david-a-wheeler
commented
1 year ago Make sure we note the value of compile-time options to reduce risks (in general).
Open david-a-wheeler opened 1 year ago
david-a-wheeler
commented
1 year ago Make sure we note the value of compile-time options to reduce risks (in general).
Make it clear that this material applies to embedded software (as well as cloud, server-side apps, client-side apps, mobile apps, etc.), and add any material that might be needed.
I reviewed the OWASP materials here: https://scriptingxss.gitbook.io/embedded-appsec-best-practices/
We already cover practically all of it. However, there is one embedded issue that we don't fully cover: "Firmware Updates and Cryptographic Signatures": https://scriptingxss.gitbook.io/embedded-appsec-best-practices/3_firmware_updates_and_cryptographic_signatures
We might also want to add some info from the Linux kernel self-protection work: https://www.kernel.org/doc/html/next/security/self-protection.html
We should cover that, then make it clear we're covering all kinds of software. We don't cover kernels as much, but most of the fundamentals still apply, so maybe we should instead go for "all software".