https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=YunsoulOWASP - User contributions [en]2026-04-29T19:17:27ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226447OWASP Robot Security Project2017-02-17T07:48:38Z<p>Yunsoul: /* Project About */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
{{:Projects/OWASP_Robot_Security_Project}}<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226446OWASP Robot Security Project2017-02-17T07:44:51Z<p>Yunsoul: Undo revision 226445 by Yunsoul (talk)</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226445OWASP Robot Security Project2017-02-17T07:43:47Z<p>Yunsoul: /* Project About */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/OWASP_Robot_Security_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226443OWASP Robot Security Project2017-02-17T07:40:34Z<p>Yunsoul: /* Project About */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226442OWASP Robot Security Project2017-02-17T07:40:03Z<p>Yunsoul: /* Project About */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226441OWASP Robot Security Project2017-02-17T07:38:37Z<p>Yunsoul: Undo revision 226440 by Yunsoul (talk)</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226440OWASP Robot Security Project2017-02-17T07:27:10Z<p>Yunsoul: /* Project About */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226439OWASP Robot Security Project2017-02-17T07:26:08Z<p>Yunsoul: /* Road Map and Getting Involved */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
===Define Robot's Security Area===<br />
* define a robot<br />
* define robot's security layer<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
<br />
<br />
===Make a Security Guideline(interface, communication, authentication, etc)===<br />
* define countermeasures of attack vector<br />
* define robot's identification spec. and methods<br />
* guideline for robot hardware/sensor development<br />
* guideline for external interface of robot<br />
* guideline for software development<br />
* guideline for robot OS<br />
* guideline for robot's communication/transport layer<br />
* guideline for robot's (dynamic) authentication<br />
* guideline for robot's cloud layer<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226438OWASP Robot Security Project2017-02-17T07:09:08Z<p>Yunsoul: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
* define robot's security area<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
* make a guideline(interface, communication, authentication, etc)<br />
<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.<br />
</span> <br />
<br />
<span style="color:#ff0000"><br />
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. <br />
</span><br />
<br />
As of October 2013, the priorities are:<br />
* Finish the referencing for each principle.<br />
* Update the Project Template.<br />
* Use the OWASP Press to develop a book.<br />
* Finish and publish the book on Lulu.<br />
<br />
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some of the principles.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing support for the book.<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Robot_Security_Project&diff=226437OWASP Robot Security Project2017-02-17T07:03:03Z<p>Yunsoul: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]<br />
'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://owasp.org/index.php/User:Yunsoul Yunsoul]<br />
* [https://github.com/sublimino Andrew Martin]<br />
* [https://github.com/Lambdanaut Josh Thomas]<br />
* '''YOUR NAME BELONGS HERE'''<br />
<br />
= Road Map and Getting Involved =<br />
<br />
* define robot's security area<br />
* define attack surface<br />
* define attack vector<br />
* make threat modeling<br />
* make a guideline(interface, communication, authentication, etc)<br />
<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.<br />
</span> <br />
<br />
<span style="color:#ff0000"><br />
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. <br />
</span><br />
<br />
As of October 2013, the priorities are:<br />
* Finish the referencing for each principle.<br />
* Update the Project Template.<br />
* Use the OWASP Press to develop a book.<br />
* Finish and publish the book on Lulu.<br />
<br />
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some of the principles.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing support for the book.<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=User:Yunsoul&diff=226436User:Yunsoul2017-02-17T07:01:43Z<p>Yunsoul: </p>
<hr />
<div>Security Engineer<br />
* ...................................................................................................<br />
* <br />
* My Project : [https://owasp.org/index.php/OWASP_Robot_Security_Project OWASP Robot Security Project]<br />
* Contribute to : [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP Internet of Things Project]<br />
* <br />
* reverse engineering (x86, ARM, bytecode)<br />
* IoT(Internet of Things) security<br />
* anti-virus (anti-virus engine for pc and mobile)<br />
* mobile security (mobile app security, mobile game security)<br />
* malware analysis<br />
* system programming<br />
* windows kernel driver<br />
* interested in distributed(non-central)communication & athentication(authentication without trust) system<br />
* like rock (heavy metal) & hip-hop music<br />
* like scribbling anything<br />
* learning Haskell<br />
* and my mind<br />
* [mailto:happyme9@naver.com happyme9@naver.com]<br />
* ...................................................................................................</div>Yunsoulhttps://wiki.owasp.org/index.php?title=User:Yunsoul&diff=226435User:Yunsoul2017-02-17T07:00:35Z<p>Yunsoul: </p>
<hr />
<div>Security Engineer<br />
* ...................................................................................................<br />
* <br />
* My Project : [https://owasp.org/index.php/OWASP_Robot_Security_Project OWASP Robot Security Project]<br />
* <br />
* reverse engineering (x86, ARM, bytecode)<br />
* IoT(Internet of Things) security<br />
* anti-virus (anti-virus engine for pc and mobile)<br />
* mobile security (mobile app security, mobile game security)<br />
* malware analysis<br />
* system programming<br />
* windows kernel driver<br />
* interested in distributed(non-central)communication & athentication(authentication without trust) system<br />
* like rock (heavy metal) & hip-hop music<br />
* like scribbling anything<br />
* learning Haskell<br />
* and my mind<br />
* [mailto:happyme9@naver.com happyme9@naver.com]<br />
* ...................................................................................................</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=210442OWASP Internet of Things Project2016-03-04T05:39:11Z<p>Yunsoul: /* What is the IoT Security Guideline Project? */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
<br />
====== 1. Secure IoT Software Development Guideline ======<br />
----<br />
* Software(or SDK) Running on Device<br />
* Software Running on IoT Cloud Platform(server-side)<br />
<br />
<br />
====== 2. Secure IoT Hardware Development Guideline ======<br />
<br />
<br />
====== 3. Privacy Guideline for IoT Service/System ======<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Software Development Guideline<br />
* Hardware Development Guideline<br />
* Privacy Guideline<br />
<br />
== Project Leaders ==<br />
<br />
*[https://www.owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=210441OWASP Internet of Things Project2016-03-04T05:37:44Z<p>Yunsoul: /* IoT Security Guideline Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
<br />
====== 1. Secure IoT Software Development Guideline ======<br />
----<br />
* Software(or SDK) Running on Device<br />
* Software Running on IoT Cloud Platform(server-side)<br />
<br />
<br />
====== 2. Secure IoT Hardware Development Guideline ======<br />
<br />
<br />
====== 3. Privacy Guideline for IoT Service/System ======<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
*[https://www.owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=210440OWASP Internet of Things Project2016-03-04T05:37:00Z<p>Yunsoul: /* IoT Security Guideline Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
<br />
====== Secure IoT Software Development Guideline ======<br />
----<br />
* Software(or SDK) Running on Device<br />
* Software Running on IoT Cloud Platform(server-side)<br />
<br />
<br />
====== Secure IoT Hardware Development Guideline ======<br />
----<br />
<br />
====== Privacy Guideline for IoT Service/System ======<br />
----<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
*[https://www.owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=210439OWASP Internet of Things Project2016-03-04T05:32:53Z<p>Yunsoul: /* IoT Security Guideline Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
<br />
* Secure IoT Software Development Guideline<br />
* Software(or SDK) Running on Device<br />
* Software Running on IoT Cloud Platform(server-side)<br />
<br />
<br />
* Secure IoT Hardware Development Guideline<br />
<br />
* Privacy Guideline for IoT Service/System<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
*[https://www.owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=210438OWASP Internet of Things Project2016-03-04T04:52:06Z<p>Yunsoul: /* Project Leaders */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
Coming Soon<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
*[https://www.owasp.org/index.php/User:Yunsoul Yunsoul]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=User:Yunsoul&diff=209930User:Yunsoul2016-02-29T05:03:38Z<p>Yunsoul: </p>
<hr />
<div>Security Engineer<br />
* ..........................................................................................................<br />
* reverse engineering (x86, ARM, bytecode)<br />
* IoT(Internet of Things) security<br />
* anti-virus (anti-virus engine for pc and mobile)<br />
* mobile security (mobile app security, mobile game security)<br />
* malware analysis<br />
* system programming<br />
* windows kernel driver<br />
* interested in distributed(non-central)communication & athentication(authentication without trust) system<br />
* like rock (heavy metal) & hip-hop music<br />
* like scribbling anything<br />
* learning Haskell<br />
* and my mind<br />
* [mailto:happyme9@naver.com happyme9@naver.com]<br />
* ..........................................................................................................</div>Yunsoulhttps://wiki.owasp.org/index.php?title=User:Yunsoul&diff=209929User:Yunsoul2016-02-29T05:01:57Z<p>Yunsoul: </p>
<hr />
<div>Security Engineer<br />
* ..........................................................................................................<br />
* reverse engineering (x86, ARM, bytecode)<br />
* IoT(Internet of Things) security<br />
* anti-virus (anti-virus engine for pc and mobile)<br />
* mobile security (mobile app security, mobile game security)<br />
* malware analysis<br />
* system programming<br />
* windows kernel driver<br />
* interested in distributed(non-central)communication & athentication(authentication without trust) system<br />
* like rock (heavy metal) & hip-hop music<br />
* like scribbling anything<br />
* learning Haskell<br />
* and my mind<br />
* happyme9@naver.com<br />
* ..........................................................................................................</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=209928OWASP Internet of Things Project2016-02-29T05:00:50Z<p>Yunsoul: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
Coming Soon<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
* Yunsoul<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=209927OWASP Internet of Things Project2016-02-29T04:53:20Z<p>Yunsoul: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= IoT Security Guideline =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Security Guideline Project ==<br />
<br />
The OWASP IoT Security Guideline provides follows :<br />
Coming Soon<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Security Guideline Project? ==<br />
<br />
The IoT Security Guideline Project provides:<br />
<br />
* Coming Soon<br />
<br />
== Project Leaders ==<br />
<br />
* Yunsoul<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/category/podcast/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=User:Yunsoul&diff=208497User:Yunsoul2016-02-11T00:53:57Z<p>Yunsoul: </p>
<hr />
<div>Security Engineer<br />
* ..........................................................................................................<br />
