Iagon: Architecture and Security Audit for Enterprise Adoption

[GENERAL] Name and surname of main applicant

Navjit Dhaliwal

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Incorporated)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

4

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

The auditors are well known cyber security companies that have experience working with small and large enterprise clients. They will conduct a full scale audit of the Iagon infrastructure.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

Iagon will closely collaborate with the auditors on the assessment and remediation.

[GENERAL] Will your project’s output/s be fully open source?

No

[GENERAL] Please provide here more information on the open source status of your project outputs

The outputs of the audit itself are detailed summaries of the discovered issues and vulnerabilities, often based on open standards, but they are not code itself, hence they cannot be open sourced. We will share executive summaries of the findings, as long as doing so does not compromise the security and integrity of our offering.

The code changes that will be made to remediate the findings will be open source if the original code base is open source, and closed source otherwise, in order to protect the intellectual property of Iagon.

[METADATA] Horizons

Infrastructure

[SOLUTION] Please describe your proposed solution

Iagon will leverage the services of the chosen auditors to engage in a full scale audit of the Iagon architecture as it is an important step to verifying the network in preparation for the Fortune 500 pilot.

This audit will evaluate the Iagon system, identify any possible vulnerabilities in the network and ensure its safety and security. Doing so will give Iagon the validation it needs from a well established auditing firm and will support a smooth continuation of enterprise adoption.

We are currently in talks with well-established firms like SecureWorks and Tweag for their expertise in security and architectural auditing. However, we are also exploring other options to ensure we choose the best fit for our needs.

The assessment will cover a variety of industry standard audits and security tests, including but not limited to:

• A high level architectural audit of all core web and blockchain components involved in running the network
• A penetration test of external facing services
• A web application security assessment for each of the web apps used to provide our core product offering

Iagon will also add Static Application Security Testing (SAST) and dependency analysis, as well as container scanning to our Software Development Lifecycle (SDLC) where applicable and not already present. These are common practices to prevent unsafe software by avoiding insecure code changes or using libraries that have security vulnerabilities.

What the audit will not cover:

• The Iagon smart contracts are already in the process of being audited and currently in the remediation phase, and as such will not require another audit phase.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community

The audit will ensure the integrity of the system and will inspire the confidence that enterprise customers are looking for when seeking to move forward with the Iagon network for large scale implementations and business and consumer adoption. 

This is an important step in strengthening Iagon's ongoing business relationship and advancing the pilot program, which aims to highlight the potential of the Cardano ecosystem and expand its enterprise adoption use cases.

The success of the project will be measured by the final executive summary of the audit report. The companies hired to perform the audit will provide Iagon with an initial security audit, that includes all findings and their severity. Iagon will then address any findings according to their risk, impact and applicability within the current architecture. Once all necessary findings have been addressed, a reverification of the items will be performed by the contracted companies to confirm appropriate resolution.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Given the importance of this audit and what it could mean for the future traction of Iagon and Cardano, Iagon is ensuring that the companies selected to conduct the audits are amongst the top auditing firms in the software industry and that no compromise is being made on the quality of the assessments.

The auditing companies will be high-profile enterprise auditing firms, which gives the Cardano Community the confidence that the audit is being conducted with quality and integrity.

With their strong reputation and proven track record, Iagon and its community can be confident that the audit will be conducted with the highest level of trust, thoroughness, and accountability.

Our CTO is a knowledgeable datacenter operator with decades of experience in securing infrastructure and networks, leveraging industry best practices. Our Tech Lead has been building compliant and secure software for large enterprises in the healthcare and financial sectors since 2009 and been involved in half a dozen large scale security audits during this time. Findings from the auditing companies will be swiftly assessed and addressed, ensuring complete coverage of all important issues.

Please describe your plans to share the outputs and results of your project?

Iagon will share an executive summary or a version of the executive summary that is adjusted for sensitive information with the public. Executive summaries commonly contain high-level information on the findings, and if they were addressed, or are still open, and what any associated resolutions may be. If the executive summary provided by the auditors contains sensitive information, the respective parts may be redacted.

