One of the biggest discussions as new technologies are evolving is the issue of cybersecurity. In a world where everyone is interconnected and mobile applications practically run our everyday lives, how do you keep users protected from hackers?
Such problems are magnified when we turn to IoT tech, which by definition joins numerous devices together and enables them to run without human monitoring, sometimes even giving them access to data that is not usually captured by smartphones or computers. The OWASP project has identified the lacuna in our vigilance and is preparing another list, specifically dedicated to IoT vulnerabilities.
OWASP community currently reviewing IoT top 10 list
The OWASP community is a constant in the cybersecurity world since it started out in 2001 – most notably through its flagship OWASP Top 10 Most Critical Web Application Security Risks project that was first published in 2003. These include common attacks like SQL injection, cross-site scripting and RFI.
Web application cybersecurity tools, like a Web Application Firewall, are often evaluated on their defensive capabilities by referring to the list. A WAF in particular can protect web applications from all OWASP Top 10 risks and zero-day threats. The OWASP Top 10 IoT is a specialised list that only examines risks and vulnerabilities that are of particular concern to IoT devices.
IoT presents a prime opportunity for hackers to launch tailored attacks to a variety of different types of targets, so exploring the most important is a great aid to IoT professionals as the industry moves forward. The OWASP IoT Top 10 was not considered a priority by the community lately, as the OWASP crowd focused on their new umbrella project. The list had not been updated since 2014, but the IoT world has seen so many changes since then that the community behind the project began to understand how imperative it was to examine the issue.
Weak passwords top draft list
Currently, the OWASP IoT Project is exploring the options for its Top 10 list with the intention of issuing a reviewed and updated version within 2018. The draft version includes weak and hardcoded passwords at the top of the list, followed by insecure network services and protocols, and insecure access interfaces at spots 2 and 3. Outdated or insecure software components and libraries stand at 4th place, followed by lack of the ability to update securely at 5th and lack of adequate privacy protection on 6th place.
Insecure data transfer and storage, lack of physical anti-tampering defenses, insufficient capabilities to secure the device through configuration, and lack of security support complete the top 10. The developers of the list focused on simplicity and practical concerns, as well as diversification of input sources by reaching out to people across the industry. They are still reviewing the project and since OWASP is an open community, every professional is welcome to chime in, whether by joining one of the scheduled meetups on Slack or through other means.
At the rapid pace that cutting-edge tech adoption is evolving, with networks of smart devices being developed every day, most cybersecurity professionals will concede that we can never be truly 100% safe. But understanding the threats is always the first step to effectively addressing them – and that is why the OWASP project is so important and must be embraced.