cardaSCAN.io - A community-funded stake pool vulnerability scanning service

[GENERAL] Name and surname of main applicant

Thorsten Pottebaum (@adanamics)

[GENERAL] Email address of main applicant

cardascan@proton.me

Additional applicants

Kyle Wood (@woodkm) aka Holymacaroni

Andrew DeVito (@samwukong)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

12

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.” .

We will be using open-source vulnerability scanning software, running on cloud environments and cloud-based ticketing/messaging systems.

[GENERAL] Will your project’s output/s be fully open source?

No

[GENERAL] If NO, please describe which outputs are not going to be open source. If YES, please write “Project will be fully open source.”

We are planning to inform the community about SPOs, who are running a vulnerable environment and have not addressed the vulnerability after a grace period to patch/fix the problem. (we will be working proactively with SPOs to make their environment safe during the grace period, but think that the community should be aware of vulnerable operations if the SPO does not respond).

The information will be made available on our website: cardascan.io

Maybe add in a defined grace period. Either 90 days (which is a big grace period, but falls in line with our milestones, which I believe would be every quarter (3 months), or the grace period could align with the end of the proposal duration.

[METADATA] Category of proposal

SPOs

[IMPACT] Please describe your proposed solution.

Cyber-resilience is an increasingly important factor in the selection of digital services provided through a number of different methods (e.g. cloud or blockchain). Whilst resistance is at the core of the consensus model of Cardano, this is not protecting the underpinning infrastructure of the blockchain from technical vulnerabilities. Blockchains, which can demonstrate that they are taking also the technical resistance of the blockchain seriously, which have an advantage when it comes to the selection of solutions by commercial and industrial customers.

Problem

Currently, there is no existing service provided to the SPO community, which is scanning the technical infrastructure of the blockchain relays and block-producing nodes in a systematic manner. Cybersecurity is the wholesome responsibility of the SPO, without any professional help provided.

Solution

We will implement an independent vulnerability scanning and detection service (cardascan.io) for all SPOs. This service will be offering two different levels of assurance:

1. Through frequent black-box scans of the infrastructure used by SPO, we will identify the current protection state of the relay and block-producing infrastructure and inform the relevant SPO about the existing vulnerabilities and areas of improvement (best practices).
2. To increase resilience, we will offer a subscription-based advanced deep vulnerability scanning service accompanied by cybersecurity consulting. This service is not part of this proposal.

To create transparency, we will (after a grace period) inform the community via our website about SPO environments, which show vulnerabilities and where SPOs are not addressing these findings. During the grace period, we will work to our best ability with the SPO to address the identified vulnerabilities. The technical patching will remain the responsibility of the relevant SPO.

The value of this solution can be seen as follows:

Efficiency - providing a scanning solution centrally from within the community is a lot more resource-efficient, than a solution, which has to be performed by the SPO. The identification of issues at scale is just possible through a central solution.

Cost - providing a vulnerability scanning solution for just a number of servers is not cost-sensitive and requires an unproportionate effort. Scale effects make the service very cost-efficient once implemented.

Transparency - whilst SPO would be able to perform vulnerability scans themselves, it's natural that they would not make any detected vulnerabilities transparent, nor could it be assured that the relevant server would be patched. Through the disclosure after a grace period, we will keep the delegators informed about “underperforming” SPOs.

[IMPACT] How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?

cardascan.io is bringing for the first time a transparent and independent vulnerability scanning solution to Cardano. The community will get an inside into the overall performance of the underpinning infrastructure of the blockchain and has the ability to identify SPOs, which are not performing to the general expectation of the delegator community.

Furthermore, will this new level of transparency create trust and assurance for business and industrial users of Cardano and thereby differentiate Cardano from other blockchains and those monitoring activities.

What is cardascan.io benefit?

cardascan.io brings a number of benefits, like:

• Assurance of blockchain users - the provided transparency through statistics and disclosure of ‘underperforming’ SPO create a new level of assurance to delegators
• Meeting expectations of commercial and industrial users – it is common practice to require vulnerability scanning of the infrastructure of a service provider in the commercial and/or industrial environment. 
• Pathway to certifications – infrastructure providers of cloud environments commonly provide assurance through international certifications (e.g. ISO 27001 or SOC II) for the cybersecurity of their environments. While this is not common practice for distributed blockchains yet, providing assurance through vulnerability management is a first step in this direction.

[IMPACT] How do you intend to measure the success of your project?

The success of the project can be easily measured - through statistics we will prove at least the following:

Quantitative measures:

• Reduction of the overall number of vulnerabilities detected in the Cardano infrastructure
• Number of detected vulnerabilities mitigated (measured through repeated scans of the infrastructure)
• Number of patch vulnerabilities within 30 days
• Number of SPO, who a proactively engaging in the remediation of vulnerabilities.

Qualitative measures:

• Reduction of the number of vulnerabilities with a high CVSS rating
• Feedback from the SPO community
• Feedback from the delegator community

[IMPACT] Please describe your plans to share the outputs and results of your project?