* reverse engineering (x86, ARM, bytecode)<br />
* IoT(Internet of Things) security<br />
* anti-virus (anti-virus engine for pc and mobile)<br />
* mobile security (mobile app security, mobile game security)<br />
* malware analysis<br />
* system programming<br />
* windows kernel driver<br />
* interested in distributed(non-central)communication & athentication(authentication without trust) system<br />
* like rock (heavy metal) & hip-hop music<br />
* like scribbling anything<br />
* learning Haskell<br />
* and my mind<br />
* ..........................................................................................................</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I2_Insufficient_Authentication/Authorization&diff=208175Top 10 2014-I2 Insufficient Authentication/Authorization2016-02-05T06:58:04Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the web interface, mobile interface or cloud interface including internal and external users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent as it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks. Deficiencies are often found to be present across all interfaces. Many Issues with authentication/authorization are easy to discover when examining the interface manually and can also be discovered via automated testing.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of compromised user accounts and possibly devices. All data could be stolen, modified, or deleted. Could your customers be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Authentication/Authorization Sufficient?|position=firstLeft|year=2013|language=en}}<br />
<br />
Checking for Insufficient Authentication includes:<br />
* Attempting to use simple passwords such as "1234" is a fast and easy way to determine if the password policy is sufficient across all interfaces<br />
* Reviewing network traffic to determine if credentials are being transmitted in clear text<br />
* Reviewing requirements around password controls such as password complexity, password history check, password expiration and forced password reset for new users<br />
* Reviewing whether re-authentication is required for sensitive features<br />
<br />
Checking for Insufficient Authorization includes:<br />
* Reviewing the various interfaces to determine whether the interfaces allow for separation of roles. For example, all features will be accessible to administrators, but users will have a more limited set of features available.<br />
* Reviewing access controls and testing for privilege escalation<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Make My Authentication/Authorization Better?|position=right|year=2013|language=en}}<br />
Sufficient authentication/authorization requires:<br />
# Ensuring that the strong passwords are required<br />
# Ensuring granular access control is in place when necessary<br />
# Ensuring credentials are properly protected<br />
# Implement two factor authentication where possible<br />
# Ensuring that password recovery mechanisms are secure<br />
# Ensuring re-authentication is required for sensitive features<br />
# Ensuring options are available for configuring password controls<br />
# Ensuring credential can be revoked<br />
# The app authentication is required<br />
# The device authentication is required<br />
# The server authentication is required<br />
# Manage authenicated user id(credential info.) and the user's device id, the user's app id mapping table in the authentication server<br />
# Ensuring that the authentication token/session key issuing to client is always different<br />
# Ensuring that the user id, app id, device id is universally unique<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' The interface only requires simple passwords.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Username = Bob; Password = 1234<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are poorly protected when transmitted over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Authorization: Basic YWRtaW46MTIzNA==<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management Top 10 2013-A2-Broken Authentication and Session Management]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I9_Insecure_Software/Firmware&diff=208174Top 10 2014-I9 Insecure Software/Firmware2016-02-05T06:57:11Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device and/or the network the device resides on. Also consider anyone who could gain access to the update server.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking. Depending on method of update and device configuration, attack could come from the local network or the internet.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>The lack of ability for a device to be updated presents a security weakness on its own. Devices should have the ability to be updated when vulnerabilities are discovered and software/firmware updates can be insecure when the updated files themselves and the network connection they are delivered on are not protected. Software/Firmware can also be insecure if they contain hardcoded sensitive data such as credentials. Security issues with software/firmware are relatively easy to discover by simply inspecting the network traffic during the update to check for encryption or using a hex editor to inspect the update file itself for interesting information.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure software/firmware could lead to compromise of user data, control over the device and attacks against other devices.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact if data can be stolen or modified and devices taken control of for the purpose of attacking other devices. Could your customers be harmed? Could other users be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Software/Firmware Secure?|position=firstLeft|year=2013|language=en}}<br />
* Note - It is very important that devices first and foremost have the ability to update and perform updates regularly.<br />
Checking for insecure software/firmware updates include:<br />
* Reviewing the update file itself for exposure of sensitive information in human readable format by someone using a hex edit tool<br />
* Reviewing the production file update for proper encryption using accepted algorithms<br />
* Reviewing the production file update to ensure it is properly signed<br />
