Thank you for your interest in the OWASP Embedded Application Security Project. This is the development version of the OWASP Embedded Application Security Best Practices Guide, and will be converted into PDF & MediaWiki for publishing when complete.
This document was put together by the collaborative efforts of developers, engineers, and hobbyists with the sole purpose of assisting manufacturers in producing embedded devices with security in mind. A special "thank you" is due to all those who have contributed (see below) as well as those who continue to help this project evolve. It is our goal that this document will provide a detailed technical pathway for manufacturers to build secure devices for an increasingly insecure world. This is considered a "living" document, as it is open to feedback and further collaboration; please contact the project leaders with any feedback you may have.
Made possible by contributions from:
For a pleasant reading experience, use GitBook to turn this document into a PDF, e-book, website, etc.
You do not have to be a security expert in order to contribute!
Some of the ways you can help:
Code snippets in your favorite language
Translate guidance material
Feel free to sign up for a task from our roadmap below or add your own idea to the roadmap. To get started, create a GitBook account or sign in with your GitHub credentials to add comments and make edits. All changes are tracked and synced to https://github.com/scriptingxss/embeddedappsec. Alternatively, clone the GitHub repo, use your favorite markdown editor, make your edits, and submit a pull request. Feel free to contact the project leaders for ways to get involved.
Introductory Embedded Section
Layout of firmware for embedded Linux, RTOS variants, and Embedded Windows
Expand on embedded best practices
Secure boot recommendations
Break out subsections for each of the platforms with contextual guidance and configurations
Expand on hardening for:
Best practices/considerations for PKI in embedded systems
Provide a threat model example for embedded devices
Include automated scanning examples
Provide detailed best practices for identity management
Create example embedded application security requirements for new products
Integrate with ASVS or create an EASVS (Embedded Application Security Verification Standard)
Integrate with the IoT project
Join the mailing list and Slack channel, and contact the project leaders if you feel you can contribute.
Alex Lafrenz @zerofrenz