OWASP Embedded Application Security

Jump to: navigation, search

Incubator big.jpg

OWASP Embedded Application Security Project

Every year the prevalent use of embedded software within enterprise and consumer devices continues to rise exponentially. With widespread publicity of the IoT, more and more devices are becoming network connected evidencing how essential it is to create secure coding guidelines for embedded software. Embedded Application Security is often not a high priority for embedded developers when they are producing devices such as Routers, Managed Switches, Medical Devices, IoT devices, and ATM Kiosks due to other challenges outside of development. Other challenges developers face may include but are not limited to the ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to create a list of best practices, provide practical guidance to embedded developers, and to draw on the resources that OWASP already has to bring application security expertise to the embedded world. Given the prevalence of Linux kernels utilized within embedded devices, all code examples are geared towards a POSIX environment but the principals are designed to be platform agnostic.

Mailing List

Embedded Sec Mailing List

Project Leaders

Aaron Guzman @
Alex Lafrenz @

Related Projects

News and Events

  • [18 July 2016] New Project Template

In Print

We will be releasing a user guide soon!


Owasp-incubator-trans-85.png Owasp-builders-small.png
Project Type Files DOC.jpg

Draft-The items below are subject to change


Release Notes

Risk Involved

Top 10

E1 – Memory Protections

E2 – Injection Prevention

E3 – Firmware Updates and Cryptographic Signatures

E4 – Usage of Secrets and Keys

E5 – Identity Management

E6 – Embedded Framework Hardening

E7 – Usage of Debug Code and Interfaces

E8 – Transport Layer Security

E9 – Data collection Usage and Storage - Privacy

E10 – Third Party Code and Components

Note on Hardware

Get Involved

  • Angr - [1]
  • Firmadyne [2]
  • Firmwalker [3]
  • Binary Analysis [4]
  • Flaw Finder [5]
  • IDA Pro (supports ARM / MIPS)
  • Radare2 [6]
  • GDB
  • Binwalk [7]
  • Firmware-mod-toolkit [8]
  • Capstone framework [9]
  • Shikra [10]
  • JTagulator [11]
  • UART cables
  • JTAG Adapters (JLINK)
  • BusPirate
  • BusBlaster
  • CPLDs (in lieu of FPGAs)
  • Oscilloscopes
  • Multimeter (Ammeter, Voltmeter, etc)
  • Logic Analyzers for SPI [12]
  • OpenOCD
  • GreatFET [13]

2016-2017 Roadmap

  • Curate a list of embedded secure coding best practices.
  • Create a Top 10 Embedded Application Security list.
  • Participate in PR-related activities to involve the embedded community at large.
  • Contribute to ASVS with embedded security principles

Feel free to join the mailing list and contact the Project leader if you feel you can contribute.