[Owasp_embedded_application_security] Discussion

Aaron Guzman aaron.guzman at owasp.org
Tue Mar 17 22:17:23 UTC 2015


Hi Everyone, 


Thanks to all who have joined within the last week. I have created a google group to collaborate better. 

https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec <https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec>


Below is a discussion I have started on the google group. If anyone is interested in making additions, please fill free to reply on the google group thread.


We want to start creating a list of best practices and top risks for embedded technology. Whether we want to keep it at a list of 10 or more, I think it is important that we collaborate and put our embedded experiences together for a reference. It is

I will start with my list of best practices 


1. Cryptographic Signing of firmware required for firmware updating functions
2.Verify SSL/TLS Certificates (SSL Pinning) during secure functions to embedded devices. I.E. Firmware updates
3.Modify Busybox to only libraries and functions that are being used. (e.g. take out telnet, perl etc)
4.Prevent the use of static passwords such as admin/admin or similar variants for service passwords inside the firmware
5.Private Keys and passwords should not be stored on the embedded device.
6.Protection against memory-corruption vulnerabilities inside firmware functions. (do not use dangerous C functions)
7.Update kernel and packages on embedded images to prevent known vulnerabilities

Maybe one about testing embedded images for ODM backdoors? up for discussion


Feel free to make additions and discussions around embedded security. I would love to have a call in the coming weeks to flesh out and make a best practice list mature.


thanks again!

--
Aaron G
OWASP-LA Board Member
Twitter: @scriptingxss
Linkedin: http://lnkd.in/bds3MgN <http://lnkd.in/bds3MgN>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_embedded_application_security/attachments/20150317/233938fc/attachment.html>


More information about the Owasp_embedded_application_security mailing list