Compliance with VARA (Virtual Assets Regulatory Authority) is now an essential step for companies known as Virtual Asset Service Providers (VASPs) operating in Dubai within the blockchain and cryptocurrency space. Meeting VARA’s requirements can determine whether or not an organization receives or maintains its license, underscoring its importance as it directly impacts business operations, revenue, and trust.
Does VARA require vulnerability scanning or penetration testing to ensure adherence to its Technology and Information Rulebook? Yes, both are mandatory. In this article, we explore these requirements in the context of VARA compliance and explain what they mean in practice for a VASP planning and scoping its assessments.
What is VARA, and why does compliance matter?
Dubai’s Virtual Assets Regulatory Authority (VARA) oversees the emirate’s virtual asset regulatory framework, which requires Virtual Asset Service Providers (VASPs) to establish and maintain robust policies and practices for securing systems, safeguarding data, and protecting virtual assets. The framework is designed to regulate virtual asset providers and enhance the security, transparency, and accountability of VASPs operating across the Emirate of Dubai, including its free zones. Note that the Dubai International Financial Centre (DIFC) falls outside VARA’s remit and is regulated by its own financial services regulator.
A brief overview of VARA’s regulatory framework
The VARA regulatory framework mandates compliance with a set of binding rulebooks, including the Technology and Information Rulebook. These rulebooks govern key aspects such as cybersecurity, data protection, cryptographic key management, and transaction monitoring. VARA compliance ensures that Dubai VASPs implement effective governance structures, adhere to industry best practices, and manage the risks associated with blockchain and cryptocurrency activities.
A short explanation of VARA’s Technology and Information Rulebook
The Technology and Information Rulebook is a cornerstone of VARA’s regulatory requirements. It outlines specific obligations for VASPs to:
- Implement robust cybersecurity measures to protect systems and data.
- Conduct regular independent penetration testing and vulnerability assessments.
- Maintain a Business Continuity and Disaster Recovery (BCDR) plan to minimize disruptions during incidents.
- Appoint key personnel, such as a Chief Information Security Officer (CISO), to oversee compliance.
- Ensure the secure generation, storage, and management of cryptographic keys and wallets.
These measures aim to foster a secure and resilient ecosystem for virtual assets, minimizing the risks of cyberattacks and data breaches.
What are penetration testing and vulnerability assessments?
Penetration testing and vulnerability scanning are two critical elements mandated by VARA to assess the security of a VASP’s systems, verify an organization’s overall security posture, and test controls designed to protect against cyberattacks.
Penetration Testing
Also called “pentesting,” it involves simulated attacks using tools, tactics, and techniques similar to those employed by malicious adversaries. This type of security testing aims to identify vulnerabilities and exploit weaknesses to assess their potential impact. Examples of impact demonstration include gaining access to confidential assets such as client data or strategic, board-level sensitive information.
Vulnerability Scanning
By contrast, vulnerability scanning is an automated process that matches systems against a database of known vulnerabilities (for example, missing patches, outdated software versions, and common misconfigurations). This method provides a broad overview of a company’s security posture and highlights areas requiring immediate attention, but it does not attempt to exploit findings or chain them together to demonstrate impact.
Comparing the two
While both pentesting and vulnerability scanning play a role in enhancing security, they have distinct strengths:
- Pentesting: Manual, adversary-driven testing that can uncover previously unknown vulnerabilities, business logic flaws, and chains of individually low-severity weaknesses, but it is time-intensive and costly.
- Vulnerability Scanning: Efficient and cost-effective, and well suited to frequent or continuous use, but it only detects issues matching known signatures and cannot find logic flaws or assess real-world exploitability.
By combining these two methods, VASPs can comprehensively understand their security risks and implement effective measures to protect their systems.
VARA’s specific penetration testing needs
VARA’s penetration testing requirements are integral to maintaining a strong risk management framework for Virtual Asset Service Providers (VASPs). By mandating annual risk assessments, comprehensive vulnerability assessments, and independent audits, VARA ensures that VASPs uphold the highest security standards and comply with applicable laws. These measures safeguard the integrity of blockchain systems and smart contracts and reinforce trust in the broader virtual asset ecosystem.
