Last Updated on March 16, 2023
If you’re involved with cybersecurity, you’re probably aware of the OWASP Foundation, a leading authority globally on application security. OWASP is famous for its Top 10 and Application Security Verification Standard (ASVS) guidance, among its many significant contributions to our industry.
Most recently, the folks at OWASP have tackled Internet of Things security, with the new IoT Security Verification Standard (ISVS).
To discover what the ISVS is all about, including what it covers, how it’s organized and how best to use it, we interviewed Aaron Guzman, OWASP IoT project lead and product security lead for Cisco Meraki, on a recent episode of The Virtual CISO Podcast.
Aaron explains: “The ASVS folks reached out to us a couple of years ago with their last release for an IoT section. OWASP has a few different verification standards and ASVS is one of the flagships. There’s also the OWASP Mobile Application Security Verification Standard (MASVS) and now we have a Software Component Verification Standard (SCVS).”
“One of the goals of our project is to be one of those references, and to be that kind of open standard that folks follow for a number of reasons and a number of uses, like being able to have a security by design framework from the get-go when you’re designing products, and once a product is already in the field,” continues Aaron.
“The ISVS is really intended for everyone from product managers to product security teams to assessors like penetration testers or even security architects.”
“Another of the main goals when we were developing the standard was to make sure everything was actionable, measurable, testable… minimal ambiguity,” Aaron adds. “Because that’s where all the other IoT security guidance and standards are—it’s very high-level and it’s easy to say, ‘Oh yes, we do that.’ Or maybe it’s too long and there’s a number of different requirements or testable tasks in there, but it’s not really straight to the point.”
“Like the NIST guidance!” John interjects. “I love NIST and they put out great guidance. But specifically NIST 8228 and NIST 8259—they’re not quite where they need to be for somebody like us to look at this and say, ‘Ok how do we test this?’ And I think it would be the same for somebody who’s asking, ‘How do I design and build something so it’s going to be secure when it gets out in the field?’”
Aaron mentions that the ISVS references and incorporates direct input from NIST, as well as from the European Union Agency for Cybersecurity (ENISA) and other industry stakeholders.
“Even with the CSA IoT Controls Framework documents—we use them both and we reference them both,” notes Aaron. “We try to ensure that where possible we reference other standards, not only for web and mobile but even for cryptography. We highlight the most important areas and reference where it makes sense.”
If you need to validate security for IoT devices or solutions, you’ll find this show with Aaron Guzman extremely valuable.