OWASP Internet of Things


The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project defines a structure for its IoT sub-projects, which are grouped into three categories: Seek & Understand, Validate & Test, and Governance. Right now, you can find the following active and upcoming OWASP Internet of Things projects:

Seek & Understand

Project: IoT Top 10
Leader(s): Daniel Miessler, Aaron Guzman, Vishruta Rudresh, Craig Smith
Description: IoT Top 10 2018. Top ten things to avoid when building, deploying or managing IoT systems.

Project: IoT Top 10 Mapping Project
Leader(s): Aaron Guzman, José A. Rivas
Description: IoT Top 10 2018. Provides mappings of the OWASP IoT Top 10 2018 to industry publications and sister projects.

Project: IoTGoat
Leader(s): Aaron Guzman, Fotios Chantzis, Paulino Calderon
Description: IoTGoat is a deliberately insecure firmware based on OpenWrt. The project's goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project. IoTGoat is expected to be released in 2020.

Validate & Test

Project: Firmware Analysis Project
Leader(s): Craig Smith
Description: The Firmware Analysis Project provides security testing guidance for vulnerabilities in the "Device Firmware" attack surface; steps for extracting file systems from various firmware files; guidance on searching a file system for sensitive or interesting data; information on static analysis of firmware contents; information on dynamic analysis of emulated services (e.g. a web admin interface); testing tool links; and a site for pulling together existing information on firmware analysis.

Project: Firmware Security Testing Methodology (FSTM)
Leader(s): Aaron Guzman
Description: FSTM. The Firmware Security Testing Methodology is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.
GitHub: https://github.com/scriptingxss/owasp-fstm

Project: ByteSweep
Leader(s): Matt Brown
Description: ByteSweep is a Free Software IoT security analysis platform. This platform will allow IoT device makers, large and small, to conduct fully automated security checks before firmware is shipped.

Governance

Project: Catalogue of IoT regulatory policies and Certifications
Leader(s): TBD
Description: TBD

Not what you are looking for? Please have a look at the Internet of Things Page Archive.

Want to start a new IoT security project? Follow https://www.owasp.org/index.php/Category:OWASP_Project#Starting_a_New_Project or contact one of the leaders of the active projects.
