Write documentation on secure dApp development

[GENERAL] Name and surname of main applicant

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

Create code and a how-to that shows the process of test-driven development and product certification using Helios

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

Helios

potential-robot

https://cardano.ideascale.com/c/idea/113102

[GENERAL] Will your project’s output/s be fully open source?

[GENERAL] Please provide here more information on the open source status of your project outputs

will be licensed under MIT license

[SOLUTION] Please describe your proposed solution.

Common Criteria is a language for security requirements for software products recognized by the US, the EU and several other countries.

The developer must claim a level of Certification, to do this they need to write a Security Target and a Conformance Claim which are used by an independent auditor to evaluate the product and issue a certificate.

We will create a dApp component and its Security Target, which will be validated by the members of the Certification Working Group, which includes representatives of companies that are trusted with auditing software on Cardano.

This will allow Cardano developers to copy the process.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

Currently a dApp developer needs access to an expert in Formal Systems and Software Verification, which are rare and expensive skills.

This makes certifying their products inaccessible to many teams and slows down the ecosystem growth: for example CARDAX audit was valuated at 80000$ at Fund 8.

We will democratize this process and allow teams to develop a dApp at the lowest level of certification using JavaScript, which will lower skill centralization.

The long term effect is that there will be more trusted products developed by small teams in Africa, South America and developing countries

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Alex Seregin is an open source enthusiast with over 15 years of experience leading impact projects.

This work is validated by members of Certification Working Group which includes auditors and formal verification experts from MLabs, IOG and Tweag.

A prototype exists which needs improvement and documentation.

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

This milestone covers the finalized source code for potential-robot, a simple architecture example of a dApp component in Helios using vesting smart contract as an example.

The following is needed:

• write the Conformance Claim
• Write the testing plan
• Write the tests
• Validate the tests.
• Refactor the code
• Document the code

To verify that the milestone is complete

the CI checks must pass on GitHub:

It has to be manually verified that the tests correspond to the test coverage plan and that the test coverage plan is described in the Security Target.

This milestone covers writing the Security Target, for which the following is needed:

• research the existing STs
• research the existing Conformance Claims
• compile the data necessary to write the ST for potential robot
• write the ST
• validate the ST with the Certification Working Group

The security target is a document, which must be validated through a consensus mechanism in the Certification working group.

The consensus mechanism is described in the working group documentation repository.

The final milestone covers writing the proposal and verifying:

• that the Conformance Claim in the Security Target covers the level of certification,
• the testing plan corresponds the requirements described in the Conformance Claim,
• the tests follow the testing plan,
• the tests are validated by the CI runner
• the document exists that describes this process to other developers.

[RESOURCES] Who is in the project team and what are their roles?

Aleksei Seregin is a programmer and an enthusiast in the Cardano Ecosystem.

https://www.linkedin.com/in/alex-seregin/

Certification Working Group is a community working group. The list of members of Certification working group can be found in the Working Groups discord server, link to which can be found in the working groups github repository, which is linked in this proposal.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

1 x developer (24 weeks):

• Finalize the code base
• Research the Common Criteria
• Write the guide
• Write the documents
• Discuss with the Developer Experience working group
• Discuss with the Certification working group

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The proposed project's cost represents value for money for the Cardano ecosystem by addressing critical security and usability concerns related to dApp development.

By investing in the development of a this project Cardano can provide good balance between accessibility and security to the developers.

Consider that we are making secure dApp development accessible to the users of JavaScripe, one of the largest dev communities that exists:

This fosters developer trust and confidence in Cardano.

Additionally, this improves Developer Experience on Cardano.

In essence, the project's cost translates into enhanced security, usability, and overall ecosystem stability, making it a sound investment for Cardano.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.