
2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman
Explicit content warning
01/22/19 • 46 min
intro
CFP for Bsides Barcelona is open! https://bsides.barcelona
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP SLACK: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so... list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
2018 list:
- I1 Weak, Guessable, or Hardcoded Passwords
- I2 Insecure Network Services
- I3 Insecure Ecosystem Interfaces
- I4 Lack of Secure Update Mechanism
- I5 Use of Insecure or Outdated Components
- I6 Insufficient Privacy Mechanisms
- I7 Insecure Data Transfer and Storage
- I8 Lack of Device Management
- I9 Insecure Default Settings
- I10 Lack of Physical Hardening
2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
2014 list:
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP SLACK: https://owasp.slack.com/
What didn’t make the list? How do we get Devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeart...