Last Updated on June 29, 2021
If you’re involved in information security, especially as a developer, you’ve likely come across the OWASP Foundation, a leading provider of web application security guidance.
OWASP is poised to release its Internet of Things (IoT) Security Verification Standard (ISVS)—a groundbreaking document geared to help everyone involved in IoT security, from designers to security architects to product managers to developers to testers.
How does the ISVS compare with existing IoT security guidance, especially the Cloud Security Alliance’s IoT Security Controls Framework? When should you use one of these standards versus the other?
We got answers to those questions and many more from a leader on both projects on a recent episode of The Virtual CISO Podcast: Aaron Guzman, OWASP IoT project lead, CSA IoT Working Group co-chair and product security lead at Cisco Meraki.
“I feel like the CSA IoT Controls Framework is like a ‘FedRAMP for IoT,’” describes Aaron. “There are many different stakeholders. You have privacy, you have safety. You have the Site Reliability Engineering (SRE) infrastructure folks, the network folks. It’s really a holistic program. And how you go about applying those controls into your enterprise IoT program.”
“As opposed to ISVS, which is a little bit more drilled in; a little bit more focused… Well, it’s a lot more focused on, again, measurements,” Aaron notes. “How can you test whether this is in use or not? And even at a higher level, some of it’s a binary yes or no. There are some more specific requirements that go into a bit more detail, and we provide some examples.”
“I’m sure there are some CISOs out there who manage FedRAMP programs and some of the requirements there,” Aaron continues. “You have to read between the lines and really try to make sense of it.”
“Not to say that the IoT Controls Framework is something like that—but it’s more just at a program high level with a lot more stakeholders involved. It’s not something that’s meant to be testable from a pen tester perspective or an assessment. It’s from an architect level; how you’re going to build things,” Aaron states.
Podcast host John Verry, Pivot Point Security’s CISO and Managing Partner, compares that split with two recent NIST publications on IoT: NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, and NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
“NIST 8228 is more high-level guidance, right?” observes John. “And NIST 8259 drills it down to the next level. It sounds like you could use the CSA guidance to build your IoT development program, encompassing all the various areas of interest and objectives and outcomes that you might want. And then you could use the ISVS more specifically to give some more directly actionable guidance to your developers and testers?”
“Also, [in the ISVS] there are really no process requirements outside of threat modeling, and in the first chapter there is a little bit of process requirements in there,” adds Aaron. “But there’s certainly a lot within the CSA IoT Controls Framework. Those are a little bit difficult to test or to just see if you have that process in place…”
Anyone with a role in IoT security will appreciate this podcast with Aaron Guzman.