Due to the nature of the topic, we will not share any results of the vulnerability scanning itself, but the following output will be shared, e.g. on Twitter Spaces or similar:

• Statistics about e.g. :
• the number of involved SPO (incl. disclosure of scanned SPOs/coverage of total SPO identified estate)
• the scanning performance (number of relays/nodes scanned within a specific period)
• the number of detected vulnerabilities (details about type and counts)
• the number of SPOs, who did not patch within 30 days
• the number of SPOs, who did not patch within the grace period

• Disclosure of:
• SPOs/stake pools, which were not patched during the grace period
• Number of vulnerabilities according to CVSS rating

To protect the individual SPO, we will NOT disclose the actual vulnerability. Furthermore, a discussion, about how long the grace period should be is ongoing.

[CAPABILITY/ FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability?

cardascan.io is a team of three cybersecurity veterans with a long background in the field. Please see the details below:

Thorsten Pottebaum (adanamics) is a seasoned Enterprise Architect with experience in the manufacturing industry currently working as the cybersecurity audit program manager for Siemens Healthineers, one of the world’s leading MedTech companies. He has a post-graduate degree in Computer Systems Security from the University of South Wales (UK) and holds several ISO lead auditor certifications (ISO27001, ISO27701 and ISO22301). He has been actively engaged in the Project Catalyst community since Fund 7 in different roles.

https://www.linkedin.com/in/thorstenpottebaum

Kyle Wood (holymacaroni) is a veteran cybersecurity expert with more than 13 years of experience working with hundreds of different environments, as well as forensics. Plus 13 years of work experience in the military and large commercial environments. He has experience in PenTesting, vulnerability assessing, architecting and designing environments, incident response, and much more. He is currently running a successful Fund9 Project, EpochSec, providing the community with Cyber Security support, as well as managing a team of cybersecurity experts as a technical practice manager at Trellix (formerly McAfee). He has been in the Cardano community since 2019.

https://www.linkedin.com/in/kyle-wood-a6040560

https://epochsec.io

Andrew DeVito (notSamWukong) is a veteran of regulatory compliance and operations with over 21 years in between the military and private sectors, with over a decade of senior management positions. He holds a B.S. in Cyber Security with a concentration in Wireless and Mobile Security. He specializes in defensive security strategies, Governance, Risk Management, and Compliance (GRC). An active participant in professional communities (OWASP, IEEE, IAPP), his focus now lies in the intersection of cyber security and business development. He has been involved in the Cardano community since 2020.

https://www.linkedin.com/in/andrew-devito

Thorsten and Kyle have been proposers/co-proposers in funds before and either closed their proposals successfully or demonstrated that the deliverables of their proposals are on track and delivered on time.

[CAPABILITY/ FEASIBILITY] What are the main goals for the project and how will you validate if your approach is feasible?

The main goal of cardascan.io is to improve the cybersecurity resilience of the Cardano blockchain and to increase transparency and trust in the infrastructure and services provide by the SPO community. 

Through this independent service, we also will reduce the cost per scan compared to the efforts, which would have to be undertaken by the SPO themselves.

We plan to validate our approach through a ramp-up phase with selected SPOs and will adopt the provisioning of scanning infrastructure based on the number of onboarded SPOs (relays/nodes).

The scanning pattern will be updated and optimized on an ongoing basis through the analysis of scanning results and the interaction with the SPO community. Sharing of best practices through open sessions is planned.

[CAPABILITY/ FEASIBILITY] Please provide a detailed breakdown of your project’s milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.

These are the main activities per Milestones:

Milestone 1: Project setup, ramp-up backend & administration | Month 1

• Providing Proof of Milestone
• Providing Statement of Milestone
• Setup of legal structure, bank account
• Ordering of subscriptions (GitHub, CRM, ticketing system, etc.)
• First engagement with SPO community (Twitter, Twitter spaces)
• Setup of a cloud environment for
• Scanning services (test environment)
• Setup of website/video production/YouTube
• Setup of CRM & ticketing system
• Collection of current nodes/relay estate
• Collection of SPO contacts
• Media plan & copywriting

Milestone 3: Configuration & Test Environment | Month 2

• Installation & test scanning environment
• Legal agreement for onboarding
• Setup & configuration of secure communication channel SPO
• Onboarding SPOs (pilot)
• Setup reporting environment
• Setup automation
• scanning
• report distribution
• Automated communication of reports

Milestone 4: Onboarding & Scanning test run | Month 3

• Test of automation
• Scanning pilot with selected SPOs
• Generation statistic & web-interface statistic
• Onboarding further SPO

Milestone 5 - 12: Ongoing scanning | Month 4 - 12

• Scanning automation & optimization 
• Support to SPO community (vulnerability handling / best practice sharing)
• Generation statistics (enhancements)
• Setup of Hall of Shame (disclosure of inactive SPOs)
• Final Milestone: Project Closeout

[CAPABILITY/ FEASIBILITY] Please describe the deliverables, outputs and intended outcomes of each milestone.

