE&#xA;1 Object Transfer Misuse A01 CWE-284, CWE-275&#xA;2 Object Freezing Misuse A01 CWE-284, CWE-732&#xA;3 Numeric / Bitwise Pitfalls A06 / A03 CWE-681, CWE-190&#xA;4 Ability Misconfiguration A01 CWE-284, CWE-266&#xA;5 Access-Control Mistakes A01 CWE-285, CWE-639&#xA;6 Shared Object DoS A05 / A06 CWE-400, CWE-834&#xA;7 Improper Sharing of Objects A01 CWE-284, CWE-277&#xA;8 Dynamic Field Misuse A01 / A05 CWE-710, CWE-915&#xA;9 Sponsored TX Pitfalls A01 CWE-285, CWE-863&#xA;10 Reentrancy-like PTB Issues A01 / A04 CWE-841, CWE-362&#xA;11 Accounting / Fee Logic Bugs A04 CWE-682, CWE-840&#xA;12 Capability Leakage A01 CWE-284, CWE-668&#xA;13 Phantom Type Confusion A04 CWE-693, CWE-704&#xA;14 Unsafe object::id() A01 CWE-639, CWE-915&#xA;15 Dynamic Field Key Collisions A01 / A05 CWE-653, CWE-706&#xA;16 Event Model Vulnerabilities A04 / A09 CWE-223, CWE-778&#xA;17 Unbounded Child Growth A06 / A05 CWE-400, CWE-770&#xA;18 PTB Order Logic Flaws A04 CWE-841, CWE-662&#xA;19 Ownership-Model Confusion A01 CWE-284, CWE-266&#xA;20 Weak Initializers A01 CWE-284, CWE-665&#xA;21 Oracle Validation Failures A08 CWE-345, CWE-353&#xA;22 Unsafe Option Authority A04 CWE-696, CWE-693&#xA;23 Clock / Time Misuse A04 CWE-682, CWE-664&#xA;24 Misuse of Transfer APIs A01 CWE-284&#xA;25 Unbounded Vector Growth A05 CWE-770&#xA;26 Upgrade Boundary Errors A04 / A06 CWE-685, CWE-694&#xA;27 Event-State Inconsistency A09 CWE-778, CWE-223&#xA;28 Read API Leakage A01 CWE-200 (Info Exposure)&#xA;29 Unsafe Off-chain Parsing A08 CWE-502, CWE-116&#xA;30 Unsafe Test Signer Use A04 CWE-704, CWE-665&#xA;31 Unvalidated Struct Fields A04 CWE-20 (Input Validation)&#xA;32 Inefficient PTBs A05 / A06 CWE-400&#xA;33 Overuse of Shared Objects A01 CWE-284&#xA;34 Parent→Child Authority Assumptions A01 CWE-863, CWE-284&#xA;Tip&#xA;Use the menu on the left hand side to find the article you are looking for. You can also use search at the top to search for specific terms.</description>
    </item>
  </channel>
</rss>