[OWASP IoT Project] Some unjumbled thoughts based on discussions at AppSec EU

Steve Lord stlord at gmail.com
Fri May 22 19:12:09 UTC 2015

Hi Daniel,

So after my talk, I sat down with Josh Corman from I am the Cavalry, and a chap called Felix from FSF Europe. There were a few ideas batted around, and I was wondering what your thoughts are on them. I totally get that this is out of the blue and a bit left field, so feel free to take your time and have a proper think, and let me know. Ultimately I’ll support whatever you think is right. I don’t have a lot of free time to spare, but I’ll try to help where I can.

1. Perceptions of an OWASP Top 10.

One area of agreement was that the OWASP Top 10 (the big one) is one of OWASP’s most successful projects. However, because of its success, it’s viewed as a panacea and a standard rather than as a starting point for discussion. The IoT industry, insurers and regulators are looking for standards in this space, and there’s a strong chance that OWASP could be a strong influencer in this area. However, it would be a terrible shame to not learn from the mistakes of the Top 10, especially when there’s already other work in this space (specifically I am the Cavalry’s 5 star programme).

2. Structure of an OWASP IoT project.

In my discussions, there was broad agreement that OWASP is at its best influencing and supporting other projects. A Top 10 is fine, but is a single document that could be a component of a larger, broader role in IoT for OWASP. What would your views be on engaging people like Builditsecure.ly, I am the Cavalry and some vendors to assist in a broader IoT project?

Furthermore, how would you feel about OWASP’s primary role in IoT being more of a point of presence for assisting vendors, developers and manufacturers in finding known good IoT info rather than relying on solely producing it ourselves? In this scenario we could still have a top 10 doc or any number of other sub-projects but we’d be able to avoid the issue of life getting in the way of updates. It would also allow us to bring in broader partnerships with other organisations working in this space.

3. Modifications to the OWASP IoT Top 10

How set in stone are you on the current line-up? How up for debate on the structure are you?

Hope this is useful,
