OWASP Embedded Application Security

= Main =  {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Embedded Application Security Project
Each year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is essential to create secure coding guidelines for embedded software. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.

Introduction
Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview
The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.2.jar.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

Happy Encoding!

Licensing
The OWASP Java Encoder is free to use under the New BSD License.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is this?
The OWASP Java Encoder provides:


 * Output Encoding functions to help stop XSS
 * Java 1.5+ standalone library

Important Links
Java Encoder at GitHub Issue Tracker

Mailing List
Java Encoder Mailing List

Project Leaders
Author: Jeff Ichnowski [mailto:jeff.ichnowski@gmail.com @] Jim Manico [mailto:jim.manico@owasp.org @] Jeremy Long [mailto:jeremy.long@owasp.org @]

Related Projects

 * XSS (Cross Site Scripting) Prevention Cheat Sheet
 * OWASP Java HTML Sanitizer Project
 * OWASP JSON Sanitizer
 * OWASP Dependency Check
 * Sourceclear Headlines
 * Google KeyCzar
 * Apache SHIRO


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * encoder-1.2.jar
 * encoder-jsp-1.2.jar

News and Events

 * [18 July 2016] New Project Template

In Print
We will be releasing a user guide soon!

Classifications

 * }

= Best Practices =


 * Prevent the use of dangerous functions and APIs in efforts to protect against memory-corruption vulnerabilities inside firmware functions.
 * Ensure secure compiler flags or switches are utilized upon each firmware build. (i.e For GCC -fPIE, -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap etc..)
 * Ensure robust update mechanisms utilize cryptographically signed firmware images for updating functions.
 * Do not hard code secrets such as passwords, usernames, tokens or similar variants into firmware images.
 * Dispose and securely wipe sensitive information stored in buffers or temporary files during runtime after they are no longer needed (e.g. Wipe buffers from locations where personal identifiable information is stored before releasing the buffers)
 * Modify Busybox and embedded frameworks alike to only libraries and functions that are being used. (e.g. Remove unused languages like perl and services such as Telnet, FTP etc)
 * Validate all debugging and pre-production code have been removed prior to firmware deployment.
 * Ensure all methods of communication are utilizing industry standard encryption configurations for TLS.
 * Limit collection, storage, and sharing of personal identifiable information (PII) to items that are only required for operation.
 * Ensure kernel and software packages on embedded images are updated to prevent from known publicly available exploits.

= Roadmap =

2016-2017 Roadmap

 * Add decoders and canonicalization
 * Build more complex examples