Difference between revisions of "OWASP Embedded Application Security"
From OWASP
Aaron.guzman (talk | contribs) (→E7 – Debug Code and Interfaces) |
Aaron.guzman (talk | contribs) (→Table of Contents) |
| Line 66: | Line 66: | ||
==Top 10== | ==Top 10== | ||
=== E1 – Memory Protections === | === E1 – Memory Protections === | ||
| − | === E2 – Injection === | + | === E2 – Injection Prevention === |
=== E3 – Firmware Updates and Cryptographic Signatures === | === E3 – Firmware Updates and Cryptographic Signatures === | ||
| − | === E4 – Secrets and Keys === | + | === E4 – Usage of Secrets and Keys === |
| − | === E5 – | + | === E5 – Identity Management === |
=== E6 – Embedded Framework Hardening === | === E6 – Embedded Framework Hardening === | ||
=== E7 – Usage of Debug Code and Interfaces === | === E7 – Usage of Debug Code and Interfaces === | ||
=== E8 – Transport Layer Security === | === E8 – Transport Layer Security === | ||
| − | === E9 – Data collection and Storage === | + | === E9 – Data collection Usage and Storage - Privacy === |
| − | === E10 – | + | === E10 – Third Party Code and Components === |
== Note on Hardware == | == Note on Hardware == | ||
== Get Involved == | == Get Involved == | ||
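Review bot: The renamed E9 heading, "Data collection Usage and Storage - Privacy", lowercases "collection", runs "collection Usage" together without a separator, and adds a spaced hyphen before "Privacy", while the other Top 10 headings are title-cased and use a dash only after the item number. Suggest something like "E9 – Data Collection, Usage and Storage (Privacy)". Separately, the old side shows E5 and E10 with no title at all, so "Identity Management" and "Third Party Code and Components" are new titles rather than renames; it is worth confirming they match the linked working document before they are referenced elsewhere.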
Revision as of 04:18, 4 January 2017
The Working Document can be found here (Google Docs) https://docs.google.com/document/d/1NxpVCeiglY1wHhmw7U-e9jnHgd-jQI-Y6sbdeKzUpQE/edit?usp=sharing
Draft: the items below are subject to change.
Introduction
Release Notes
Risk Involved
Top 10
E1 – Memory Protections
E2 – Injection Prevention
E3 – Firmware Updates and Cryptographic Signatures
E4 – Usage of Secrets and Keys
E5 – Identity Management
E6 – Embedded Framework Hardening
E7 – Usage of Debug Code and Interfaces
E8 – Transport Layer Security
E9 – Data collection Usage and Storage - Privacy
E10 – Third Party Code and Components
Note on Hardware
Get Involved
- Angr - [1]
- Firmadyne [2]
- Firmwalker [3]
- Binary Analysis [4]
- Flaw Finder [5]
- IDA Pro (supports ARM / MIPS)
- Radare2 [6]
- GDB
- Binwalk [7]
- Firmware-mod-toolkit [8]
- Capstone framework [9]
- Shikra [10]
- JTagulator [11]
- UART cables
- JTAG Adapters (JLINK)
- BusPirate
- BusBlaster
- CPLDs (in lieu of FPGAs)
- Oscilloscopes
- Multimeter (Ammeter, Voltmeter, etc.)
- Logic Analyzers for SPI [12]
- OpenOCD
- GreatFET [13]
2016-2017 Roadmap
- Curate a list of embedded secure coding best practices.
- Create a Top 10 Embedded Application Security list.
- Participate in PR-related activities to involve the embedded community at large.
- Contribute to ASVS with embedded security principles.
Feel free to join the mailing list and contact the Project leader if you feel you can contribute.


