2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman
Published January 22, 2019 | 46 min

    intro

    CFP for Bsides Barcelona is open! https://bsides.barcelona

    Aaron Guzman: @scriptingxss

    https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

    https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

    https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

    OWASP SLACK: https://owasp.slack.com/

    https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

    Team of 10 or so… list of “do’s and don’ts”

    Sub-projects? Embedded systems, car hacking

    Embedded applications best practices? *potential show*

    Standards: https://xkcd.com/927/

    CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

    California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

    How did you decide on the initial criteria?

    1. Weak, Guessable, or Hardcoded Passwords
    2. Insecure Network Services
    3. Insecure Ecosystem Interfaces
    4. Lack of Secure Update Mechanism
    5. Use of Insecure or Outdated Components
    6. Insufficient Privacy Mechanisms
    7. Insecure Data Transfer and Storage
    8. Lack of Device Management
    9. Insecure Default Settings
    10. Lack of Physical Hardening

    2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

    2014 list:

    BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

    What didn’t make the list? How do we get Devs onboard with these?

    How does someone interested get involved with the OWASP IoT working group?

    https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

    https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

    https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

    https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

    https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

    https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

    https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store: https://www.teepublic.com/user/bdspodcast

    #Spotify: https://brakesec.com/spotifyBDS

    #RSS: https://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloud: https://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