Annual pentesting requirements for VASPs
Under section E. Testing and Audit of VARA’s Technology and Information Rulebook, Virtual Asset Service Providers (VASPs) are required to conduct pentests at least annually and prior to the introduction of new systems, applications or products. By performing security tests regularly, VASPs can identify and mitigate vulnerabilities in their blockchain infrastructure, virtual asset wallets, and other critical systems before an attacker does.
According to the rulebook, “VASPs must engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing [including, to the extent relevant to the VASP’s business and VA Activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts] at least on an annual basis and prior to the introduction of any new systems, applications and products. VASPs must provide the results of any such assessments and tests to VARA upon VARA’s request.”
Mandatory third-party audits by qualified and independent auditors
VARA mandates that qualified and independent third-party auditors conduct all penetration tests and vulnerability assessments. Testing performed by the VASP’s own engineers, however competent, does not satisfy this requirement. External auditors bring an unbiased perspective and the expertise needed to conduct thorough evaluations. The results of these assessments must be documented and made available to VARA upon request, so reports should be retained in a form that evidences scope, methodology, findings, and remediation.
Pre-deployment testing for new systems, applications, or products
Before deploying new systems, applications, or products, VASPs must conduct penetration tests to assess security and identify potential vulnerabilities. Pre-deployment testing helps organizations proactively address security issues and ensures that new technologies meet VARA’s rigorous standards before being introduced into production environments. This requirement minimizes the risk of exposing users and assets to potential threats.
Comprehensive audits of smart contracts
VARA emphasizes the importance of auditing smart contracts. These audits assess the enforceability, effectiveness, and security of the contracts, ensuring they function as intended and do not harbor exploitable vulnerabilities. Because deployed smart contracts are typically immutable and directly control funds, a defect found after deployment is far harder and costlier to remediate than one found in review, which is why the rulebook ties these audits to the pre-deployment testing requirement. Comprehensive evaluations of smart contracts help maintain trust in decentralized systems and align with VARA’s goal of fostering a secure virtual asset ecosystem.
My organization needs a pentest as part of our VARA compliance. What else do I need to know?
Below are key points to consider when conducting pentesting for VARA compliance purposes:
Defining the scope of a VARA penetration test
Defining the scope of a VARA penetration test involves establishing the boundaries of what will be tested during the engagement. Typically, this includes a list of assets the pentest team is authorized to evaluate while excluding those off-limits.
According to the rulebook, “VASPs should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, on a regular basis and on request by VARA, VASPs must perform security testing on both infrastructure and applications; and internal system and external system vulnerability audits”.
From our experience, organizations working toward VARA compliance usually consider the following elements when determining the scope of their penetration test assessments:
- Mobile applications, wallets, or exchange front ends, if applicable.
- The company’s main product, whether a blockchain-based platform, application, smart contract or decentralized application (dApp).
- Administrative panels or internal tools that support blockchain or cryptocurrency operations.
- APIs (such as REST, GraphQL) and microservices that facilitate blockchain interactions.
- Public-facing server infrastructure, often hosted in cloud environments.
- The company’s internal network, critical servers, and infrastructure (which may include smart contract deployment environments, Kubernetes clusters, etc.).
Penetration tests are often conducted in a staging environment to prevent potential disruptions in production. As long as the staging environment closely mirrors production (same code version, dependency versions, configuration, and infrastructure layout, not merely the same application code), this approach is generally acceptable and widely used. Components that exist only in production, such as the public-facing perimeter, cloud account configuration, or the actual deployed smart contracts, still need to be covered, typically with non-destructive testing. Consulting with VARA or your auditor beforehand is advisable to ensure that the scope meets their expectations.
The average duration of a VARA compliance penetration test
The typical penetration test for VARA compliance has a timeframe that varies with the project’s scope, ranging from 5 to 30 person-days. An assessment of a single smart contract or blockchain node may take a few days, while a large cryptocurrency exchange or an intricate blockchain ecosystem might require several weeks. Most penetration tests are completed in one to three weeks, though larger scopes take longer.
