OWASP Embedded Application Security

= Main =  {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Embedded Application Security Project
Each year, embedded software within enterprise and consumer devices continue to be on the rise. Given the publicity with IoT and more devices becoming network connected, it is essential to create secure coding guidelines for embedded software. Embedded Application Security is often not thought of as a high priority for embedded devices such as Routers, Managed Switches, Medical Devices, IoT devices, and ATM Kiosks by device manufactures. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to create a list of best practices, provide practical guidance to embedded developers, and to draw on the resources that OWASP already has to bring application security expertise to the embedded world.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Mailing List
Embedded Sec Mailing List

Project Leaders
Aaron Guzman [mailto:aaron.guzman@owasp.org @] Alex Lafrenz [mailto:alex.lafrenz@owasp.org @]

Related Projects

 * OWASP Internet of Things Project
 * C-Based Toolchain Hardening
 * OWASP Mobile Security Project


 * valign="top" style="padding-left:25px;width:200px;" |

News and Events

 * [18 July 2016] New Project Template

In Print
We will be releasing a user guide soon!

Classifications

 * }

= Embedded Best Practices =

The Working Document can be found here (Google Docs) https://docs.google.com/document/d/1NxpVCeiglY1wHhmw7U-e9jnHgd-jQI-Y6sbdeKzUpQE/edit?usp=sharing

= Table of Contents =

Draft-The items below are subject to change

Get Involved
= Embedded Device Firmware Analysis Tools =


 * Angr -
 * Firmadyne
 * Firmwalker
 * Binary Analysis
 * Flaw Finder
 * IDA Pro (supports ARM / MIPS)
 * Radare2
 * GDB
 * Binwalk
 * Firmware-mod-toolkit
 * Capstone framework
 * Shikra
 * JTagulator
 * UART cables
 * JTAG Adapters (JLINK)
 * BusPirate
 * BusBlaster
 * CPLDs (in lieu of FPGAs)
 * Oscilloscopes
 * Multimeter (Ammeter, Voltmeter, etc)
 * Logic Analyzers for SPI
 * OpenOCD
 * GreatFET

= Roadmap =

2016-2017 Roadmap

 * Curate a list of embedded secure coding best practices.
 * Create a Top 10 Embedded Application Security list.
 * Participate in PR-related activities to involve the embedded community at large.
 * Contribute to ASVS with embedded security principles

Feel free to join the mailing list and contact the Project leader if you feel you can contribute.