Detect & Response set of requirements missing #86
Comments
- Fixed a small typo - Removed 4.5.5 as this is a general requirement that does not apply to LoRaWan only. Currently this is not covered by the ISVS, as such I've created a new issue OWASP#86 so that we don't forget about this. - Removed 4.5.7. Jamming protection/detection is covered in 4.1.4 - Changed the numbering to account for the removal of 4.5.5 Even though 4.5.2, 4.5.3, 4.5.4 and 4.5.5 are already covered by other requirements, I've opted to not remove them as they are very important to, and tailored to LoRaWan networks. Thank you for your contribution!
|
DnR operations should be out of scope IMO. Widening the scope to include processes and operational procedures that vary based on the organization typically have reliance on compliance program requirements but also internal mandates based on incidents. Perhaps im missing the intention. Feel to clarify :)
A best practice is to design with cryptographic agility including a plan that incorporates root key compromise and rotation of those. IoT platforms can provide this capability to remotely update key sets when incidents occur or as part of a rotation policy through OTA. Side note: We should add the following Lorawan security FAQ reference: https://resources.lora-alliance.org/faq/lorawan-security-faq Re: 4.5.8 |
The ISVS currently does not cover security requirements related to detecting and responding to security incidents.
Example requirement that's missing: Verify that an appropriate response strategy is in place in case an end device's root keys are compromised, given that root keys cannot be remotely updated.
Other example of a requirement that exists but could be generalized:
| 4.5.8 | Verify that users can obtain an overview of paired devices to validate that they are legitimate (for example, by comparing the MAC addresses of connected devices to the expected ones). | | | ✓ |
The text was updated successfully, but these errors were encountered: