2019-001: OWASP IoT Top 10 discussion with Aaron Guzman

36:54
 
Share
 

Manage episode 225014718 series 124251
By Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio streamed directly from their servers.

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

  1. Weak, Guessable, or Hardcoded passwords
  2. Insecure Network Services
  3. Insecure Ecosystem interfaces
  4. Lack of Secure Update mechanism
  5. Use of insecure or outdated components
  6. Insufficient Privacy Mechanisms
  7. Insecure data transfer and storage
  8. Lack of device management
  9. Insecure default settings
  10. Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

277 episodes available. A new episode about every 7 days averaging 51 mins duration .