* Reviewing the communication method used to transmit the update<br />
* Reviewing the cloud update server to ensure transport encryption methods are up to date and properly configured and that the server itself is not vulnerable<br />
* Reviewing the device for proper validation of signed update files<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Software/Firmware?|position=right|year=2013|language=en}}<br />
Securing software/firmware require:<br />
# Ensuring the device has the ability to update (very important, need secure update mechanism)<br />
# Ensuring the update file is encrypted using accepted encryption methods<br />
# Ensuring the update file is transmitted via an encrypted connection<br />
# Ensuring the update file does not expose sensitive data<br />
# Ensuring the update is signed and verified before allowing the update to be uploaded and applied<br />
# Ensuring the update server is secure<br />
# Implement the secure boot if possible (chain of trust)<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' Update file is transmitted via HTTP.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
<nowiki>http://www.xyz.com/update.bin</nowiki><br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Update file is unencrypted and human readable data can be viewed.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
�v�ñ]��Ü��Qw�û]��ˇ3DP�Ö�∂]��ˇ3DPadmin.htmadvanced.htmalarms.htm<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either capture the update file or capture the file and view it's contents.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I7_Insecure_Mobile_Interface&diff=208173Top 10 2014-I7 Insecure Mobile Interface2016-02-05T06:53:45Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the mobile application.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the mobile interface.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>An insecure mobile interface is present when easy to guess credentials are used or account enumeration is possible. Insecure mobile interfaces are easy to discover by simply reviewing the connection to the wireless networks and identifying if SSL is in use or by using the password reset mechanism to identify valid accounts which can lead to account enumeration.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>An insecure mobile interface could lead to compromise of user data and control over the device.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of an insecure mobile interface. Data could be stolen or modified and control over devices assumed. Could your customers be harmed? Could your brand be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Mobile Interface Secure?|position=firstLeft|year=2013|language=en}}<br />
Checking for an Insecure Mobile Interface includes:<br />
* Determining if the default username and password can be changed during initial product setup<br />
* Determining if a specific user account is locked out after 3 - 5 failed login attempts<br />
* Determining if valid accounts can be identified using password recovery mechanisms or new user pages<br />
* Reviewing whether credentials are exposed while connected to wireless networks<br />
* Reviewing whether two factor authentication options are available<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Mobile Interface?|position=right|year=2013|language=en}}<br />
A secure mobile interface requires:<br />
# Default passwords and ideally default usernames to be changed during initial setup<br />
# Ensuring user accounts can not be enumerated using functionality such as password reset mechanisms<br />
# Ensuring account lockout after an 3 - 5 failed login attempts<br />
# Ensuring credentials are not exposed while connected to wireless networks<br />
# Implementing two factor authentication if possible<br />
# Apply mobile app obfuscation techinque<br />
# Implement mbile app anti-tempering mechanism<br />
# Ensuring the mobile app's memory hacking is possible<br />
# Restric the mobile app's execution on tempered OS environment<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' Password reset indicates whether account exist or not.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Password Reset<br />
"That account does not exist."<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are poorly protected when transmitted over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Authorization: Basic S2ZjSDFzYkF4ZzoxMjM0NTY3<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either determine a valid user account or is able to capture the credentials as they cross the network and decode them since the credentials are only protected using Base64 Encoding.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks OWASP Top Ten Mobile Risks]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I6_Insecure_Cloud_Interface&diff=208172Top 10 2014-I6 Insecure Cloud Interface2016-02-05T06:37:55Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the internet.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the cloud website. Attack will most likely come from the internet.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>An insecure cloud interface is present when easy to guess credentials are used or account enumeration is possible. Insecure cloud interfaces are easy to discover by simply reviewing the connection to the cloud interface and identifying if SSL is in use or by using the password reset mechanism to identify valid accounts which can lead to account enumeration.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>An insecure cloud interface could lead to compromise of user data and control over the device.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of an insecure cloud interface. Data could be stolen or modified and control over devices assumed. Could your customers be harmed? Could your brand be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Cloud Interface Secure?|position=firstLeft|year=2013|language=en}}<br />
Checking for a Insecure Cloud Interface includes:<br />
* Determining if the default username and password can be changed during initial product setup<br />
* Determining if a specific user account is locked out after 3 - 5 failed login attempts<br />
