Last Updated on March 16, 2023
If you’re charged with testing Internet of Things (IoT) devices or systems, we feel your pain. As the IoT explodes in diversity and complexity, IoT solutions often evolve into multi-component ecosystems with webs of potential connections. How do you even begin verifying whether an IoT solution is secure, let alone develop a comprehensive testing plan? What standards and best practices might be applicable? What level of security do we need? How do we demonstrate security to stakeholders? Has anyone passed this way before and maybe… left a trail of breadcrumbs…?
Fortunately, the OWASP Foundation is here to help, with its new Internet of Things Security Verification Standard (ISVS).
To give us a sneak peek into the soon-to-be-released ISVS, including what it covers and how best to use it, we invited Aaron Guzman, OWASP IoT project lead and product security lead for Cisco Meraki, to join a recent episode of The Virtual CISO Podcast.
“OWASP stands for Open Web Application Security Project,” says Aaron. “They started in the early 2000s. It’s a not-for-profit, and they have chapters regionally around the world.”
“The goal of OWASP is essentially to put out software security guidance, tools and resources,” Aaron continues. “With the chapters regionally, they have community networking events, though right now it’s a little bit challenging [with COVID]. They’ve also started providing trainings and educational courses just recently.”
“So there’s some good stuff coming from OWASP,” adds Aaron. “And I can give a lot of credit to OWASP for where I’m at [professionally]. I’ve gotten so many opportunities and jobs from attending OWASP meetings here in Los Angeles, where I was on the board for five years, and from going to the global conferences as well.”
“The content that OWASP puts out is pretty authoritative in software security,” Aaron states. “And that’s one of the reasons why the ISVS is a great platform. People are familiar with the OWASP name. If you’re in application security—or anything security, really… Or if you’re a developer who’s been handed a task to be able to remediate or fix a vulnerability, you’ve likely looked up OWASP in some way, shape or form.”
“I look at OWASP as being the foremost authority on all things application security,” shares podcast host John Verry, Pivot Point Security’s CISO and Managing Partner. “What I love about it is its open, trusted standards, and that it’s largely volunteer led. Most of the OWASP folks are like you—they’re people who have day jobs. And they’re doing this because they love it and because they’re trying to make the world a better place.”
“Software runs the world, and if software’s insecure we’re all insecure. So that’s OWASP and it’s a fantastic organization,” John summarizes.
If you’re responsible for IoT security on any level, don’t miss this show with Aaron Guzman.
To listen to the full episode, click here. If you don’t use Apple Podcasts, you’ll find all of our podcast episodes here.
IoT Security Roadmap
Proving Your IoT Is Secure & Compliant is Less Complex than You Think
In our IoT Security Roadmap we go into detail on how to execute each step of our process.
Download our IoT Security Roadmap now!