E
E
Embedded Application Security Best Practices
Search…
Embedded Application Security Best Practices
What are Embedded Systems?
Buffer and Stack Overflow Protection
Injection Prevention
Firmware Updates and Cryptographic Signatures
Securing Sensitive Information
Identity Management
Embedded Framework and C-Based Toolchain Hardening
Usage of Debugging Code and Interfaces
Transport Layer Security
Usage of Data Collection and Storage - Privacy
Third Party Code and Components
Threat Modeling
About OWASP
Powered By GitBook
Usage of Data Collection and Storage - Privacy
It is critical to limit the collection, storage, and sharing of both personally identifiable information (PII) as well as sensitive personal information (SPI). Leaked information such as Social Security Numbers can lead to customers being compromised which could have legal repercussions for manufacturers. If information of this nature must be gathered, it is important to follow the concepts of Privacy-by-Design.
Considerations (Disclaimer: The List below is non-exhaustive):
  • Determine which PII/SPI is critical for device operation and if storage of the information required for business and/or operational purpose.
  • Limit the duration of storage time to the shortest amount of time needed for device operation.
  • Ensure the information is stored securely - i.e. in Secure Environment, or protected using strong cryptography.
  • Provide transparency for customers by including details about what information is being collected, stored, and distributed via privacy policies.
  • Provide a mechanism to allow the device owner to perform a factory reset to remove their personal data before transfer to another user or destruction.
  • Consider GDPR for devices that store data in the EU.

Additional References

Previous
Transport Layer Security
Next
Third Party Code and Components
Last modified 3yr ago
Copy link
Contents
Additional References