* Determining if valid accounts can be identified using password recovery mechanisms or new user pages<br />
* Reviewing the interface for issues such as cross-site scripting, cross-site request forgery and sql injection.<br />
* Reviewing all cloud interfaces for vulnerabilities (API interfaces and cloud-based web interfaces)<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Cloud Interface?|position=right|year=2013|language=en}}<br />
A secure cloud interface requires:<br />
# Default passwords and ideally default usernames to be changed during initial setup<br />
# Ensuring user accounts can not be enumerated using functionality such as password reset mechanisms<br />
# Ensuring account lockout after 3- 5 failed login attempts<br />
# Ensuring the cloud-based web interface is not susceptible to XSS, SQLi or CSRF<br />
# Ensuring credentials are not exposed over the internet<br />
# Implement two factor authentication if possible<br />
# Detect or block the abnormal reqests/attempts<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' Password reset indicates whether account is valid.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Password Reset "That account does not exist."<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are poorly protected when transmitted over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Authorization: Basic S2ZjSDFzYkF4ZzoxMjM0NTY3<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either determine a valid user account or is able to capture the credentials as they cross the network and decode them since the credentials are only protected using Base64 Encoding.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
* [https://www.owasp.org/index.php/Top_10_2013-A1-Injection Top 10 2013-A1-Injection]<br />
* [https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Top 10 2013-A3-Cross-Site Scripting]<br />
* [https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) Top 10 2013-A8-Cross-Site Request Forgery (CSRF)]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I5_Privacy_Concerns&diff=208171Top 10 2014-I5 Privacy Concerns2016-02-05T06:34:03Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device itself, the network the device is connected to, the mobile application and the cloud connection including external and internal users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Privacy concerns generated by the collection of personal data in addition to the lack of proper protection of that data is prevalent. Privacy concerns are easy to discover by simply reviewing the data that is being collected as the user sets up and activates the device. Automated tools can also look for specific patterns of data that may indicate collection of personal data or other sensitive data.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of personal data that is collected unnecessarily or isn't protected properly. Data could be stolen. Could your customers be harmed by having this personal data exposed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Does My Device Present Privacy Concerns?|position=firstLeft|year=2013|language=en}}<br />
Checking for Privacy Concerns includes:<br />
* Identifying all data types that are being collected by the device, its mobile application and any cloud interfaces<br />
* The device and it's various components should only collect what is necessary to perform its function<br />
* Personally identifiable information can be exposed when not properly encrypted while at rest on storage mediums and during transit over networks<br />
* Reviewing who has access to personal information that is collected<br />
* Determining if data collected can be de-identified or anonymized<br />
* Determining if data collected is beyond what is needed for proper operation of the device (Does the end-user have a choice for this data collection?)<br />
* Determining if a data retention policy is in place<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Prevent Privacy Concerns?|position=right|year=2013|language=en}}<br />
Minimizing privacy concerns requires:<br />
# Ensuring only data critical to the functionality of the device is collected<br />
# Ensuring that any data collected is of a less sensitive nature (i.e., try not to collect sensitive data)<br />
# Ensuring that any data collected is de-identified or anonymized<br />
# Ensuring any data collected is properly protected with encryption<br />
# Ensuring the device and all of its components properly protect personal information<br />
# Ensuring only authorized individuals have access to collected personal information<br />
# Ensuring that retention limits are set for collected data<br />
# Ensuring that end-users are provided with "Notice and Choice" if data collected is more than what would be expected from the product<br />
# Ensuring the role based access control/authorization to the collected data/analyzed data is applied<br />
# Ensuring that the analyzed data is de-identified<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' Collection of personal data.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Date of birth, home address, phone number, etc.<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Collection of financial and/or health information.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Credit card data and bank account information.<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, exposure of any of the data examples could lead to identity theft or compromise of accounts.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}} <br><br />
[https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things FTC: Careful Connections: Building Security in the Internet of Things]<br />
[https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf FTC: Internet of Things, Privacy & Security in a Connected World]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=208170OWASP Internet of Things Project2016-02-05T06:09:16Z<p>Yunsoul: /* Top 10 IoT Vulnerabilities (2014) Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/tag/podcasts/ IoT Inc]<br />