A security assessment is commonly done in two phases - the initial findings and a retest after remediation. We may opt to share one or both summaries, depending on if any remediation is necessary.

What are the main goals for the project and how will you validate if your approach is feasible?

The main goal of this project is to demonstrate to our enterprise partners the safety and security of the Iagon network and to validate that the network is ready to scale and support enterprise adoption. In doing so, the audit will identify any possible areas of improvement if necessary and allow us to move forward with clarity and a seal of approval.

Security audits are a common practice in the software industry, and are applicable for any project size or scope. Iagon, with a blend of installable software for end users and client/server infrastructure for Web 2.0 and Blockchain technology, will be able to follow.

[PROJECT MILESTONES] What are the key milestones you need to achieve in order to complete your project successfully?

Vendor Selection and Announcement

Objective:

Select one or more vendors for the security audit and publicly announce their selection through our social channels (Twitter, Discord, and blog).

Outputs and Acceptance Criteria:

• Vendor Shortlist and Comparison Overview:
• A refined list of potential vendors based on services, pricing, and suitability.
• A comparative analysis highlighting each vendor's strengths and ability to meet our needs.
• Signed Agreements:
• Formalized contract agreements signed with the selected vendor(s), outlining the scope of work and terms. Not shared with the public. A redacted version can be shared with Catalyst, if the audit firm(s) agree(s).
• Public Announcement:
• A blog post and social media updates introducing the selected vendor(s) to the community.

Completion of Initial Security Audit

Objective:

Conduct the initial security audit and receive detailed reports from the selected audit firm(s). The initial security audit report is delivered by the audit company or companies. The executive summaries or a redacted version of them can be made available to the Catalyst Team, but will not be shared with the public prior to addressing any findings. This will allow us to evaluate the severity, address issues in Milestone 3 and close any security gaps prior to completing the project, before allowing external parties insights into potentially sensitive vulnerabilities.

Outputs and Acceptance Criteria:

• Initial Security Audit Reports:
• Comprehensive reports identifying any security risks or vulnerabilities within the project (not made public).
• Executive Summary (Redacted):
• A concise, redacted version of the audit report to be shared with the Catalyst Team upon request.
• This summary will not be made public prior to addressing the identified issues.
• Audit Communication Plan:
• A strategy outlining how and when the audit results will be communicated to key stakeholders and team members.

Addressing Findings and Audit Retest

Objective:

All findings that are of a certain criticality (commonly high and critical, following CVSS 3.0 or similar systems) need to be addressed. After remediation, a retest is performed by the audit firm(s).

Outputs and Acceptance Criteria:

• Issue Resolution Report:
• Documentation detailing how each critical and high-priority security issue has been resolved or a plan for addressing them.
• Lower-priority items will be addressed as feasible by the team.
• Retest Confirmation (Executive Summary):
• A follow-up executive summary from the audit firm confirming that critical issues have been successfully addressed.
• This may include confirmation of alternative mitigation strategies where appropriate.
• Public Update:
• A redacted version of the retest executive summary to be shared with the public once critical issues are resolved, ensuring transparency while maintaining security integrity.

[RESOURCES] Who is in the project team and what are their roles?

Iagon Team: 

1. Navjit Dhaliwal, CEO
2. Holger, CTO
3. Nils, Tech Lead

The Iagon team will be used to evaluate and hire the teams from the chosen auditing companies who will be responsible for conducting the audit.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources

Full Architectural Audit: 

Estimated Cost: 238,095 ADA

Web Application Security Assessments and Penetration tests:

Estimated Cost: 142,858 ADA

It includes separate security assessments and penetration tests for at least two applications (Compute and Storage) to ensure thorough testing across the board.

Remediation work

Estimated Cost: 119,047 ADA

Total Estimated Budget: 500,000 ADA

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

Through this audit, Iagon can move forward with its pilot program which has the potential to bring millions of new eyes to the Cardano ecosystem. In doing so, Cardano, and the projects building on it, will be exposed to a whole new wave of users and investors. This form of enterprise adoption would significantly increase the rate of adoption of Cardano and would demonstrate the advantages that Cardano presents for enterprise.