Embedded Application Security Best Practices
OWASP Embedded Application Security Project Wiki Page
Thank you for your interest in the OWASP Embedded Application Security Project. This is the development version of the OWASP Embedded Application Security Best Practices Guide, and will be converted into PDF & MediaWiki for publishing when complete.
This document was put together by the collaborative efforts of developers, engineers, and hobbyists with the sole purpose of assisting manufacturers produce embedded devices with security in mind. A special "thank you" is due to all those who have contributed (see below) as well as those who continue to see this project evolve. It is our goal that this document will provide a detailed technical pathway for manufacturers to build secure devices for an increasingly insecure world. This is considered a "living" document as it is open to feedback and further collaboration, please contact the project leaders with any feedback you may have.
Made possible by contributions from:
- Jim Manico
- Benjamin Samuels
- Janet Kulp
For a pleasant reading experience, use GitBook to turn this document into a PDF, e-book, website, etc.
You do not have to be a security expert in order to contribute!
Some of the ways you can help:
- Technical editing
- Graphic design
- Code snippets in your favorite language
- Translate guidance material
Feel free to sign up for a task out of our roadmap below or add your own idea to the roadmap. To get started, create a GitBook account or sign in with your Github credentials to add comments and make edits. All changes are tracked and synced to https://github.com/scriptingxss/embeddedappsec. Alternatively, clone the Github repo, use your favorite markdown editor, apply/make your edits, and submit a pull request. Feel free to contact the project leaders for ways to get involved.
Introductory Embedded Section
- [x] Expand on what embedded firmware is (8,16,32 bit, minimal hardware resources, list embedded use cases and industries)
- [x] Describe types of architectures (MIPS, ARM, PowerPC, x86 etc.)
- [x] Describe types of firmware and operating systems
- [ ] Layout of firmware for embedded linux, RTOS, and Embedded Window
Expand on embedded best practices
- [ ] Secure boot recommendations
- [x] U-boot
- [x] Create examples of software bill of materials (BOM)
- [x] Additional example programming language command injection system calls or APIs
- [ ] Break out subsections for each of the platforms with contextual guidance and configurations
- [ ] Expand on hardening for:
- [ ] Embedded Linux
- [ ] RTOS (QNX/MQX)
- [ ] Best practices/considerations for PKI in embedded systems
Create example embedded application security requirements for new products
- [ ] Integrate with ASVS or create an EASVS (Embedded Application Security Verification Standard)
- [ ] Integrate with the IoT project
Join the mailing list, slack channel and contact the Project leaders if you feel you can contribute.
Alex Lafrenz @zerofrenz