* [https://soundcloud.com/craig-smith-381 IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I4_Lack_of_Transport_Encryption&diff=208169Top 10 2014-I4 Lack of Transport Encryption2016-02-05T06:08:44Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the network the device is connected to, including external and internal users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses the lack of transport encryption to view data being passed over the network. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Lack of transport encryption allows data to be viewed as it travels over local networks or the internet. Lack of transport encryption is prevalent on local networks as it is easy to assume that local network traffic will not be widely visible, however in the case of a local wireless network, misconfiguration of that wireless network can make traffic visible to anyone within range of that wireless network. Many Issues with transport encryption are easy to discover simply by viewing network traffic and searching for readable data. Automated tools can also look for proper implementation of common transport encryption such as SSL and TLS.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Lack of transport encryption can result in data loss and depending on the data exposed, could lead to complete compromise of the device or user accounts.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of exposed data as it travels across various networks. Data could be stolen or modified. Could your users be harmed by having their data exposed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Do I Use Transport Encryption?|position=firstLeft|year=2013|language=en}}<br />
Checking for Lack of Transport Encryption includes:<br />
* Reviewing network traffic of the device, its mobile application and any cloud connections to determine if any information is passed in clear text<br />
* Reviewing the use of SSL or TLS to ensure it is up to date and properly implemented<br />
* Reviewing the use of any encryption protocols to ensure they are recommended and accepted<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Use Transport Encryption?|position=right|year=2013|language=en}}<br />
Sufficient transport encryption requires:<br />
# Ensuring data is encrypted using protocols such as SSL and TLS while transiting networks.<br />
# Ensuring other industry standard encryption techniques are utilized to protect data during transport if SSL or TLS are not available.<br />
# Ensuring only accepted encryption standards are used and avoid using proprietary encryption protocols<br />
# Ensuring the message payload encryption<br />
# Ensuring the secure encryption key handshaking<br />
# Ensuring received data integrity verification<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' The cloud interface uses only HTTP.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
<nowiki>http://www.xyzcloudsite.com</nowiki><br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are transmitted in the clear over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
<nowiki>http://www.xyzcloud.com/login.php?userid=3&password=1234</nowiki><br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker has the ability to view sensitive data in the clear due to lack of transport encryption.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I3_Insecure_Network_Services&diff=208168Top 10 2014-I3 Insecure Network Services2016-02-05T05:56:38Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=3|detectability=2|impact=2|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device via a network connection, including external and internal users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses vulnerable network services to attack the device itself or bounce attacks off the device. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure network services may be susceptible to buffer overflow attacks or attacks that create a denial of service condition leaving the device inaccessible to the user. Denial of service attacks against other users may also be facilitated when insecure network services are available. Insecure network services can often be detected by automated tools such as port scanners and fuzzers.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure network services can result in data loss or corruption, denial of service or facilitation of attacks on other devices.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of devices which have been rendered useless from a denial of service attack or the device is used to facilitate attacks against other devices and networks. Could your customers or other users be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Are My Network Services Secure?|position=firstLeft|year=2013|language=en}}<br />
Checking for Insecure Network Services includes:<br />
* Determining if insecure network services exist by reviewing your device for open ports using a port scanner<br />
* As open ports are identified, each can be tested using any number of automated tools that look for DoS vulnerabilities, vulnerabilities related to UDP services and vulnerabilities related to buffer overflow and fuzzing attacks<br />
* Reviewing network ports to ensure they are absolutely necessary and if there are any ports being exposed to the internet using UPnP.<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Network Services?|position=right|year=2013|language=en}}<br />
Securing network services requires:<br />
# Ensuring only necessary ports are exposed and available.<br />
# Ensuring services are not vulnerable to buffer overflow and fuzzing attacks.<br />
# Ensuring services are not vulnerable to DoS attacks which can affect the device itself or other devices and/or users on the local network or other networks.<br />
# Ensuring network ports or services are not exposed to the internet via UPnP for example<br />
# The abnormal service request traffic should be detected and blocked on service gateway layer<br />
<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' Fuzzing attack causes network service and device to crash.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
