Embedded AppSec Best Practices

Embedded Application Security Best Practices

OWASP Embedded Application Security Project Wiki Page

Welcome

Thank you for your interest in the OWASP Embedded Application Security Project. This is the development version of the OWASP Embedded Application Security Best Practices Guide, and will be converted into PDF & MediaWiki for publishing when complete.

This document was put together through the collaborative efforts of developers, engineers, and hobbyists with the sole purpose of helping manufacturers produce embedded devices with security in mind. A special "thank you" is due to all those who have contributed (see below) as well as those who continue to see this project evolve. It is our goal that this document will provide a detailed technical pathway for manufacturers to build secure devices for an increasingly insecure world. This is considered a "living" document, as it is open to feedback and further collaboration; please contact the project leaders with any feedback you may have.

Made possible by contributions from:

  • Jim Manico
  • Benjamin Samuels
  • Janet Kulp

GitBook integration

For a pleasant reading experience, use GitBook to turn this document into a PDF, e-book, website, etc.

Contributing

You do not have to be a security expert in order to contribute!

Some of the ways you can help:

  • Technical editing
  • Review
  • Diagrams
  • Graphic design
  • Code snippets in your favorite language
  • Translate guidance material

Feel free to sign up for a task from our roadmap below or add your own idea to the roadmap. To get started, create a GitBook account or sign in with your GitHub credentials to add comments and make edits. All changes are tracked and synced to https://github.com/scriptingxss/embeddedappsec. Alternatively, clone the GitHub repo, make your edits in your favorite markdown editor, and submit a pull request. Feel free to contact the project leaders for ways to get involved.

2018 Roadmap

Introductory Embedded Section

  • Expand on what embedded firmware is (8-, 16-, 32-bit; minimal hardware resources; list embedded use cases and industries)
  • Describe types of architectures (MIPS, ARM, PowerPC, x86 etc.)
  • Describe types of firmware and operating systems
  • Layout of firmware for embedded Linux, RTOS, and Embedded Windows

Expand on embedded best practices

  • Secure boot recommendations
    • U-boot
  • Create examples of software bill of materials (BOM)
  • Additional examples, per programming language, of system calls or APIs exposed to command injection
  • Break out subsections for each of the platforms with contextual guidance and configurations
  • Expand on hardening for:
    • Embedded Linux
    • RTOS (QNX/MQX)
  • Best practices/considerations for PKI in embedded systems

Create example embedded application security requirements for new products

  • Integrate with ASVS or create an EASVS (Embedded Application Security Verification Standard)
  • Integrate with the IoT project

Join the mailing list and Slack channel, and contact the project leaders if you feel you can contribute.

Project Leaders

Aaron Guzman @scriptingxss

Alex Lafrenz @zerofrenz