CardSec 🔒
Current project status: complete
Total amount received: $16,500
Total amount requested: $16,500
Total percentage received: 100.00% ($16,500 received out of $16,500)
Solution

CardSec aims to build security guides and open-source testing tools specifically for Cardano stake pools and for dApps that run their own Cardano nodes.


Team

2 members

This proposal was approved and funded by the Cardano community in the Fund 6 "Disaster: When all is at stake" challenge of the Project Catalyst funding round.


Detailed Plan

Stake pools run on rented servers, VPSs and cloud instances, and many operators have little security background; there are few ready-made ways to detect or prevent a coordinated attack campaign against Cardano's ecosystem. CardSec aims to build a powerful, easy-to-use, open-source package of penetration-testing tools for security assessment, together with security guides, specifically for servers running Cardano nodes. We will survey the hosting services most commonly used for nodes and design the tool around them.

We will create a user-friendly, easy-to-install Python package that SPOs can use to test their own systems.

CardSec will roll out in phases; with each phase we will release in-depth, easy-to-understand DIY articles on Medium and video guides on YouTube.
Note: all tools and guides will be organised around the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.

We will request funding in batches.

(Fund-6)

Phase 1: Build a tool that assesses server load (RAM, CPU, disk and network usage) and tracks pending OS and software updates, plus vulnerability-scanning scripts that check stake pool VPSs, cloud instances, etc. for known CVEs (Common Vulnerabilities and Exposures).
Phase 2: A DDoS-prevention 101 guide for the cloud services and server machines that host block-producing and relay nodes, and a safe stress-testing environment for servers running the node.
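As an added illustration of the Phase 1 check described above, the following script is example code written for this page, not CardSec's own tool. It parses /proc/meminfo, /proc/loadavg and the output of `apt list --upgradable`, and turns the figures into findings an operator can act on. The sample inputs are constructed, and the thresholds (10% RAM available, load of 1.0 per core, 90% disk used) are illustrative assumptions; `run_live()` reads the real figures on a Debian/Ubuntu host.

```python
"""Offline server-health and patch-status check of the kind CardSec Phase 1 describes.

Example code for this page, not the CardSec project's own tool. Thresholds are
illustrative assumptions; the sample inputs below are constructed, not captured.
"""
import os
import re
import shutil
import subprocess

# Constructed sample inputs (not from a real pool server).
SAMPLE_MEMINFO = """\
MemTotal:       16384000 kB
MemFree:          512000 kB
MemAvailable:    1024000 kB
Buffers:          100000 kB
Cached:           400000 kB
"""
SAMPLE_LOADAVG = "7.52 6.80 5.10 3/412 12345\n"
SAMPLE_CPU_COUNT = 4
SAMPLE_DISK_USED_FRACTION = 0.93
SAMPLE_APT_UPGRADABLE = """\
Listing... Done
openssl/jammy-updates,jammy-security 3.0.2-2 amd64 [upgradable from: 3.0.2-1]
libssl3/jammy-updates,jammy-security 3.0.2-2 amd64 [upgradable from: 3.0.2-1]
vim/jammy-updates 8.2.3995-2 amd64 [upgradable from: 8.2.3995-1]
"""

MEMINFO_RE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?$")
# apt line shape: name/suite[,suite...] newver arch [upgradable from: oldver]
APT_RE = re.compile(r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+\S+\s+"
                    r"\[upgradable from:\s+(?P<old>[^\]]+)\]$")


def parse_meminfo(text):
    """Return {field: value_in_kB} from /proc/meminfo contents."""
    out = {}
    for line in text.splitlines():
        m = MEMINFO_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_loadavg(text):
    """Return the 1, 5 and 15 minute load averages from /proc/loadavg."""
    parts = text.split()
    return float(parts[0]), float(parts[1]), float(parts[2])


def parse_apt_upgradable(text):
    """Return upgradable packages; 'security' is True when a security suite ships the fix."""
    pkgs = []
    for line in text.splitlines():
        m = APT_RE.match(line.strip())
        if m:
            pkgs.append({"name": m.group("name"), "old": m.group("old"), "new": m.group("new"),
                         "security": "security" in m.group("suites")})
    return pkgs


def assess(meminfo_text, loadavg_text, cpu_count, disk_used_fraction, apt_text,
           max_load_per_cpu=1.0, min_mem_available=0.10, max_disk_used=0.90):
    """Return a list of findings; an empty list means all clear under the assumed thresholds."""
    findings = []
    mem = parse_meminfo(meminfo_text)
    avail = mem.get("MemAvailable", mem["MemFree"]) / mem["MemTotal"]
    if avail < min_mem_available:
        findings.append(f"memory: only {avail:.1%} of RAM available (node may swap or be OOM-killed)")
    _, load5, _ = parse_loadavg(loadavg_text)  # 5-minute average smooths short spikes
    per_cpu = load5 / cpu_count
    if per_cpu > max_load_per_cpu:
        findings.append(f"cpu: 5-minute load {load5:.2f} is {per_cpu:.2f} per core "
                        "(possible resource-exhaustion attack or runaway process)")
    if disk_used_fraction > max_disk_used:
        findings.append(f"disk: {disk_used_fraction:.0%} used (chain DB growth or log flooding can stall the node)")
    pkgs = parse_apt_upgradable(apt_text)
    security = [p["name"] for p in pkgs if p["security"]]
    if security:
        findings.append(f"patches: {len(security)} security update(s) pending: {', '.join(security)}")
    elif pkgs:
        findings.append(f"patches: {len(pkgs)} non-security update(s) pending")
    return findings


def run_sample():
    """Run the check over the constructed samples above."""
    return assess(SAMPLE_MEMINFO, SAMPLE_LOADAVG, SAMPLE_CPU_COUNT,
                  SAMPLE_DISK_USED_FRACTION, SAMPLE_APT_UPGRADABLE)


def run_live(path="/"):
    """Read the real figures on a Linux host; a missing apt binary is tolerated."""
    with open("/proc/meminfo") as f:
        meminfo = f.read()
    with open("/proc/loadavg") as f:
        loadavg = f.read()
    usage = shutil.disk_usage(path)
    try:
        apt = subprocess.run(["apt", "list", "--upgradable"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        apt = ""
    return assess(meminfo, loadavg, os.cpu_count() or 1, usage.used / usage.total, apt)


if __name__ == "__main__":
    for finding in run_sample():
        print("[sample]", finding)
    if os.path.exists("/proc/loadavg"):
        for finding in run_live() or ["all clear"]:
            print("[live]", finding)
```

The sample host trips all four checks (6.2% RAM available, load 1.70 per core, 93% disk used, two pending security updates), which is exactly the picture an operator would want flagged before a relay starts dropping peers. A production version would run from cron or a systemd timer and feed the findings to the notification system planned for Phase 5.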

(Fund-7 onward)
Phase 3: By this point the main exposures should be hardened, so we will publish incident-response guides: what to do during an attack to limit the damage.
Phase 4: Integrate OSINT mapping tools such as ZoomEye to find out whether a server is exposed or leaking sensitive details. Publish personal-security guides and video tutorials for both SPOs and delegators, covering browser-based, wireless and physical attack vectors that can leak wallet or server secrets.

(Fund-8 onward)
Phase 5: Integrate all scripts and guides into a single open-source CLI tool on GitHub, with a notification system that reminds stake pool operators to update their servers as new security updates are released.

Phase 6: Develop a GUI version of the tool.

This will harden Cardano's stake pools and node servers and prepare them for unforeseen disruptions. Our goal is to establish a security standard among SPOs and delegators, so that delegators favour pools that are security conscious.
The success criteria for each phase are those stated in the phase descriptions above.

Roadmap
The roadmap is designed around what we are trying to achieve, since researching, building and testing these scripts takes time.

  • Fourth Quarter, 2021: Phase 1 (Month 1-3)
  • First Quarter, 2022: Phase 2 and 3 (Month 3-6)
  • Second Quarter, 2022: Phase 4 and 5 (Month 6-9)
  • Third Quarter, 2022: Phase 6 (Month 9-12)

Experience

Developers of deqree.in

  1. Adnan: in-depth understanding of attack vectors in cyberspace. Certified intern at CyberCell HQ, Gurugram (India), in vulnerability assessment and penetration testing, OSINT, the MITRE ATT&CK model and forensics.
  2. Advait: knowledge of Cardano infrastructure and tools. Well versed in Bash and Python scripting and in creating Linux system services.

FAQs
Q. Will CardSec be open source and decentralized?
A. Yes. We will open-source the work after each phase so everyone can use it, and since it is open source anyone in the community can contribute, keeping it decentralized.

Q. Will users need prior pen-testing skills to use CardSec?
A. No, CardSec will be user-friendly. Basic Linux knowledge is all that is needed until the Phase 6 GUI is released.

Q. Why are we the right people?
A. We run a stake pool ourselves, are developing another Cardano project (deqree.in), and are both Plutus Pioneers, so we have a deep understanding of the Cardano ecosystem.

Future Goals
Integrate the tool with the Cardano blockchain, using smart contracts to provide rewards, a security rating and notifications for SPOs who run these assessment tests. Set up threat-intelligence monitoring to identify malicious actors.

Expenses
DIY articles, guides, and tutorial videos: $2,500
Research and awareness campaign: $2,500
Human resources: $8,000
Development, testing, and debugging: $3,500
Total: $16,500

Community Advisor Reviews (1)