Beware of providers offering “express” penetration tests lasting one to three days. Such assessments almost certainly rely on automated scanners or basic checklists rather than manual testing, and are likely to miss subtle vulnerabilities, especially in business logic or smart contract functionality, which are exactly the classes of flaw that matter most for a VASP.
In our experience, a penetration test for any blockchain-related project that takes less than 40 hours to complete for a small to medium-sized scope may not provide the necessary level of scrutiny.
The estimated cost of a penetration test for VARA compliance
In our experience, under the context of security testing for blockchain companies, the estimated price for a penetration test conducted by a credible and accredited cybersecurity firm may vary between $5,000 and $25,000, depending on the scope and complexity. Blockchain projects usually have a higher degree of complexity, and a lot is at stake, so one can expect pricing at the mid to higher end of the range.
The price may be higher for more comprehensive security audits or lower for smaller scopes. Reputable penetration test providers often charge around $200 to $300 per hour.
We’ve written a detailed article on penetration testing pricing containing much more information on the topic.
How to engage a qualified provider for pentesting and vulnerability assessments
Engaging a qualified provider for VARA pentesting requires a structured approach to ensure effectiveness and compliance with the framework. Here’s how VASPs can do it:
1. Define the scope and objectives
- Identify critical assets, systems, and data requiring testing.
- Determine if the assessment covers external, internal, web applications, APIs, or cloud environments.
- Align objectives with compliance requirements, such as the Risk Management Rulebook and personal data protection policies.
2. Evaluate provider qualifications
- Choose providers with proven expertise in the security of digital assets.
- Verify industry certifications (e.g., OSCP, CREST).
- Ensure familiarity with the regulatory framework and cybersecurity best practices.
3. Testing methodology
- The provider should follow industry-standard methodologies such as the OWASP testing guides and NIST SP 800-115.
- Confirm whether their approach includes automated scanning, manual exploitation, and, where in scope, social engineering tests.
4. Check compliance and reporting standards
- Ensure the provider delivers a detailed report with risk classification, impact analysis, and remediation steps.
- Reports should align with regulatory requirements and assist in fulfilling compliance obligations.
5. Review engagement terms and other measures
- Establish NDAs and legal agreements to protect sensitive data.
- Verify post-assessment support for remediation and retesting.
- Ensure minimal disruption to operations during testing.
Consequences of non-compliance for VASPs
Non-compliance with VARA’s regulations can have severe consequences for VASPs, including:
- Regulatory penalties: Significant fines or suspension of licenses.
- Operational disruptions: Increased scrutiny or restrictions on business operations.
- Reputational damage: Loss of client trust and business opportunities.
- Legal liability: Potential legal actions stemming from data breaches or cybersecurity incidents.
Demonstrating compliance with VARA’s framework is therefore not just a regulatory obligation but a business imperative: it builds trust, supports operational resilience, and helps maintain a competitive edge in the blockchain and cryptocurrency space.
How can VASPs benefit from an experienced partner?
Virtual Asset Service Providers operating under Dubai’s VARA framework can greatly benefit from working with an experienced provider to ensure compliance with regulatory requirements. A knowledgeable partner can help VASPs implement personal data protection measures that align with VARA’s stringent guidelines, safeguarding sensitive customer information.
An expert provider can also help navigate the Risk Management Rulebook and ensure robust access controls prevent unauthorized access to critical systems and data. Regular internal audits by experienced professionals further strengthen compliance efforts, identifying gaps and mitigating risks before they become regulatory issues.
Here at Blaze, we’ve worked with some of the world’s most renowned companies in the blockchain space, such as Bitcoin.com, Bitstamp, CoinLoan, Paxful, and many others.
Closing thoughts
Penetration testing is a cornerstone of VARA compliance, helping organizations identify and mitigate vulnerabilities in blockchain and cryptocurrency systems. By defining an appropriate scope, allocating sufficient time for thorough testing, and partnering with experienced cybersecurity professionals, your organization can ensure compliance with VARA’s rigorous standards and strengthen its overall security posture.