GET %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s HTTP/1.0<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Ports open to the internet possibly without the user's knowledge via UPnP.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Port 80 and 443 exposed to the internet via a home router.<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to disable the device completely with an HTTP GET or access the device via the internet over port 80 and/or port 443.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I2_Insufficient_Authentication/Authorization&diff=208167Top 10 2014-I2 Insufficient Authentication/Authorization2016-02-05T05:48:04Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the web interface, mobile interface or cloud interface including internal and external users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent as it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks. Deficiencies are often found to be present across all interfaces. Many Issues with authentication/authorization are easy to discover when examining the interface manually and can also be discovered via automated testing.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of compromised user accounts and possibly devices. All data could be stolen, modified, or deleted. Could your customers be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Authentication/Authorization Sufficient?|position=firstLeft|year=2013|language=en}}<br />
<br />
Checking for Insufficient Authentication includes:<br />
* Attempting to use simple passwords such as "1234" is a fast and easy way to determine if the password policy is sufficient across all interfaces<br />
* Reviewing network traffic to determine if credentials are being transmitted in clear text<br />
* Reviewing requirements around password controls such as password complexity, password history check, password expiration and forced password reset for new users<br />
* Reviewing whether re-authentication is required for sensitive features<br />
<br />
Checking for Insufficient Authorization includes:<br />
* Reviewing the various interfaces to determine whether the interfaces allow for separation of roles. For example, all features will be accessible to administrators, but users will have a more limited set of features available.<br />
* Reviewing access controls and testing for privilege escalation<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Make My Authentication/Authorization Better?|position=right|year=2013|language=en}}<br />
Sufficient authentication/authorization requires:<br />
# Ensuring that the strong passwords are required<br />
# Ensuring granular access control is in place when necessary<br />
# Ensuring credentials are properly protected<br />
# Implement two factor authentication where possible<br />
# Ensuring that password recovery mechanisms are secure<br />
# Ensuring re-authentication is required for sensitive features<br />
# Ensuring options are available for configuring password controls<br />
# Ensuring credential can be revoked<br />
# The app authentication is required<br />
# The device authentication is required<br />
# Manage authenicated user id(credential info.) and the user's device id, the user's app id mapping table in the authentication server<br />
# Ensuring that the authentication token/session key issuing to client is always different<br />
# Ensuring that the user id, app id, device id is universally unique<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' The interface only requires simple passwords.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Username = Bob; Password = 1234<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are poorly protected when transmitted over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Authorization: Basic YWRtaW46MTIzNA==<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management Top 10 2013-A2-Broken Authentication and Session Management]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=Top_10_2014-I2_Insufficient_Authentication/Authorization&diff=208166Top 10 2014-I2 Insufficient Authentication/Authorization2016-02-05T05:47:40Z<p>Yunsoul: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center><br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}<br />
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the web interface, mobile interface or cloud interface including internal and external users.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface. Attack could come from external or internal users.<br />
<br />
</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent as it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks. Deficiencies are often found to be present across all interfaces. Many Issues with authentication/authorization are easy to discover when examining the interface manually and can also be discovered via automated testing.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of compromised user accounts and possibly devices. All data could be stolen, modified, or deleted. Could your customers be harmed?<br />
<br />
</td><br />
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Authentication/Authorization Sufficient?|position=firstLeft|year=2013|language=en}}<br />
<br />
Checking for Insufficient Authentication includes:<br />
* Attempting to use simple passwords such as "1234" is a fast and easy way to determine if the password policy is sufficient across all interfaces<br />
* Reviewing network traffic to determine if credentials are being transmitted in clear text<br />
* Reviewing requirements around password controls such as password complexity, password history check, password expiration and forced password reset for new users<br />
* Reviewing whether re-authentication is required for sensitive features<br />
<br />
Checking for Insufficient Authorization includes:<br />
* Reviewing the various interfaces to determine whether the interfaces allow for separation of roles. For example, all features will be accessible to administrators, but users will have a more limited set of features available.<br />
* Reviewing access controls and testing for privilege escalation<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Make My Authentication/Authorization Better?|position=right|year=2013|language=en}}<br />
Sufficient authentication/authorization requires:<br />
