owasp-iot-top-10
OWASP IoT Top 10
This skill encodes the OWASP IoT Top 10 for secure IoT device and ecosystem design and review. References are loaded per risk. Based on OWASP IoT Top 10 2018.
When to Read Which Reference
| Risk | Read |
|---|---|
| I1 Weak, Guessable, or Hardcoded Passwords | references/i1-weak-passwords.md |
| I2 Insecure Network Services | references/i2-insecure-network-services.md |
| I3 Insecure Ecosystem Interfaces | references/i3-insecure-ecosystem-interfaces.md |
| I4 Lack of Secure Update Mechanism | references/i4-secure-update-mechanism.md |
| I5 Using Insecure or Outdated Components | references/i5-outdated-components.md |
| I6 Insecure Data Transfer and Storage | references/i6-insecure-data-transfer-storage.md |
| I7 Absence of Device Management | references/i7-device-management.md |
| I8 Insecure Default Settings | references/i8-insecure-default-settings.md |
| I9 Lack of Physical Hardening | references/i9-physical-hardening.md |
| I10 Insufficient Privacy Protection | references/i10-privacy-protection.md |
Quick Patterns
- Eliminate default and hardcoded passwords; issue unique per-device credentials (I1).
- Sign updates and verify the signature on the device before installing (I4).
- Minimize exposed network services and open ports (I2).
- Encrypt data in transit and at rest (I6).
- Support the full device lifecycle, including decommissioning (I7).
- Harden the device physically (I9) and protect user privacy (I10).
Quick Reference / Examples
| Task | Approach |
|---|---|
| Eliminate default passwords | Generate a unique credential per device at manufacturing; force a password change on first use. See I1. |
| Secure updates | Sign firmware, verify the signature on-device before writing to flash, enforce anti-rollback so a signed but older (vulnerable) image is rejected, and keep a known-good slot for recovery. See I4. |
| Minimize attack surface | Disable unused services, close unnecessary ports. See I2. |
| Encrypt data | TLS with certificate validation for transit; authenticated encryption (e.g. AES-GCM) for storage; keys in a secure element or hardware-backed keystore. See I6. |
| Physical hardening | Disable or authenticate debug interfaces (JTAG/UART), add tamper detection. See I9. |
Safe - firmware signature verification (pseudocode):
```c
// ed25519_verify stands in for the crypto library's detached-signature check
// and returns true only on a valid signature
bool verify_firmware(const uint8_t *firmware, size_t len,
                     const uint8_t *signature) {
    // VENDOR_PUBLIC_KEY lives in immutable storage (ROM/OTP), never inside
    // the update image, so an attacker cannot ship a key that verifies their own image
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only write to flash after verify_firmware() returns true; verify the complete
// staged image first, not while streaming it into flash
```
Unsafe - no update verification:
```c
void install_firmware(const uint8_t *firmware, size_t len) {
    flash_write(firmware, len); // No signature check - accepts any image, including an attacker's
}
```
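The pseudocode above shows only the signature call. As an added example (not code from this page or the yariv1025/skills repository), the following Go program carries the whole I4 row through end to end: the vendor signs a small manifest, and the device checks format, signature, anti-rollback and the full-image digest, in that order, before anything touches flash. Go is used because its standard library ships Ed25519, so the block runs offline. The manifest layout (4-byte version, SHA-256 of the image, 64-byte Ed25519 signature) and the `Device` type are constructed for this example and are not a real vendor format; the keys are generated on the spot as a stand-in for a vendor's offline signing key and the public key burned into the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout, constructed for this example (not a real vendor format):
//   4-byte big-endian version | 32-byte SHA-256 of the image | 64-byte Ed25519 signature
// The signature covers version||digest, so a large image can be hashed in a
// streaming fashion while the part that is signed stays small.
const (
	sigOffset   = 4 + sha256.Size
	manifestLen = sigOffset + ed25519.SignatureSize
)

var (
	ErrFormat       = errors.New("malformed manifest")
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("version not newer than installed version")
	ErrDigest       = errors.New("image digest does not match manifest")
)

// Device models on-device state: the vendor public key burned into immutable
// storage, the monotonic installed-version counter, and the flash contents.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
	Flash            []byte
}

// BuildManifest is the vendor-side signing step; the private key never
// leaves the vendor's signing infrastructure.
func BuildManifest(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	digest := sha256.Sum256(image)
	copy(m[4:sigOffset], digest[:])
	copy(m[sigOffset:], ed25519.Sign(priv, m[:sigOffset]))
	return m
}

// Install is the device-side check in the order that matters: format,
// signature, anti-rollback, full-image digest, and only then a flash write.
// Any failure leaves the device state untouched.
func (d *Device) Install(manifest, image []byte) error {
	if len(manifest) != manifestLen {
		return ErrFormat
	}
	signed, sig := manifest[:sigOffset], manifest[sigOffset:]
	if !ed25519.Verify(d.VendorKey, signed, sig) {
		return ErrBadSignature
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= d.InstalledVersion {
		return ErrRollback // a signed but older image is still a downgrade attack
	}
	digest := sha256.Sum256(image)
	if !bytes.Equal(digest[:], signed[4:]) {
		return ErrDigest
	}
	d.Flash = append([]byte(nil), image...)
	d.InstalledVersion = version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's offline signing key
	if err != nil {
		panic(err)
	}
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, InstalledVersion: 5}
	image := []byte("constructed firmware image v6")

	fmt.Println("genuine v6:    ", dev.Install(BuildManifest(priv, 6, image), image))
	fmt.Println("replay v6:     ", dev.Install(BuildManifest(priv, 6, image), image))
	fmt.Println("tampered image:", dev.Install(BuildManifest(priv, 7, image), []byte("backdoored")))
	fmt.Println("attacker key:  ", dev.Install(BuildManifest(attacker, 7, image), image))
	fmt.Println("installed version:", dev.InstalledVersion)
}
```

The ordering is deliberate: the signature is checked before the version is trusted (an unsigned version field is attacker-controlled), the version is compared before the expensive full-image hash, and the flash write and counter update happen together only after every check passes. Rollback protection here is a monotonic counter; on real hardware it belongs in OTP fuses or a secure element so a physical attacker cannot reset it.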
Unique per-device credentials (manufacturing):
```python
# During manufacturing, generate and store a unique credential per unit.
import secrets

# 16 random bytes (128 bits of entropy) from the OS CSPRNG; never derive the
# credential from the MAC address, serial number or a vendor-wide secret
device_password = secrets.token_urlsafe(16)

# store_in_secure_element() and device_id are placeholders for the vendor's
# provisioning tooling, which writes the credential to the device's secure
# element or hardware-backed keystore. The backend keeps only a password hash.
store_in_secure_element(device_id, device_password)
```
Workflow
Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.