Preview Mode Links will not work in preview mode

Jan 14, 2019

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

  1. Weak, Guessable, or Hardcoded passwords
  2. Insecure Network Services
  3. Insecure Ecosystem interfaces
  4. Lack of Secure Update mechanism
  5. Use of insecure or outdated components
  6. Insufficient Privacy Mechanisms
  7. Insecure data transfer and storage
  8. Lack of device management
  9. Insecure default settings
  10. Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

 

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf