[OWASP IoT Project] Some unjumbled thoughts based on discussions at AppSec EU

Daniel Miessler daniel.miessler at owasp.org
Sat May 23 00:12:21 UTC 2015


> On May 22, 2015, at 12:12 PM, Steve Lord <stlord at gmail.com> wrote:
> 
> Hi Daniel,
> 
> So after my talk, I sat down with Josh Corman from I am the Cavalry, and a chap called Felix from FSF Europe. There were a few ideas batted around, and I was wondering what your thoughts are on them. I totally get that this is out of the blue and a bit left field, so feel free to take your time and have a proper think, and let me know. Ultimately I’ll support whatever you think is right. I don’t have a lot of free time to spare, but I’ll try to help where I can.

Sounds great, man. Thanks for taking the time.

> 1. Perceptions of an OWASP Top 10.
> 
> One area of agreement was that the OWASP Top 10 (the big one) is one of OWASP’s most successful projects. However, because of its success, it’s viewed as a panacea and a standard rather than as a starting point for discussion. The IoT industry, insurers and regulators are looking for standards in this space, and there’s a strong chance that OWASP could be a strong influencer in this area. However, it would be a terrible shame to not learn from the mistakes of the Top 10, especially when there’s already other work in this space (specifically I am the Cavalry’s 5 star programme).

I agree that the OWASP structure has some limitations, including the history of its most famous projects, but I don’t think it’s a reason to abandon it as a platform for raising awareness. I think we just need to be thoughtful about our approach.

As I’ll talk about below, I think we’re taking a much different track than most OWASP projects by giving prescriptive guidance, displayed prominently via tabs, for various groups to benefit from.

The #1 thing that we on this project see out there is a desire for prescriptive advice. They want to know the few things that they should definitely be doing, and the few things that they should definitely be avoiding.

I think that’s a spectacular use case for an OWASP project, and that’s precisely what we’ve set out to deliver.

> 2. Structure of an OWASP IoT project.
> 
> In my discussions, there was broad agreement that OWASP is at its best influencing and supporting other projects.

I’d say that differently I think. I’d say that each project should have a focus, and that each should pivot out to other projects where necessary, but if it’s just supporting other projects then it shouldn’t exist at all. At that point it’s just a distraction.

> A Top 10 is fine, but is a single document that could be a component of a larger, broader role in IoT for OWASP. What would your views be on engaging people like Builditsecure.ly, I am the Cavalry and some vendors to assist in a broader IoT project?

Great question. I’ve already had meetings with Mark and Zach of Builditsecure.ly (http://builditsecure.ly/), and have had a couple of conversations with Josh as well about this, for the exact purpose of cross-project cooperation.

My goal there was (and continues to be) to find out what each project is good at, and play to those strengths. I even did a post about it here: https://danielmiessler.com/blog/iot-community-project/



In short, the OWASP project is about quick prescriptive guidance for groups in various contexts, e.g., manufacturers, testers, developers, and consumers. BuildItSecure.ly (http://builditsecure.ly/) is about connecting researchers to SMBs to help get their products tested, and I Am The Cavalry is focused on securing IoT as it relates to public safety.

I think that’s a pretty clean distinction, and I happily and frequently refer people to Mark/Zach/Josh’s projects all the time.

> Furthermore, how would you feel about OWASP’s primary role in IoT being more of a point of presence for assisting vendors, developers and manufacturers in finding known good IoT info rather than relying on solely producing it ourselves?

I thought about that initially, but I don’t think there’s as much force behind a project that’s a collection of links to go elsewhere as there is for one resource for prescriptive help. And from there they can go and read deeper in various other places.

Here’s how we have it broken down in the top tabs:



The tabs for each role/context are what we think is helpful, and we’ve heard the same from users. Then in each section we have the following:



It’s not comprehensive. It’s not the end of the story. But it’s a damn good start for addressing the biggest problems. And again, we can link out to other projects where appropriate.

One thing I’ll mention here is that I’m not a fan of the “Top 10” part of this project. I’m good with mapping the top attack surface areas, which is really what I’m focusing on, but I dislike the “Top 10” legacy that we’re forced into. I’d like to drop it from the name actually, but I’m concerned about the fallout given how familiar it is to people.

> 3. Modifications to the OWASP IoT Top 10
> 
> How set in stone are you on the current line-up? How up for debate on the structure are you?

Not at all set in stone. Really looking for feedback and modifications. I’m stoked about getting this feedback from you, and look forward to working with you to improve the project.

Best,



Daniel Miessler
OWASP IoT Project Leader
Daniel.Miessler at owasp.org