Milestone 1: Project setup & administration | Month 1

• Deliverable(s):
• [1] Project setup & PoL/SoM
• [2] Technical server backend (cloud-based)
• [3] Installation & initial configuration scanning environment
• [4] Website/Twitter/YouTube channel registered & initial setup
• [5] Setup of CRM & ticketing system
• [6] Administrative: Subscriptions & licenses
• Acceptance Criteria:
• [2] - [5] Environments setup & configured
• [6] Subscriptions & licenses in place
• Evidence:
• [1] Collected by IOG
• [2] - [6] Short video for deliverables 

Milestone 2: Configuration & Test Environment | Month 2

• Deliverable(s): 
• [1] Installation & test scanning environment
• [2] Onboarding SPOs (agreement to scan)
• [3] Secure communication to SPO installed/configured
• Acceptance Criteria:
• [1] Scanning environment is functional/test scans performed
• [2] SPOs for M4 (20 SPO) are onboarded
• [3] Communication channels to SPOs established
• Evidence:
• [1] Short video of scanning run/test results
• [2] Scanned agreements (file share)
• [3] Short video of the communication channel(s)

Milestone 3: Onboarding & Scanning test run | Month 3

• Deliverable(s):
• [1] Secure report sharing installed, configured & tested
• [2] Test scans with 20 SPOs
• [3] Statistics of test run
• [4] Onboarding further SPOs
• Acceptance Criteria:
• [1] Report sharing environment operational
• [2] 2 scanning circles completed
• [3] Statistics available on the website
• [4] Further 50 SPOs (agreement to scan)
• Evidence:
• [1] - [2] Short video
• [3] Website
• [4] Scanned agreements (file share)

Milestone 4 - 12: Ongoing scanning | Month 4 - 12

• Deliverable(s):
• [1] Scanning 
• [2] Reports to SPOs
• [3] Statistics
• [4] from M7 onwards: Disclosure reports
• Acceptance Criteria:
• [1] all registered SPO scanned within 30 days
• [2] Report (blacked out]
• [3] Monthly updated statistics available
• [4] Monthly disclosure report available
• Evidence:
• [1] scanning log files (if possible)
• [2] 5 sample reports [blacked out]
• [3] Statistics (link/website)
• [4] Hall of Shame (link/website)

Final Milestone: Close Out (additionally Month 12)

• Deliverable(s):
• [1] Closing video/report
• Acceptance Criteria:
• [1] Video/report submitted
• Evidence: 
• [1] Video & report

[RESOURCES & VALUE FOR MONEY] Please provide a detailed budget breakdown of the proposed work and resources.

Through the long-standing experience of the proposers in the field of cybersecurity, there is a sharp focus on the topics which are most important - in cybersecurity value comes with experience. 

We will focus initially on the automation of routine tasks and set up standard communication channels with the SPOs. This will with the ramp-up of the service enable us to spend focused time on the analysis of vulnerability patterns and the consulting of SPO by sharing best practices.

Where required we will provide consulting support on a chargeable basis.

This is the budget breakdown per milestone:

Budget Milestone 1: Project setup & administration

• Project setup & PoL/SoM (20 hours x 250 ADA) = 5000 ADA 
• People (3 people x 3 hours/day x 20 days x 250 ADA = 45000 ADA)
• Tools: 
• Cloud: 2 Instances = 2500 ADA
• Subscriptions: 1250 ADA
• Total: 53750 ADA 

Budget Milestone 2: Configuration & Test Environment

• People (3 people x 3 hours/day x 20 days x 250 ADA) = 45000 ADA
• Tools:
• Cloud: 3 Instances = 3750 ADA
• Subscriptions: 1250 ADA
• Total: 50000 ADA 

Budget Milestone 3: Onboarding & Scanning test run

• People (3 people x 3 hours/day x 20 days x 250 ADA) = 45000 ADA
• Tools
• Cloud: 3 Instances = 3750 ADA
• Subscriptions: 1250 ADA
• Total: 50000 ADA 

Budget Milestone 4 - 12: Ongoing scanning (figures are per milestone)

• People (3 people x 2 hours/day x 30 days x 250 ADA) = 45000 ADA/milestone
• Tools
• Cloud:
• Milestone 4: 5 Instances = 6250 ADA/milestone
• Milestone 5 - 12: 10 Instances = 12500 ADA/milestone
• Subscriptions: 1250 ADA

• Total (per milestone):
• Milestone 4: 52500 ADA/milestone

• Milestone 5 - 12: 58750 ADA/milestone

• Total: (M4 - M12): 522500 ADA

[RESOURCES & VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

We are estimating to scan about 7000 servers per scanning round (month) after our ramp-up phase. 

This means that after milestone 4, we will perform around 56000 scans over a period of 8 months (excluding the scans in the ramp-up phase). Based on the requested budget a scan will cost less than USD 3.40 per scan, with the potential to be even less with a higher number of scans (servers/frequency).

[IMPORTANT NOTE] The Applicant agreed to Fund10 rules and also that data in the Submission Form and other data provided by the project team during the course of the project will be publicly available.

I Accept