This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Updating and Patching The Internet of Things"
From OWASP
(→Major Topics) |
(→Methodology to Determine Cat 1 vs Cat 2) |
||
Line 20: | Line 20: | ||
=== Methodology to Determine Cat 1 vs Cat 2 === | === Methodology to Determine Cat 1 vs Cat 2 === | ||
Prescriptive process to determine if an IoT is cat 1 or cat 2 | Prescriptive process to determine if an IoT is cat 1 or cat 2 | ||
+ | * Ideas for consideration to determine cat 1 | ||
+ | ** A malfunction to the device results in immediate impact to safety/wellbeing of individuals | ||
+ | |||
+ | ToDo: Review other risk frameworks and determine applicability | ||
== Expectations for Updates == | == Expectations for Updates == |
Revision as of 18:24, 26 August 2014
Note: This page is a work in progress to capture major ideas on the topic. It will be formalized as the community provides more information and review.
Background
Discussion on OWASP-Community mailing list - Internet of Things and criticality of patching
- Mailing List Archive - Thread starts at "Fwd: Reliable Patching as Top IoT Security Concern"
- Venture Beat Article by Michael Coates The Internet of Things will be vulnerable for years, and no one is incentivized to fix it
- OWASP Internet of Things Top 10 & #9 Insecure Software/Firmware
Major Topics
Seamless & Reliable Update vs Secure Update
Explain the difference in the intent of the topics
Different Categories of IoT Devices
Life impacting vs internet as a feature
- Category 1 - Medical & other life impacting systems, cars, what else?
- Category 2 - Non-life systems - Ovens, refrigerators, pedometers, thermostats
Methodology to Determine Cat 1 vs Cat 2
Prescriptive process to determine if an IoT is cat 1 or cat 2
- Ideas for consideration to determine cat 1
- A malfunction to the device results in immediate impact to safety/wellbeing of individuals
ToDo: Review other risk frameworks and determine applicability
Expectations for Updates
Cat 1
Delivered under supervision
Cat 2
- Delivered remotely
- Point of consideration - whether to allow users to delay update for X # of hours, force reboot, etc