[GENERAL] Name and surname of main applicant
Kiriakos Krastillis
[GENERAL] Email address of main applicant
c10-spouse@evolute.software
Additional applicants
I am submitting this proposal as a sole proposer representing evolute.software
[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)
4
[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.
No
[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?
No
[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project's delivery. If NO, please write "No dependencies.".
No dependencies.
[GENERAL] Will your project's output/s be fully open source?
Yes
[GENERAL] If NO, please describe which outputs are not going to be open source. If YES, please write "Project will be fully open source."
Project will be fully open source.
[METADATA] Category of proposal
SPOs
[IMPACT] Please describe your proposed solution.
This project has three main impacts:
- It gives SPOs much-needed tools to shed light on their infrastructure and address important issues in their setup. Having spoken with a multitude of SPOs, the pattern is clear: smaller SPO operations (roughly 2500 pools) find it difficult to build custom security infrastructure, as this is difficult and time-consuming work.
- It creates a personalized gateway through which SPOs can improve their skills and understanding of SPO security topics. Instead of digging through large amounts of IT security literature and having to evaluate what makes sense in the context of an SPO, they will be presented with clear issue descriptions, mitigation options, etc.
- Being open source and a tool an SPO will use periodically, it can work as a starting point for enhancing SPO education, as it knows exactly how the pool is set up, what issues it had, what has been fixed, etc.
Additionally:
- Compared to projects (past and present) that address the SPO security landscape, this tool is not a one-off. Once an SPO has it set up, they can check their pool periodically.
- As the tool is completely open source, the community can contribute tests and improvements as well, increasing the quality and security of the SPO community over time.
[IMPACT] How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?
- SPOs will have a low-effort, low-barrier-of-entry way to establish a continuous overview of their pool's security landscape.
- SPOs will finally have a way to track the things they can do to improve their pool setup.
- SPOs will have the opportunity to learn new IT security skills efficiently and effectively, as the tool gives them specific guidance on what is wrong and why it matters.
- Hopefully we won't have any more hacks due to exposed Docker sockets, unprotected Grafana instances, etc.
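The two misconfigurations named above are exactly the kind of check a tool like SPOUSE would run against a pool host. The following is an added example, not code from the proposal or from evolute.software: it probes a host for an unauthenticated Docker Engine API (default plaintext TCP port 2375, GET /version) and for a Grafana instance that answers GET /api/org without a login (default port 3000). The ports, paths and response fields come from the public Docker Engine and Grafana HTTP APIs; the function names, severities and finding format are my own assumptions, and the sample responses used to exercise it are constructed.

```python
"""Probe a pool host for two misconfigurations that have led to SPO
compromises: an unauthenticated Docker Engine API reachable over TCP, and
a Grafana instance that serves data to anonymous users.

Added illustration only, not SPOUSE code. Ports (2375, 3000), paths
(/version, /api/org) and response shapes follow the public Docker Engine
and Grafana HTTP APIs; the checker structure itself is an assumption.
"""
import json
import urllib.error
import urllib.request

DOCKER_API_PORT = 2375   # default plaintext Docker daemon TCP port (2376 is the TLS port)
GRAFANA_PORT = 3000      # default Grafana HTTP port


def probe(host, port, path, timeout=2.0):
    """GET http://host:port/path without any credentials.

    Returns (status, body_bytes). A closed port, timeout or unreachable host
    is reported as status 0 so the classifiers treat it as 'not exposed'.
    """
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:      # 401/403/404: the service answered
        return exc.code, exc.read()
    except (urllib.error.URLError, OSError):   # refused, timeout, no route
        return 0, b""


def _json_or_none(body):
    """Decode a JSON object body; anything else (HTML, empty) becomes None."""
    try:
        return json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return None


def classify_docker_version(status, body):
    """Docker's GET /version answers 200 with a JSON object containing
    'ApiVersion'. Getting that with no authentication means anyone who can
    reach the port can start privileged containers on the host."""
    data = _json_or_none(body)
    if status == 200 and isinstance(data, dict) and "ApiVersion" in data:
        return {
            "check": "docker-api-unauthenticated",
            "severity": "critical",
            "detail": f"Docker Engine API {data['ApiVersion']} reachable without auth",
        }
    return None


def classify_grafana_org(status, body):
    """Grafana's GET /api/org returns 401 when a login is required. A 200
    with an org object ('id' and 'name') means anonymous access is enabled
    and dashboards, plus whatever the data sources expose, are readable."""
    data = _json_or_none(body)
    if (status == 200 and isinstance(data, dict)
            and all(k in data for k in ("id", "name"))):
        return {
            "check": "grafana-anonymous-access",
            "severity": "high",
            "detail": f"Grafana org '{data['name']}' readable without login",
        }
    return None


def scan_host(host, docker_port=DOCKER_API_PORT, grafana_port=GRAFANA_PORT):
    """Run both checks against one host and return the list of findings."""
    findings = []
    for port, path, classify in (
        (docker_port, "/version", classify_docker_version),
        (grafana_port, "/api/org", classify_grafana_org),
    ):
        status, body = probe(host, port, path)
        finding = classify(status, body)
        if finding:
            finding["port"] = port
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for f in scan_host(target):
        print(f"[{f['severity']}] {f['check']} on port {f['port']}: {f['detail']}")
```

Run it as `python spouse_checks.py <pool-host>` (the filename is an assumption); no output is the healthy result, and a 401 from Grafana is what you want to see. Two caveats: this only covers the network-exposed Docker daemon, not a `/var/run/docker.sock` mounted into a container, which is the other common form of "exposed Docker socket"; and it does not flag a daemon on 2376 that requires TLS client certificates, which is the correct way to expose the API remotely.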
[IMPACT] How do you intend to measure the success of your project?
There are a number of success indicators that can be consulted:
- git clones over time
- GitHub forks/stars of the repo
- SPO talk on Twitter, etc.
Additionally, the following KPIs are planned in the project:
- SPO outreach to beta test the tool before public availability. We intend to work with 10-20 SPOs with varying levels of IT proficiency to ensure the tool and documentation work as intended.
- Anonymous usage reports: a way for SPOs to anonymously confirm that they use SPOUSE.
[IMPACT] Please describe your plans to share the outputs and results of your project?
Software:
As with prior projects, work is going to be completely in the open. Our current projects can all be found in the evolute.software GitHub and SPOUSE will be there as well. As already stated, we are of the opinion that tools like these HAVE to be open source to work well, so SPOUSE will always be open source.
Project:
In most evolute projects you get a bi-weekly project report (e.g. https://permanentum.io/#blog); for SPOUSE this will be the same.
Product:
Even after this Catalyst proposal ends there will surely be continued work on this product (either directly community-driven or via follow-up Catalyst proposals) and users talking about it.
[CAPABILITY/ FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability?
evolute.software has been active in Cardano since 2020 with a variety of projects. We have a history of delivering software. Kiriakos Krastillis has over two decades of professional IT experience, both as a developer and as a manager. evolute.software is well networked in the software development and IT security domains. We occasionally bring on domain experts to add extra depth on advanced topics, but on our own we are also formidable pen testers and devs.
[CAPABILITY/ FEASIBILITY] What are the main goals for the project and how will you validate if your approach is feasible?
The goals of the project are to give SPOs the tools they are missing to:
- Identify the security landscape of their pool
- Find ways to improve that landscape
- Learn about security best practices
- Track their pool's security landscape over time
- Establish a common vocabulary for discussing security practices (by using the same tool)
[CAPABILITY/ FEASIBILITY] Please provide a detailed breakdown of your project's milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.
Milestones:
- Test Selection: Work together with industry experts to see which security tests, pentests or open source tools make the most sense to integrate into SPOUSE
- Infrastructure Setup: Create the base project with a web UI that takes the pool's details and executes pentest processes against that pool
- Tools Implementation: A one-month timebox to implement as many tools (from the "Test Selection" milestone) as possible
- SPO outreach: Test with 10-20 SPOs of varying technical expertise to see how the tool is being used, what can be improved and where documentation is needed
- Documentation and Finding Mitigation Techniques: Create documentation on how to use the SPOUSE modules and how to mitigate significant findings
Notes:
- SPO outreach: we have already done outreach to find out what the quality of security monitoring is across SPOs. The outreach milestone at the end of this proposal is only there to re-evaluate those previous findings and to see how much of a difference the tool makes.
- Infrastructure Setup: some might wonder why there is a separate milestone for setting up the software repository and base scaffold for the application. The answer is twofold. First, we need to ensure that the tool will be easy to obtain and run; doing so should not take more than "git clone && docker compose up". Second, running pentesting tools in containers is not always straightforward: many tools need root privileges and some expect user interaction. Based on the tools we select in M1 we will have to create an elaborate setup to make these work.
[CAPABILITY/ FEASIBILITY] Please describe the deliverables, outputs and intended outcomes of each milestone.
- Test Selection: A report on what pentesting tools, tests etc. make the most sense for the SPO security landscape
- Infrastructure Setup: A base project on GitHub (working code)
- Tools Implementation: The (mostly) finished product, in a GitHub repository
- SPO outreach: A report about how SPOs experienced using SPOUSE
- Documentation and Finding Mitigation Techniques: An improvement to the software from M3 that adds more content to the UI. Final end user documentation.
[RESOURCES & VALUE FOR MONEY] Please provide a detailed budget breakdown of the proposed work and resources.
The following are stated in FTE days:
M1: 7 Evolute + 7 IT-Sec experts
M2: 5 Evolute
M3: 30 Evolute + 3 IT-Sec experts
M4: 5 Evolute
M5: 5 Evolute
Total: Evolute 52, IT-Sec experts 10
Day rates: Evolute 760€, IT-Sec experts 600€
VAT: 19%
Total cost: 47028.8€ + 7140€ = 54169€ = 186789₳
[RESOURCES & VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?
Protecting our SPOs' operations is about more than protecting the SPOs themselves. It also hardens our network against coordinated attacks, DoS, etc. Obviously, a successful coordinated attack against a blockchain can produce millions (if not more) in value loss.
While this project cannot guarantee that Cardano will be protected against such coordinated attacks, it is the first in a series of many steps that need to be taken. Each of which will make our ecosystem more robust.
[IMPORTANT NOTE] The Applicant agreed to Fund10 rules and also that data in the Submission Form and other data provided by the project team during the course of the project will be publicly available.
I Accept