BrakeSec Education Podcast
2019-001: OWASP IoT Top 10 discussion with Aaron Guzman
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP SLACK: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
2014 list:
BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP SLACK: https://owasp.slack.com/
What didn’t make the list? How do we get Devs onboard with these?
How does someone interested get involved with OWASP Iot working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf