OWASP Embedded Application Security

OWASP Embedded Application Security Project

Each year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is crucial that guidelines form OWASP on embedded software should be created. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.

Licensing

The OWASP Embedded Application Security Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is the OWASP Embedded Application Security Project?

The OWASP Embedded Application Security Project provides:

• Items here

Project Leaders

• Aaron Guzman

Related Projects

• OWASP Project Repository
• OWASP Mobile Security
• OWASP Web Top 10
• OWASP .NET
• OWASP Java and JVM
• OWASP C/C++

Classifications

Embedded Testing Tools Provide security testing guidance for Embedded Devices: Section Device Firmware Vulnerabilties Hardcoded credentials Sensitive information disclosure Sensitive URL disclosure Encryption keys Backdoor accounts Vulnerable services (web, ssh, tftp, etc.) Device Firmware Guidance and Instruction Firmware file analysis Firmware extraction Dynamic binary analysis Static binary analysis Static code analysis Firmware emulation File system analysis Device Firmware Tools Firmwalker Firmware Modification Kit Angr binary analysis framework Binwalk firmware analysis tool Binary Analysis Tool What is the Firmware Analysis Project? The Firmware Analysis Project provides: Security testing guidance for vulnerabilities in the "Device Firmware" attack surface Steps for extracting file systems from various firmware files Guidance on searching a file systems for sensitive of interesting data Information on static analysis of firmware contents Information on dynamic analysis of emulated services (e.g. web admin interface) Testing tool links A site for pulling together existing information on firmware analysis Related Projects OWASP Mobile Security OWASP Web Top 10 Email List Mailing List Resources IoT Firmware Analysis Pre-compiled QEMU images Firmware Modification Kit Short Firmware Extraction Video Firmware Emulation with QEMU Related Projects OWASP Mobile Security OWASP Web Top 10 Email List Mailing List Project Leaders Related Projects OWASP Mobile Security OWASP Web Top 10 Email List Mailing List PROJECT INFO What does this OWASP project offer you? RELEASE(S) INFO What releases are available for this project? what is this project? Name: OWASP Embedded Application Security Purpose: N/A License: N/A who is working on this project? Project Leader(s): Aaron Guzman @ how can you learn more? Project Pamphlet: Not Yet Created Project Presentation: Mailing list: N/A Project Roadmap: Not Yet Created Key Contacts Contact Aaron Guzman @ to contribute to this project Contact Aaron Guzman @ to review or sponsor this project current release Not Yet Published last reviewed release Not Yet Reviewed other releases