owasp / owasp-istg Goto Github PK

The IoT Security Testing Guide (ISTG) provides a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results.

Home Page: https://owasp.org/www-project-iot-security-testing-guide/

License: Creative Commons Attribution Share Alike 4.0 International

Python 96.64% Shell 3.36%

iotsecurity penetration-testing security-testing embedded-security testing-framework compliancy-checklist istg assurance checklist security

owasp-istg's Introduction

OWASP IoT Security Testing Guide

The OWASP IoT Security Testing Guide provides a comprehensive methodology for penetration tests in the IoT field offering flexibility to adapt innovations and developments on the IoT market while still ensuring comparability of test results. The guide provides an understanding of communication between manufacturers and operators of IoT devices as well as penetration testing teams that’s facilitated by establishing a common terminology.

Security assurance and test coverage can be demonstrated with the overview of IoT components and test case categories applicable to each below. The methodology, underlying models, and catalog of test cases present tools that can be used separately and in conjunction with each other.

Introduction
IoT Security Testing Framework

2.1. IoT Device Model

2.2. Attacker Model

2.3. Testing Methodology
Test Case Catalog

3.1. Processing Units (ISTG-PROC)

3.2. Memory (ISTG-MEM)

3.3. Firmware (ISTG-FW)

3.3.1. Installed Firmware (ISTG-FW[INST])

3.3.1. Firmware Update Mechnanism (ISTG-FW[UPDT])

3.4. Data Exchange Services (ISTG-DES)

3.5. Internal Interfaces (ISTG-INT)

3.6. Physical Interfaces (ISTG-PHY)

3.7. Wireless Interfaces (ISTG-WRLS)

3.8. User Interfaces (ISTG-UI)

Related Work

The concepts, models and test steps presented in the OWASP IoT Security Testing Guide are based on the master's thesis "Development of a Methodology for Penetration Tests of Devices in the Field of the Internet of Things" by Luca Pascal Rotsch.

Test cases were derived from the following public sources:

OWASP "Web Security Testing Guide"
OWASP "Firmware Security Testing Methodology"
OWASP "Mobile Security Testing Guide"
"IoT Pentesting Guide" by Aditya Gupta
"IoT Penetration Testing Cookbook" by Aaron Guzman and Aditya Gupta
"The IoT Hacker's Handbook" by Aditya Gupta
"Practical IoT Hacking" by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, and Beau Woods
further sources are referenced in the respective test cases

We also like to thank our collaborators and supporters (see Project Collaborators and Acknowledgements)!

owasp-istg's People

Contributors

Stargazers

Watchers

Forkers

xhoenix falcnix marti-pu websecresearch sayeh-1337 mhepekiz akashtalole

owasp-istg's Issues

Bootloader Test Cases

A bootloader section would provide test case coverages at lower lever components that create chains of trust that secure devices at boot and their identity

Create ISTG cover art and align on look/feel with MSTG where possible

MSTG is a mature flagship OWASP project with a large following and a steady flow of contributors maintaining the guide. Until ISTG has a similar maturity and following, it'll be challenging to keep up with MSTG. Although, we should aim to align where it make sense and build relationships with testing guide project leaders for support.

Observations and opportunities to align

ISTG should have a similar cover to MSTG's
GitHub pages theme (material) should be similar
Add a download link to the checklist and other formats like PDF
Input validation category abbreviation detailed in #4

Overview of Data Exchange Services (ISTG-DES) identical to Memory (ISTG-MEM)

The Overview section of Data Exchange Service is identical to Memory.
Seems like there happend a copy-paste mistake.

DES:
https://github.com/OWASP/owasp-istg/blob/main/src/03_test_cases/data_exchange_services/README.md#overview

MEM:
https://github.com/OWASP/owasp-istg/blob/main/src/03_test_cases/memory/README.md#overview

Change title of IOT-MEM-INFO-001 and IOT-FW-INFO-001?

I received feedback regarding the test case "Disclosure of Source Code" (IOT-MEM-INFO-001, IOT-FW-INFO-001). It might be confusing that only source code is mentioned in the title while the section "Test Objectives" also refers to binary files.

Suggested solution: Change the title to better reflect the test objectives, e.g., "Disclosure of Source Code and Binaries".

@scriptingxss: What's your opinion on this matter?

Test Dependencies

Test cases in Physical Interface, Wireless Interface, and User Interface are based on test cases in Firmware and Data Exchange Service.
Does "based on" mean that these tests (e.g. ISTG-FW-INFO-002) have to be performed prior to performing the interface test (e.g. ISTG-PHY-INFO-001)?

If yes, this is not ideally represented in this Table. An example: Wireless Interface test can be conducted with physical access level PA-2, while the firmware might not be available with PA-2. However, Wireless Interface tests are based on Firmware tests.

Thanks for clarification!
Best, Martin

ATT&CK ICS, D3FEND & ISTG

Folks have asked about relation to adjacent frameworks like ATT&CK ICS, D3FEND (links below) and overlap of them with ISTG.

https://attack.mitre.org/techniques/ics/
https://attack.mitre.org/matrices/ics/
https://d3fend.mitre.org/

Curious if the project has a perspective to share and if there are opportunities to partner or collaborate on mappings in the future?

ISTG abbreviates the input validation category with INVAL e.g. IOT-DES-INVAL.
WSTG abbreviates using INPV e.g. WSTG-INPV-01
MASTG inherits MASVS abbreviations with MASVS-CODE-4 for input validation and testing for injection