ontheway
Newcomer I

Embedded Device/System secure development

Hi, community,

I am working on an SDLC audit for an IoT/embedded system development process. The primary focus is on the secure software development process. I cannot really find many resources for guidance. Any suggestions/recommendations for guideline resources or an outline of an audit program?

Thank you,


 

5 Replies
CraginS
Defender I


@ontheway wrote:

I am working on an SDLC audit for an IoT/embedded system development process. The primary focus is on the secure software development process. I cannot really find many resources for guidance. Any suggestions/recommendations for guideline resources or an outline of an audit program?


Steve,

Mine the website of the Industrial Internet Consortium, a relatively new international organization that is focusing specifically on the security of IoT. I think you will find resources there to guide your audit plan development.

Good luck! You are working in an extremely important area.

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
ontheway
Newcomer I

Thank you, Dr. Shelton. That is a good resource repository. Going through them gives me some good reference points.

Caute_cautim
Community Champion

@ontheway

Just finished a lecture on the subject to the other group, you know, the one called "ISACA".

Here is a list of my references:

 

Bruce Schneier has been collecting them, and in your case I think the OWASP Internet of Things working group and their testing regime and guidance will be useful to you.

It is a fast-moving world, i.e. an ARM9 chip has two gigabit Ethernet connections; imagine what chaos that could cause. Plus you need to think about protocols and bandwidth, plus interference with other surrounding devices; the modulation used can cause widespread consequences too, especially if Wireless Power Transfer (WPT) is involved as well. The world cannot agree on standards at the moment; it could take a few more years before this occurs.

 

Happy to discuss more.

 

Regards

 

Caute_cautim
Caute_cautim
Community Champion

Another update:

https://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm

The US Food and Drugs Association (FDA) has released some guidance as well.

 

We need more standards, guidance and possibly legislation.

 

Regards

 

Caute_cautim

 

ontheway
Newcomer I

Thank you all for the information. Always great to be supported by the community.

So we finished the audit. We were looking into industrial embedded control systems or IoT. Interestingly, this area appears to be a wild west without many standards or frameworks. One framework we noted (in addition to what everyone already mentioned above) is BSIMM (Building Security In Maturity Model), https://www.bsimm.com/. They are trying to be a comprehensive maturity model, which is gaining acceptance.

I am also finding ISC(2)'s CSSLP curriculum very helpful for this subject.

Hope this thread continues to be updated and be helpful to everyone who is interested in this subject.