[Owasp-community] Fwd: Reliable Patching as Top IoT Security Concern

Michael Coates michael.coates at owasp.org
Mon Aug 25 02:11:05 UTC 2014


OWASP Community,

I realized the Internet of Things mailing list has only a few subscribers,
so I'm forwarding this on to a wider list to get some discussion started.

What is your opinion on the need to specifically call out "Reliable and
Effective Update Model" for Internet of Things?

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014



--
Michael Coates
Chairman, OWASP Board
@_mwc



---------- Forwarded message ----------
From: Michael Coates <michael.coates at owasp.org>
Date: Fri, Aug 22, 2014 at 6:34 PM
Subject: Reliable Patching as Top IoT Security Concern
To: Daniel Miessler <daniel at danielmiessler.com>,
owasp_internet_of_things_top_ten_project at lists.owasp.org,
Jason Haddix <Jason.Haddix at owasp.org>


Team,

When looking at the Internet of Things and security vulnerabilities I'm
certainly happy that we've built a top 10 list. One thing that has come to
mind often is a more fundamental vulnerability - the ability to reliably
and effectively patch/update devices in the field.

If there is one item I would want in all IoT it is the ability to patch.
Imagine critical security vuln X is found in a device. If the only way to
mitigate that is for a customer to (1) buy a new device or (2) download and
manually patch firmware then we're looking at a <1% update rate. The
reality is that the vulnerability will be unresolved until the hardware
fails and forces people to "upgrade" via a new purchase.

So, while I completely agree with all guidance to build securely and avoid
security vulns in the first place, we have to admit that problems will
happen. When they do, will a vendor be able to actually deploy that patch, or
will it just be "available" and not actually address the issue en masse?

For comparison, look at iOS vs Android. Both patch, but one ecosystem gets
the patches delivered and one doesn't. The results of those systems are
quite clear.

I'm interested in everyone's thoughts and whether this has already been
considered for the IoT Top 10.


Thanks!

--
Michael Coates
Chairman, OWASP Board
@_mwc