Change title of IOT-MEM-INFO-001 and IOT-FW-INFO-001?

OWASP / owasp-istg

The IoT Security Testing Guide (ISTG) provides a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results.

https://owasp.org/www-project-iot-security-testing-guide/

Creative Commons Attribution Share Alike 4.0 International

89 stars 9 forks source link

Change title of IOT-MEM-INFO-001 and IOT-FW-INFO-001? #7

Closed rockhoppersec closed 7 months ago

rockhoppersec commented 9 months ago

I received feedback regarding the test case "Disclosure of Source Code" (IOT-MEM-INFO-001, IOT-FW-INFO-001). It might be confusing that only source code is mentioned in the title while the section "Test Objectives" also refers to binary files.

Suggested solution: Change the title to better reflect the test objectives, e.g., "Disclosure of Source Code and Binaries".

@scriptingxss: What's your opinion on this matter?

scriptingxss commented 7 months ago

Great piece of feedback @rockhoppersec! I can see how there would be confusion for these test case objectives. Changing the title might be more inclusive so I think your suggestion solution works.

Somewhat related to these test cases - do we have an objective that analyzes compiled binaries build flags for PIE/ASLR, NX, etc. that aid in decompilation strategies for reversing?

rockhoppersec commented 7 months ago

Changed the title in https://github.com/OWASP/owasp-istg/commit/a041dc6035ddbcb799a83533a0e8a09506fa1f12.

Regarding the build flags, I think this is beyond the current level of detail. However, we should keep it in mind for later, more detailed versions of the ISTG.

Moved to: https://github.com/OWASP/owasp-istg/issues/8