over budget

Cardsec 🔒: SPO Self-Audit Toolkit

$20,500.00 Requested
Community Review Results (1 reviewers)
Solution

CardSec is building guides and user-friendly open-source testing tools customized for servers running Cardano nodes.

Problem:

There is a need for a 101 stake pool security guide and self-auditing tools for stake pool operators and developers running Cardano nodes.

Yes Votes:
₳ 67,326,596
No Votes:
₳ 7,556,263
Votes Cast:
145


Detailed Plan

As we all know, stake pools run on bare-metal servers, cloud instances, and similar hosting. There is currently a lack of cybersecurity awareness among operators and few ways to prevent sophisticated attacks, such as a mass attack campaign against Cardano's ecosystem. CardSec is building a powerful, easy-to-use, open-source package of penetration testing tools for security assessment, along with security guides designed for servers running Cardano nodes. We are researching all the common hosting services where nodes are run and will design the tool accordingly.

We are creating a user-friendly, easy-to-install Python package that SPOs can use to test their own systems.

CardSec aims to roll out in different phases; with each phase we will release in-depth, easy-to-understand DIY articles on Medium and video guides on YouTube.

Note: All the tools and guides will be organized around the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.

We will be requesting funding in batches.

Fund-6 (Funded and development ongoing)

  • Phase-1:
    Creating a tool to assess server load (RAM, CPU, disk and network usage) and to track OS and software updates. Developing vulnerability scanning scripts that detect known CVEs (Common Vulnerabilities and Exposures) on the VPS, cloud instances, etc. that host stake pools.

  • Phase-2:
    Release of stake pool statistics by hosting provider, updated on a monthly basis. A DDoS 101 prevention guide covering the different kinds of cloud services, server machines, etc. where block-producing and relay nodes are hosted. We also plan to build a safe stress-testing environment for servers running the node.

Fund-7

  • Phase-3:
    Creating functionality to notify SPOs whenever a required software update is released or a vulnerability is found on their servers. Creating an option for SPOs to automatically self-report their system health to our portal. We also plan to publish a report on stake pool statistics covering server specs, security measures in place, and the cloud providers and hosting services used.

  • Phase-4:
    Integrating OSINT mapping tools such as ZoomEye to find out whether a particular server is exposed or leaking sensitive details. Issuing personal security guides and video tutorials for both SPOs and delegators, covering browser-based, wireless, and physical attack vectors, to prevent leakage of sensitive wallet or server information.

Fund-8

  • Phase-5:
    Creating a portal to display the security strength of SPOs and their self-audit results. Providing a personalized service for SPOs to obtain an independent audit and support for their stake pools. Developing a rating system based on security strength.

  • Phase-6:
    Creating simulations of different kinds of cyber-attacks and publishing reports on the portal to keep SPOs aware of new security trends. We will also explore new threat vectors using threat intelligence.

This will harden Cardano's stake pools and the servers running their nodes, and prepare them to withstand unforeseen disruptions. Our goal is to establish a security standard among SPOs so that delegators can recognize pools that are security conscious.

Roadmap

The roadmap is designed around what we are trying to achieve, since researching, building, and testing these scripts takes time.

  • Nov 2021 - Jan 2022: Phase 1 and 2 (underway)
  • Feb 2022 - April 2022: Phase 3 and 4
  • May 2022 onwards: Phase 5 and 6

Metrics/KPIs:

  • No. of tool updates or releases
  • No. of SPOs using the tool
  • No. of tool installations

FAQs:

Q. Is CardSec open-source?
A. Yes, it is fully open-source on our GitHub, so everyone can make use of the resources, and anyone from the community can contribute to it.

Q. Do I need any prior pen-testing skills to use CardSec?
A. No, CardSec is very user-friendly. All you need is basic Linux knowledge.

Budget:

  • 2 x part-time developers for 3 months: $16500
  • Community outreach, marketing, and technical support: $1500
  • DIY articles, guides, and tutorial videos: $2500