# Ensuring that the strong passwords are required<br />
# Ensuring granular access control is in place when necessary<br />
# Ensuring credentials are properly protected<br />
# Implement two factor authentication where possible<br />
# Ensuring that password recovery mechanisms are secure<br />
# Ensuring re-authentication is required for sensitive features<br />
# Ensuring options are available for configuring password controls<br />
# Ensuring credential can be revoked<br />
# The app authentication is required<br />
# The device authentication is required<br />
# Manage authenicated user id(creadential info.) and the user's device id, the user's app id mapping table in the authentication server<br />
# Ensuring that the authentication token/session key issuing to client is always different<br />
# Ensuring that the user id, app id, device id is universally unique<br />
<br />
Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}<br />
'''Scenario #1:''' The interface only requires simple passwords.<br />
<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Username = Bob; Password = 1234<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
'''Scenario #2:''' Username and password are poorly protected when transmitted over the network.<br />
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><br />
Authorization: Basic YWRtaW46MTIzNA==<br />
<br />
</span>{{Top_10_2010:ExampleEndTemplate}}<br />
In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.<br />
<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
[https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management Top 10 2013-A2-Broken Authentication and Session Management]<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=208099OWASP Internet of Things Project2016-02-04T09:31:16Z<p>Yunsoul: /* IoT Attack Surface Areas Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/tag/podcasts/ IoT Inc]<br />
* [https://soundcloud.com/craig-smith-381 IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoulhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=208097OWASP Internet of Things Project2016-02-04T08:17:03Z<p>Yunsoul: /* IoT Attack Surface Areas Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
[[File:iot-project.png|400px|thumb|center]]<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides:<br />
<br />
* IoT Attack Surface Areas<br />
* IoT Testing Guides<br />
* Top 10 IoT Vulnerabilities<br />
* IoT Security Guidance<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* Developer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Major Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [[OWASP_.NET_Project|OWASP .NET]]<br />
* [[Java|OWASP Java and JVM]]<br />
* [[C/C++|OWASP C/C++]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* Daniel Miessler gave his IoT talk at DEFCON 23<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. <br />
* IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem Access Control'''<br />
|<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Cleartext usernames<br />
* Cleartext passwords<br />
* Third-party credentials<br />
* Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Encryption (Symmetric, Asymmetric)<br />
* Firmware version display and/or last update date<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* SQL injection<br />
* Cross-site scripting<br />
* Cross-site Request Forgery<br />
* Username enumeration<br />
* Weak passwords<br />
* Account lockout<br />
* Known default credentials<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, Zigbee, Bluetooth)<br />
* Protocol fuzzing<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides:<br />
<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top IoT Vulnerabilities]<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Top 10 IoT Vulnerabilities (2014) =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Top 10 IoT Vulnerabilities (2014) Project ==<br />
<br />
The OWASP Top 10 IoT Vulnerabilties are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank<br />
! Title<br />
|- <br />
| '''I1'''<br />
|<br />
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]<br />
|- <br />
| '''I2'''<br />
|<br />
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]<br />
|- <br />
| '''I3'''<br />
|<br />
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]<br />
|-<br />
| '''I4'''<br />
|<br />
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption]]<br />
|- <br />
| '''I5'''<br />
|<br />
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]<br />
|- <br />
| '''I6'''<br />
|<br />
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]<br />
|- <br />
| '''I7'''<br />
|<br />
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]<br />
|- <br />
| '''I8'''<br />
|<br />
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]<br />
|- <br />
| '''I9'''<br />
|<br />
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]<br />
|- <br />
| '''I10'''<br />
|<br />
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Top 10 IoT Vulnerabiltiies Project? ==<br />
<br />
The Top 10 IoT Vulnerabilities Project provides:<br />
<br />
* A list of the top 10 internet of things vulnerabilities<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilties<br />
|<br />
* Hardcoded credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption keys<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|- <br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file systems for sensitive of interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| border="1" class="wikitable" style="text-align: left"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
== ==<br />
{{Social Media Links}}<br />
<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Email List ==<br />
[mailto:owasp_internet_of_things_project-request@lists.owasp.org Mailing List]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
== ==<br />
[http://builditsecure.ly BuildItSecure.ly]<br />
<br />
A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.<br />
<br />
Their goals include:<br />
* Focus effort towards small business<br />
* Build partnerships<br />
* Coordinate efforts<br />
* Curate informational resources<br />
* Present research<br />
== ==<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.<br />
== ==<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
== ==<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
== ==<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/tag/podcasts/ IoT Inc]<br />
* [https://soundcloud.com/craig-smith-381 IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane]<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
| links_url1 = <br />
| links_name1 = <br />
}} <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Yunsoul