Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.
add xrefs to OWASP emb app sec top 10, in response to issue #19 #28
Added references to the OWASP Embedded Application Security Top 10 Best Practices to certain appropriate requirements in the matrix, in response to issue #19. All best practices from the list were attributed to at least one matrix requirement, except for E9. This last one doesn’t seem to have an exact counterpart in the matrix.
The README was also updated to include a reference to the new source.
Additionally, here is a text-diff of the changes to the TCRM XLS:
diff --git a/PRE-MOD_TCRM.csv b/POST-MOD_TCRM.csv
index a6f3174..fb1f65e 100755
--- a/PRE-MOD_TCRM.csv
+++ b/POST-MOD_TCRM.csv
@@ -38,7 +38,9 @@ Authorize access for [Assignment: organization-defined individuals or roles] to:
(a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
(b) [Assignment: organization-defined security-relevant information].
-CTIA ICCTP 5.17 Design-In Features “designed to separate critical functions from non”","Inspection of vendor documentation or a demonstration by the vendor that details how software privileges are assigned in vendor systems. Ensure that principles of least privilege are met.
+CTIA ICCTP 5.17 Design-In Features “designed to separate critical functions from non”
+
+OWASP E5 – Identity Management","Inspection of vendor documentation or a demonstration by the vendor that details how software privileges are assigned in vendor systems. Ensure that principles of least privilege are met.
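Review bot: the truncated CTIA quotation (“designed to separate critical functions from non”) is carried over verbatim into the re-emitted line; since the line is being rewritten anyway, completing the quotation or closing it with an ellipsis would stop it reading as cut off. The E5 (Identity Management) mapping itself fits: this row's verification is about how software privileges are assigned and whether least privilege is met.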
@@ -117,7 +119,9 @@ CTIA ICCTP 5.17 Design-In Features “deny all inbound and outbound network conn
FMCSA GDL 20 Give applications the least privilege they need to function
-FMCSA GDL 21 Where possible, remove code that isn't used",Inspection of vendor documentation asserting that unnecessary software or services are not present or disabled on the device.,Medium,"E.g. this is particularly true of unauthenticated or unencrypted transport services (which would not satisfy protected communication requirements above) such as File Transfer Protocol, telnet, Short Messaging Service, etc.",CM-010 (Protecting Actions on Devices) - All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,No,Yes,Yes,No
+FMCSA GDL 21 Where possible, remove code that isn't used
+
+OWASP E6 – Embedded Framework and C-Based Hardening",Inspection of vendor documentation asserting that unnecessary software or services are not present or disabled on the device.,Medium,"E.g. this is particularly true of unauthenticated or unencrypted transport services (which would not satisfy protected communication requirements above) such as File Transfer Protocol, telnet, Short Messaging Service, etc.",CM-010 (Protecting Actions on Devices) - All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,No,Yes,Yes,No
"Mobile App;
Physical In-Cab Device;
Connectivity/Communications;
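Review bot: the re-emitted CM-010 text keeps a grammatical slip from the original: `remove unnecessary services’ executables or at least disabled such that` should read `... or at least disable them such that`; worth fixing in the same edit since the line is already being rewritten. The E6 mapping is consistent with this row's focus on removing or disabling unneeded services rather than hardening what remains.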
@@ -145,7 +149,9 @@ FMCSA GDL 31 Make sure debugging interfaces (JTAG, serial, USB) have authenticat
FMCSA GDL 54 Disable unnecessary debugging interfaces in production.
-FMCSA GDL 55 Authenticate debugging and diagnostic interfaces.","Inspection of vendor-supplied documentation detailing all service (listening ports or outbound connections) available on deployed devices.
+FMCSA GDL 55 Authenticate debugging and diagnostic interfaces.
+
+OWASP E7 – Usage of Debug Code and Interfaces","Inspection of vendor-supplied documentation detailing all service (listening ports or outbound connections) available on deployed devices.
Ensure that there are no services for test or debug active in the device. Ideally, look for assurances that any test or debug executables cannot be run on the device.",High, Deploying with test or debug facilities enabled is egregious,CM-030 (Configuration Management) - Vendor ensures that any and all interfaces used for testing or debug are unavailalbe in production builds of the devices,Yes,Yes,Yes,Yes
"Mobile App;
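Review bot: two pre-existing typos sit in the cells this hunk touches and could be corrected while the row is open: `detailing all service (listening ports` should be `all services`, and `unavailalbe in production builds` should be `unavailable`. E7 (Usage of Debug Code and Interfaces) is otherwise a direct match for CM-030.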
@@ -439,7 +445,8 @@ FMCSA GDL 46 Use encryption on all wireless communication interfaces
FMCSA GDL 47 Use authentication on all wireless interfaces
FMCSA GDL 25 Assume satellite communication channels have unknown security vulnerabilities and might become compromised at any time.
-","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the confidentiality and integrity of all external communications channels. The cryptographic protections must be industry standard.
+
+OWASP E8 – Transport Layer Security","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the confidentiality and integrity of all external communications channels. The cryptographic protections must be industry standard.
(rationale: cryptography must be validated by experts in the subject)",High,Underpins device functionality and security,SCP-010 (Protecting Communications paths for systems) - Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,Yes,Yes,Yes,Yes
"Mobile App;
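Review bot: E8 is titled Transport Layer Security, but SCP-010 deliberately covers every external channel, including the satellite links GDL 25 calls out, where TLS may not be the protocol in use. A short note in the cell that E8 is cited for its guidance on vetted, industry-standard transport cryptography, not as a requirement to run TLS on every link, would avoid the narrower reading.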
@@ -458,7 +465,9 @@ NIST 800-53 r5 SC-28 (1) - PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PRO
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].
NIST 800-53 r5 SC-28 (2) - PROTECTION OF INFORMATION AT REST | OFFLINE STORAGE
-Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines
+Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].
+
+OWASP E4 – Securing Sensitive Information","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines
e.g. this applies also to apps on mobile where data is cached until it can be synced to other vehicle-connected devices. This data must be encrypted as per this requirement.
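Review bot: no change needed beyond the cross-reference here; the E4 (Securing Sensitive Information) mapping matches SCP-020's verification text, which already requires both encryption of sensitive data at rest and key management, and the `e.g.` sentence on cached mobile data is the kind of case E4 is meant to cover.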
@@ -526,7 +535,9 @@ Employ boundary protection mechanisms to isolate [Assignment: organization-defin
FMCSA GDL 27 Limit telematics units' access to the CAN bus, and whitelist the CAN messages they can send
-FMCSA GDL 37 It is recommended to isolate safety-critical ECUs on their own CAN bus, with some sort of gateway between them and other ECUs",Inspection of 3rd party implementation review or a demonstration by the vendor that asserts that there are protections in place which limit what data can be sent from the telematics device to the vehicle network. Ensure that the protections are ‘layered’ (follow defense-in-depth) so that the compromise of software leading to sending vehicle network data cannot also bypass the protections.,High,Vehicle network protection is paramount,SCP-060 (Protecting Vehicle Network Escalation from Devices) - The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,No,Yes,Yes,No
+FMCSA GDL 37 It is recommended to isolate safety-critical ECUs on their own CAN bus, with some sort of gateway between them and other ECUs
+
+OWASP E2 – Injection Prevention",Inspection of 3rd party implementation review or a demonstration by the vendor that asserts that there are protections in place which limit what data can be sent from the telematics device to the vehicle network. Ensure that the protections are ‘layered’ (follow defense-in-depth) so that the compromise of software leading to sending vehicle network data cannot also bypass the protections.,High,Vehicle network protection is paramount,SCP-060 (Protecting Vehicle Network Escalation from Devices) - The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,No,Yes,Yes,No
"Mobile App;
Connectivity/Communications;
Cloud or Back-end;
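Review bot: E2 (Injection Prevention) is a loose fit for SCP-060. This row restricts what the telematics unit may send onto the vehicle network (the CAN message whitelist in GDL 27, the gateway in GDL 37), whereas injection prevention is about validating untrusted input before it reaches an interpreter or parser. If the mapping stays, a few words in the cell explaining that the CAN whitelist acts as an output filter analogous to input validation would justify it; otherwise a requirement on input handling is the more natural home for E2.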
@@ -596,7 +607,9 @@ FMCSA GDL 40 Always use a complex, unique password per device
FMCSA GDL 43 Always use a complex, unique password per device
-FMCSA GDL 48 Use a unique, complex password on each device, vehicle, or application",Inspection of 3rd party documentation or a demonstration by the vendor that asserts the absence of any hard-coded API keys in the client software. E.g. proof that any and all information from the backend is inaccessible without both valid user credentials and any client identifiers such as API keys.,Medium,,SCP-120 (Unique API Keys and API Passwords) - The vendor’s software shall not contain any credentials that are shared among other copies of software; e.g. the software cannot contain hardcoded API keys or API passwords,Yes,No,Yes,Yes
+FMCSA GDL 48 Use a unique, complex password on each device, vehicle, or application
+
+OWASP E4 – Securing Sensitive Information",Inspection of 3rd party documentation or a demonstration by the vendor that asserts the absence of any hard-coded API keys in the client software. E.g. proof that any and all information from the backend is inaccessible without both valid user credentials and any client identifiers such as API keys.,Medium,,SCP-120 (Unique API Keys and API Passwords) - The vendor’s software shall not contain any credentials that are shared among other copies of software; e.g. the software cannot contain hardcoded API keys or API passwords,Yes,No,Yes,Yes
"Mobile App;
Connectivity/Communications;
Cloud or Back-end;
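Review bot: the rationale column for this row is still empty (`,Medium,,SCP-120`) while neighbouring rows all carry one; since the row is being rewritten, a one-liner such as "a credential shared across every copy of the client is exposed as soon as any single copy is inspected" would bring it in line. The E4 mapping itself is sound: hard-coded API keys are sensitive information embedded in the client.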
@@ -638,6 +651,8 @@ FMCSA GDL 34 Make sure the update comes from a legitimate source (authenticity).
FMCSA GDL 35 Prevent the attacker from reinstalling a legitimate but known-vulnerable version (rollback attack).
FMCSA GDL 36 Make sure you can revoke and replace cryptographic keys.
+
+OWASP E3 – Firmware Updates and Cryptographic Signatures
","Test that a) a modified update is rejected b) a modified update signed by any key other than the manufacturer is rejected c) a previous version cannot be reinstalled.
If this facility is not in motor freight carrier control; then inspection of a report from the vendor showing tests of the above.",Medium,,SII-011 (Protecting Firmware on Devices) - The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,Yes,Yes,Yes,Yes
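Review bot: the test column checks `a)` tampering, `b)` signing with a non-manufacturer key and `c)` rollback, but not the key revocation that GDL 36 and the SII-011 text ("a means of denying the use of old potentially compromised signing keys") require. Since E3 is being cross-referenced here and covers signature verification as a whole, adding a `d)` that an update signed with a revoked or superseded key is rejected would close that gap.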
@@ -736,7 +751,9 @@ Implement the following controls to protect the system memory from unauthorized
Cyber ITL Methodology – Safety Features
-FMCSA GDL 22 Leverage security controls built in to the operating system","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the presence of an array of code safety features (such as those listed in the requirement SII-070 or at the CITL safety features list).
+FMCSA GDL 22 Leverage security controls built in to the operating system
+
+OWASP E1 – Buffer and Stack Overflow Protection","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the presence of an array of code safety features (such as those listed in the requirement SII-070 or at the CITL safety features list).
(rationale: measuring the presence of these mitigations requires binary analysis by experts in the subject)",High," Without any of these, exploitation is trivial","SII-070 (Protecting Firmware on Devices) - The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.",Yes,Yes,Yes,Yes
"Mobile App;
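Review bot: the E1 mapping holds up on the SII-070 text itself: stack guards, fortification, DEP and ASLR are exactly the mitigations E1 (Buffer and Stack Overflow Protection) addresses. One nit in the unchanged context: the rationale cell carries a leading space (`" Without any of these, exploitation is trivial"`), which will surface in the rendered sheet.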
@@ -819,7 +836,9 @@ b. Employ vulnerability monitoring tools and techniques that facilitate interope
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
-f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.","Inspection of vendor-supplied documents stating the frequency, method, and scope of vulnerability scans.",Medium,-,"SII-110 (Vulnerability Management) - The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs.
+f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
+
+OWASP E10 – Third Party Code and Components","Inspection of vendor-supplied documents stating the frequency, method, and scope of vulnerability scans.",Medium,-,"SII-110 (Vulnerability Management) - The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs.
",No,No,Yes,Yes
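Review bot: E10 (Third Party Code and Components) connects to SII-110 only through the clause that scans verify "software components in use have been patched"; nothing in the verification column asks for an inventory of those components. Since scan scope depends on knowing which third-party libraries are present, consider extending the verification text to request that inventory alongside the scan frequency, method and scope.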
@@ -856,7 +875,9 @@ Require the developer of the system, system component, or system service to empl
NIST 800-53 r5 SA-11 (7) - DEVELOPER TESTING AND EVALUATION | VERIFY SCOPE OF TESTING AND EVALUATION
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
-FMCSA GDL 2 Follow secure coding best practices.","Inspection of vendor-supplied documentation detailing their release process and quality controls.
+FMCSA GDL 2 Follow secure coding best practices.
+
+OWASP E10 – Third Party Code and Components","Inspection of vendor-supplied documentation detailing their release process and quality controls.
Ensure that the process ensures that code is subject to static analysis prior to production release.",Medium,-,"SII-130 (Vulnerability Management) - The vendor shall verify code and best practice standards prior to deployment including:
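Review bot: this second E10 cross-reference is weaker than the one on SII-110: SII-130 is about the vendor's own release process and static analysis of its code before production, while E10 concerns third-party components, which static analysis of first-party code does not usually cover. If the intent is that third-party code falls within the pre-release verification, stating that in the SII-130 text would make the link explicit.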
At the 20210614 meeting these changes were reviewed and there are some small edits required, please see below:
regarding adding E1 xref to SII-070 -- Derek Held isn't sure they match. SII-070 is more about other apps manipulating memory. Ben asks if there is a better match though. Ben thinks that if you satisfy SII-070 then you would satisfy E1
adding E2 to SCP-060 is reviewed. Ben doesn't think this matches. Derek proposes mapping E2 to SII-071. Derek and Ben discuss and agree that E1 can map to both SII-070 and SII-071. No objections.
adding E3 to SII-011 is reviewed. No objections. Ben & Derek think it is a near-perfect match.
adding E4 to SCP-120 and SCP-020 is reviewed. Ben isn't sure about mapping to SCP-120 which is dealing with API keys. But comes around to thinking they are OK. Derek also.
adding E5 to AC-020. Ben thinks that's a good match. Derek agrees.
adding E6 to CM-010. Derek thinks it is a good match. Ben thinks it also matches CM-020. Derek points out that E6 is about removal. Ben agrees: not a good enough match.
adding E7 to CM-030. Ben and Derek think this is a good match.
adding E8 to SCP-010 is reviewed. Ben thinks it is a good match. Derek agrees.
adding E10 to SII-130 and SII-110. Ben is OK with both. The xref addition to SII-110 makes sense because it refers to external things that could be useful for fleets and vendors when thinking about continuous monitoring.
A log of which requirement received a new xref was kept for each of the “best practices”. This log is available in the following spreadsheet. OWASP emb app sec top 10 TCRM xref addition log.xlsx