Development of Secure Embedded System

We present a mind map linking the Secure Development Lifecycle phases to the IoTSF Security Assurance Framework and Arm PSA Certified. We have added icons that represent each section of our Embedded System Security for C/C++ Developers course to the branches, to give you a better idea of what to expect on the course.

Imagemap
Secure Microcontroller-based ProductSecure Design & ArchitectureWhat needs protecting?Sensitive dataInterlectual PropertyFunctionalityReputationWho/what do you need protecting from?Threat ModellingBSIMMSTRIDEAttack TreesCommon CriteriaTarget of EvaluationProtection ProfileType of attackerMotivation for attackAttack mechanismInsider attackSide channel attackMarket (customer)Security AwarenessRequirements & ExpectationsCostRisk AssessmentAssurance LevelIoTSF SAF Class 0-4PSA Certified Level 1-3BSIMMIoT SMMCVSSSecurity GoalsPSAUnique IDSecure LifecycleAttestationSecure BootSecure UpdateAnti-RollbackIsolationInteraction across boundariesData bindingServices (crypto, etc)Safety RequirementsDefences and countermeasuresCompany levelSecurity PolicyManagement governanceChief Security OfficerSecurity FrameworkSecurity RequirementsVulnerability Handling ProcessISO 30111Vulnerability Reporting PolicyVulnerability Disclosure PolicySecurity UpdatesSupport Duration & ExpectationsIoT DevicesSBOMShared Library Vulnerability StatusTrainingMarket - CompetitorsStandards & RegulationsFrameworksIoTSF SAFMicrosoft SDLCertificationETSI-EN 303 645PSA CertifiedSecurity LevelBSIMMIoT SMMCVSSIoTSF SAFPSA CertifiedSecure supply chain & productionEncrypted design files held by 3rd party ...Process to ensure no duplicate devicesSecurely controlled area for device prov ...SBOM kept up to dateSBOM made available to customers where p ...Process to prevent IP theft, reverse eng ...Signing keys held securelyEnd-of-life disposal serviceApplication levelDesign RequirementsSecure data storageCryptographyHashesCertificatesSW AuthenticationDedicated key for signingSecure data communicationsAuthenticationUnique passwordsStrong Authentication MechanismSynchronous & Asynchronous Encryption/De ...Message ValidationKey exchange/GenerationTransport Level SecuritySecure Protocols & configurationWiFi RecommendationsSecured by TLS/DTLSNIST recommendations for TLSResilience to communications lossPermissions & PrivilegesPasswordsNo blank/default passwordStrong passwordProtectionReset/RevocationLeast PrivilegeTrustDefinition & DocumentationStandard Security PrinciplesSecurity LevelAppropriate cryptographic functionsAppropriate key lengthSub-system Key ManagementWeb User InterfaceSecure, authenticated accessAutomatic idle logoutStrong password securityVulnerability assessmentValidated input & output dataSecure admin interfaceSensitive communications encryptedSecure coding techniques appliedSimple interface for security updateMobile ApplicationUnique, Strong & Secure PasswordSecure communication with serverValidated input & output dataSecure admin interfaceSecure coding techniques appliedSimple interface for security updateAuthenticated access onlyPrivacy (Personal Information)Minimize details storedData is encryptedAccess to data controlledAnonymise where possibleData retention policyData reporting/validation processStandard-complient (e.g. GDPR)Clear end-user instructionsNo unauthorized data collectionCloud & Network ElementsMaintained security updatesValid TLS certificatesTLS renegotiation disabledUnused IP ports disabledmTLS requires trusted client certificateCertificate pinning with TLSPasswords follow best practiceProtection against brute force attackAccess control measures enforcedCloud services meet current industry sta ...Safety-critical services ensure continui ...Input data validationCommunications with cloud secure & encry ...Controlled access to device ditigal twin ...Key exchange required for device to acce ...Cloud service databases encrypted & acce ...Connections monitored for malicious acti ...ConfigurationSecure storage for parametersSecure update should remove redundant pa ...Manufacturer guidance for secure configu ...Secure UpdateSelf-check for UpdatesPlatform levelSecure SW ArchitecturePrivileged & non-privileged processesLeast possible privilegeSecure & non-secure modesSW AuthenticationDedicated key for signingIsolationPhysical separationTrustzoneSW Attack MitigationsWatchdogAnti-RollbackServices (API)Access control (passwords)Not hard-codedSecure commsAttestationSecure StorageClean-after-use PolicyNo hard-coded security parametersCryptoNo weak or deprecated functionsAppropriate StrengthSecure UpdatePartial UpdatesPostponed UpdateUpdate AuthenticationSecure HW ArchitectureUnique IDSilicon IDOTP ROMPUFSecure storageEncrypted memoryKey/Certificate storageIsolated On-Chip MemorySecure ElementTPMHSMCrypto accelerator for real-time code de ...Clear-after-use PolicyRandomizationPUFTrue Random Number GeneratorCrypto engineHW Root-of-TrustAttestationSecure BootSecure UpdateAnti-RollbackExecutable Memory ProtectionMPUTrustzoneHW Attack MitigationsIoTSF Best Practice GuidesValidated RTCSecure MCUsMulti-corePSoC6Azure SphereArmv8-MSAUIDAUSecure GatewaySecure SP, SysTick, etcImplementationSecure SoftwareSW Engineering Best PracticeApproved Coding StandardsBuild processNo hard-coded parametersSecure codingCVE/CWECERT CMISRA CStatic AnalysisSecure PlatformSecure InterfacesClose unused portsUnused protocols/services disabledVerificationDynamic AnalysisUnit testsFuzz TestingMaintenance Update TestingReleaseFinal Security ReviewPenetration TestingSimple/Differential Power Analysis Attac ...Reverse EngineeringManufactureProvisioning keys/certificatesKey access controlKeys for UpdatesSecure Provisioning ProcessCode encryption & signingClean codeRemoval of symbols, debug & test codeRemoval of sensitive dataPhysical securityLocking JTAG/DebugTamper detectionUnused ports secureProduction testingProcessor only run from secure bootRoT ID authenticated by authorised agentRoT ID logged throughout supply chainClone detection & removalCertificationPSE CertifiedFIPS 140-3ETSI EN 303-645ETSI TS 103-701NIST 8259ASESIPRuntime Defence & MonitoringVulnerability Disclosure ProgramVulnerability ResponseCommunication Protocol UpgradesSecure UpdateReplacement where update not possibleSecure DebugAttack RecoveryReturn to known good stateTamper DetectionWatchdog TimerSecure Disposal/Transfer of OwnershipDeletion of sensitve dataManufacturer procedure documentationGDPRKeys & CertificatesFinancialReverse engineering preventionDecommission/Recommission processSecure device registrationUser identity protectionPrevious user data/settings erasedUnauthorised reuse
hide
Secure Microcontroller-based Product
hideintro
Secure Design & Architecture
hideintro
What needs protecting?
leafintro
Sensitive data
leafintro
Interlectual Property
leafintro
Functionality
leafintro
Reputation
hideintro
Who/what do you need protecting from?
hidesw_dev
Threat Modelling
Attributes
NameValue
IoTSF SAF2.4.3.6
IoTSF SAF2.4.3.10
PSAThreat Models & Security Analysis
Microsoft SDLPractice #4
leafsw_dev
BSIMM
leafsw_dev
STRIDE
leafsw_dev
Attack Trees
hidesw_dev
Common Criteria
leafsw_dev
Target of Evaluation
leafsw_dev
Protection Profile
leafsw_dev
Type of attacker
leafsw_dev
Motivation for attack
hideSW_Arch
Attack mechanism
leaf
Insider attack
leafSW_Arch
Side channel attack
hideintro
Market (customer)
leaf
Security Awareness
leaf
Requirements & Expectations
leaf
Cost
hideintro
Risk Assessment
hideSW_Arch
Assurance Level
leaf
IoTSF SAF Class 0-4
Attributes
NameValue
IoTSF SAF2.2
leafTesting
PSA Certified Level 1-3
leafsw_dev
BSIMM
leafsw_dev
IoT SMM
leafsw_dev
CVSS
hideintro
Security Goals
Attributes
NameValue
Microsoft SDLPractice #2
hideintro sw_dev
PSA
Attributes
NameValue
PSASecurity Model Goals
leaf
Unique ID
leaf
Secure Lifecycle
leaf
Attestation
leaf
Secure Boot
leaf
Secure Update
leaf
Anti-Rollback
leaf
Isolation
leaf
Interaction across boundaries
leaf
Data binding
leaf
Services (crypto, etc)
leaf
Safety Requirements
Attributes
NameValue
IoTSF SAF2.4.5.24
hideintro
Defences and countermeasures
hide
Company level
hide
Security Policy
hide
Management governance
Attributes
NameValue
IoTSF SAF2.4.3
leaf
Chief Security Officer
Attributes
NameValue
IoTSF SAF2.4.3.1
IoTSF SAF2.4.3.2
leaf
Security Framework
Attributes
NameValue
IoTSF SAF2.4.3.4
leaf
Security Requirements
Attributes
NameValue
Microsoft SDLPractice #2
hide
Vulnerability Handling Process
Attributes
NameValue
Microsoft SDLPractice #12
leaf
ISO 30111
Attributes
NameValue
IoTSF SAF2.4.3.17
leaf
Vulnerability Reporting Policy
Attributes
NameValue
IoTSF SAF2.4.3.5
IoTSF SAF2.4.3.21
Microsoft SDLPractice #3
leaf
Vulnerability Disclosure Policy
Attributes
NameValue
IoTSF SAF2.4.3.7-9
IoTSF SAF2.4.3.11-16
hide
Security Updates
Attributes
NameValue
IoTSF SAF2.4.3.18-20
IoTSF SAF2.4.3.22-23
IoTSF SAF2.4.3.25
IoTSF SAF2.4.3.29
leaf
Support Duration & Expectations
Attributes
NameValue
IoTSF SAF2.4.5.36
leaf
IoT Devices
Attributes
NameValue
IoTSF SAF2.4.5.39
hide
SBOM
Attributes
NameValue
IoTSF SAF2.4.3.24
IoTSF SAF2.4.3.26-28
Microsoft SDLPractice #7
leaf
Shared Library Vulnerability Status
Attributes
NameValue
IoTSF SAF2.4.5.37
leaf
Training
Attributes
NameValue
Microsoft SDLPractice #1
leaf
Market - Competitors
hide
Standards & Regulations
hide
Frameworks
leaf
IoTSF SAF
leafsw_dev
Microsoft SDL
hide
Certification
leafTesting
ETSI-EN 303 645
leafTesting
PSA Certified
hide
Security Level
leafsw_dev
BSIMM
leafsw_dev
IoT SMM
leafsw_dev
CVSS
leaf
IoTSF SAF
leaf
PSA Certified
hideTesting
Secure supply chain & production
Attributes
NameValue
IoTSF SAF2.4.14
leaf
Encrypted design files held by 3rd party Escrow service
Attributes
NameValue
IoTSF SAF2.4.14.2
leaf
Process to ensure no duplicate devices
Attributes
NameValue
IoTSF SAF2.4.14.3-4
leaf
Securely controlled area for device provisioning
Attributes
NameValue
IoTSF SAF2.4.14.6
leaf
SBOM kept up to date
Attributes
NameValue
IoTSF SAF2.4.14.8
leaf
SBOM made available to customers where possible
Attributes
NameValue
IoTSF SAF2.4.14.25
leaf
Process to prevent IP theft, reverse engineering and production of unauthorised devices
Attributes
NameValue
IoTSF SAF2.4.14.15-18
IoTSF SAF2.4.14.22
leaf
Signing keys held securely
Attributes
NameValue
IoTSF SAF2.4.14.19
leaf
End-of-life disposal service
Attributes
NameValue
IoTSF SAF2.4.14.23-24
hide
Application level
leaf
Design Requirements
Attributes
NameValue
Microsoft SDLPractice #5
hide
Secure data storage
leafcrypto
Cryptography
leafcrypto
Hashes
leafcrypto2
Certificates
hideTesting
SW Authentication
Attributes
NameValue
IoTSF SAF2.4.5.1
leaf
Dedicated key for signing
Attributes
NameValue
IoTSF SAF2.4.9.8
hide
Secure data communications
Attributes
NameValue
IoTSF SAF2.4.7
hide
Authentication
leaf
Unique passwords
Attributes
NameValue
IoTSF SAF2.4.7.7
leafTLS
Strong Authentication Mechanism
Attributes
NameValue
IoTSF SAF2.4.7.8
leafcrypto2
Synchronous & Asynchronous Encryption/Decryption
leafcrypto2
Message Validation
leafcrypto2
Key exchange/Generation
Attributes
NameValue
IoTSF SAF2.4.7.11
leafTLS
Transport Level Security
Attributes
NameValue
IoTSF SAF2.4.5.21
hideTLS
Secure Protocols & configuration
Attributes
NameValue
IoTSF SAF2.4.7.2
IoTSF SAF2.4.7.4
leafTLS
WiFi Recommendations
Attributes
NameValue
IoTSF SAF2.4.7.10-11
leafTLS
Secured by TLS/DTLS
Attributes
NameValue
IoTSF SAF2.4.7.13-14
leafTLS
NIST recommendations for TLS
Attributes
NameValue
IoTSF SAF2.4.7.15
IoTSF SAF2.4.7.19
leaf
Resilience to communications loss
Attributes
NameValue
IoTSF SAF2.4.7.17
IoTSF SAF2.4.7.25
hide
Permissions & Privileges
Attributes
NameValue
IoTSF SAF2.4.8
hide
Passwords
leafTesting
No blank/default password
Attributes
NameValue
IoTSF SAF2.4.8.2-4
leaf
Strong password
Attributes
NameValue
IoTSF SAF2.4.8.5-6
leaf
Protection
Attributes
NameValue
IoTSF SAF2.4.8.7-9
IoTSF SAF2.4.8.15
leaf
Reset/Revocation
Attributes
NameValue
IoTSF SAF2.4.8.12-14
IoTSF SAF2.4.8.16
leafSW_Arch
Least Privilege
leaf
Trust
leaf
Definition & Documentation
Attributes
NameValue
IoTSF SAF2.4.8.10
hide
Standard Security Principles
hide
Security Level
leafcrypto
Appropriate cryptographic functions
Attributes
NameValue
IoTSF SAF2.4.9.6
Microsoft SDLPractice #6
leafcrypto
Appropriate key length
Attributes
NameValue
IoTSF SAF2.4.9.10
leaf
Sub-system Key Management
Attributes
NameValue
IoTSF SAF2.4.9.11
hide
Web User Interface
Attributes
NameValue
IoTSF SAF2.4.10
leafHW_Arch
Secure, authenticated access
Attributes
NameValue
IoTSF SAF2.4.10.1-4
leaf
Automatic idle logout
Attributes
NameValue
IoTSF SAF2.4.10.5
leaf
Strong password security
Attributes
NameValue
IoTSF SAF2.4.10.6-7
IoTSF SAF2.4.10.17
leaf
Vulnerability assessment
Attributes
NameValue
IoTSF SAF2.4.10.9
leaf
Validated input & output data
Attributes
NameValue
IoTSF SAF2.4.10.10
IoTSF SAF2.4.10.12
IoTSF SAF2.4.10.15
leaf
Secure admin interface
Attributes
NameValue
IoTSF SAF2.4.10.13
leafcrypto
Sensitive communications encrypted
Attributes
NameValue
IoTSF SAF2.4.10.19
leafsecure_c
Secure coding techniques applied
Attributes
NameValue
IoTSF SAF2.4.10.16
leaf
Simple interface for security update
Attributes
NameValue
IoTSF SAF2.4.10.18
hide
Mobile Application
Attributes
NameValue
IoTSF SAF2.4.11
leaf
Unique, Strong & Secure Password
Attributes
NameValue
IoTSF SAF2.4.11.1-2
IoTSF SAF2.4.11.5-6
leafTLS
Secure communication with server
Attributes
NameValue
IoTSF SAF2.4.11.4
IoTSF SAF2.4.11.13
leaf
Validated input & output data
Attributes
NameValue
IoTSF SAF2.4.11.9
leaf
Secure admin interface
Attributes
NameValue
IoTSF SAF2.4.11.8
leafsecure_c
Secure coding techniques applied
Attributes
NameValue
IoTSF SAF2.4.11.10
leaf
Simple interface for security update
Attributes
NameValue
IoTSF SAF2.4.11.11
leafTLS
Authenticated access only
Attributes
NameValue
IoTSF SAF2.4.11.12
hide
Privacy (Personal Information)
Attributes
NameValue
IoTSF SAF2.4.12
leafSW_Arch
Minimize details stored
Attributes
NameValue
IoTSF SAF2.4.12.1
leafcrypto
Data is encrypted
Attributes
NameValue
IoTSF SAF2.4.12.2
leafSW_Arch
Access to data controlled
Attributes
NameValue
IoTSF SAF2.4.12.3
leaf
Anonymise where possible
Attributes
NameValue
IoTSF SAF2.4.12.4
leaf
Data retention policy
Attributes
NameValue
IoTSF SAF2.4.12.5
leaf
Data reporting/validation process
Attributes
NameValue
IoTSF SAF2.4.12.6-7
leaf
Standard-complient (e.g. GDPR)
Attributes
NameValue
IoTSF SAF2.4.12.8
IoTSF SAF2.4.12.15
leaf
Clear end-user instructions
Attributes
NameValue
IoTSF SAF2.4.12.9-13
leaf
No unauthorized data collection
Attributes
NameValue
IoTSF SAF2.4.12.14
hide
Cloud & Network Elements
Attributes
NameValue
IoTSF SAF2.4.13
leaf
Maintained security updates
Attributes
NameValue
IoTSF SAF2.4.13.1
IoTSF SAF2.4.13.5-6
leafTLS
Valid TLS certificates
Attributes
NameValue
IoTSF SAF2.4.13.4
leaf
TLS renegotiation disabled
Attributes
NameValue
IoTSF SAF2.4.13.7
leaf
Unused IP ports disabled
Attributes
NameValue
IoTSF SAF2.4.13.8
leafTLS
mTLS requires trusted client certificate
Attributes
NameValue
IoTSF SAF2.4.13.9
leaf
Certificate pinning with TLS
Attributes
NameValue
IoTSF SAF2.4.13.10
leafsecure_rules
Passwords follow best practice
Attributes
NameValue
IoTSF SAF2.4.13.11-14
leaf
Protection against brute force attack
Attributes
NameValue
IoTSF SAF2.4.13.15
leaf
Access control measures enforced
Attributes
NameValue
IoTSF SAF2.4.13.16-18
leaf
Cloud services meet current industry standards
Attributes
NameValue
IoTSF SAF2.4.13.19
leaf
Safety-critical services ensure continuity and availability
Attributes
NameValue
IoTSF SAF2.4.13.21
leaf
Input data validation
Attributes
NameValue
IoTSF SAF2.4.13.22
leafTLS
Communications with cloud secure & encrypted
Attributes
NameValue
IoTSF SAF2.4.13.23-24
IoTSF SAF2.4.13.34-35
leaf
Controlled access to device ditigal twin in cloud
Attributes
NameValue
IoTSF SAF2.4.13.25
leafcrypto2
Key exchange required for device to access cloud services
Attributes
NameValue
IoTSF SAF2.4.13.26-27
leaf
Cloud service databases encrypted & access restricted
Attributes
NameValue
IoTSF SAF2.4.13.28-32
leaf
Connections monitored for malicious activity
Attributes
NameValue
IoTSF SAF2.4.13.33
IoTSF SAF2.4.13.36
hide
Configuration
Attributes
NameValue
IoTSF SAF2.4.15
leafHW_Arch
Secure storage for parameters
Attributes
NameValue
IoTSF SAF2.4.15.1
leaf
Secure update should remove redundant parameters
Attributes
NameValue
IoTSF SAF2.4.15.2
leaf
Manufacturer guidance for secure configuration
Attributes
NameValue
IoTSF SAF2.4.15.3
hide
Secure Update
leafSW_Arch
Self-check for Updates
Attributes
NameValue
IoTSF SAF2.4.5.41
hide
Platform level
hide
Secure SW Architecture
Attributes
NameValue
IoTSF SAF2.4.5
IoTSF SAF2.4.6
hideSW_Arch
Privileged & non-privileged processes
Attributes
NameValue
IoTSF SAF2.4.5.15
leafSW_Arch
Least possible privilege
Attributes
NameValue
IoTSF SAF2.4.6.9
IoTSF SAF2.4.6.13
leafSW_Arch
Secure & non-secure modes
Attributes
NameValue
IoTSF SAF2.4.6.11
PSAInteraction over boundaries
hidecrypto2
SW Authentication
Attributes
NameValue
IoTSF SAF2.4.5.1
leaf
Dedicated key for signing
Attributes
NameValue
IoTSF SAF2.4.9.8
hideSW_Arch
Isolation
Attributes
NameValue
IoTSF SAF2.4.6.12
PSAIsolation
leaf
Physical separation
leaf
Trustzone
hide
SW Attack Mitigations
leaf
Watchdog
Attributes
NameValue
IoTSF SAF2.4.5.6
leafsw_dev SW_Arch
Anti-Rollback
Attributes
NameValue
IoTSF SAF2.4.5.8
PSAAnti-Rollback
hide
Services (API)
Attributes
NameValue
PSAServices
hide
Access control (passwords)
leaf
Not hard-coded
Attributes
NameValue
IoTSF SAF2.4.6.5
leaf
Secure comms
leaf
Attestation
Attributes
NameValue
PSAAttestation API
hideSW_Arch
Secure Storage
Attributes
NameValue
PSAProtected Storage API
leaf
Clean-after-use Policy
Attributes
NameValue
IoTSF SAF2.4.5.33-34
leaf
No hard-coded security parameters
Attributes
NameValue
IoTSF SAF2.4.5.40
hide
Crypto
Attributes
NameValue
PSACryptography API
leafcrypto
No weak or deprecated functions
Attributes
NameValue
IoTSF SAF2.4.9.5
leafcrypto
Appropriate Strength
Attributes
NameValue
IoTSF SAF2.4.9.6
hideSW_Arch
Secure Update
Attributes
NameValue
PSASecure Update API
IoTSF SAF2.4.5.2-4
leaf
Partial Updates
Attributes
NameValue
IoTSF SAF2.4.5.25-26
leaf
Postponed Update
Attributes
NameValue
IoTSF SAF2.4.5.27
leafcrypto2
Update Authentication
Attributes
NameValue
IoTSF SAF2.4.5.29-30
hide
Secure HW Architecture
Attributes
NameValue
IoTSF SAF2.4.4
hideHW_Arch
Unique ID
Attributes
NameValue
IoTSF SAF2.4.8.1
PSAUnique ID
IoTSF SAF2.4.8.18
leaf
Silicon ID
leaf
OTP ROM
leaf
PUF
hideHW_Arch
Secure storage
Attributes
NameValue
IoTSF SAF2.4.9
leafHW_Arch
Encrypted memory
hideHW_Arch
Key/Certificate storage
Attributes
NameValue
IoTSF SAF2.4.9.7
leaf
Isolated On-Chip Memory
hideHW_Arch
Secure Element
leafHW_Arch
TPM
leafHW_Arch
HSM
leafHW_Arch
Crypto accelerator for real-time code decryption
leaf
Clear-after-use Policy
Attributes
NameValue
IoTSF SAF2.4.5.34
hidecrypto
Randomization
Attributes
NameValue
IoTSF SAF2.4.4.17
leafHW_Arch
PUF
leafHW_Arch
True Random Number Generator
Attributes
NameValue
IoTSF SAF2.4.9.2
leafHW_Arch
Crypto engine
leafHW_Arch
HW Root-of-Trust
Attributes
NameValue
IoTSF SAF2.4.4.2
IoTSF SAF2.4.5.7
leafHW_Arch
Attestation
Attributes
NameValue
PSAAttestation
leafHW_Arch
Secure Boot
Attributes
NameValue
IoTSF SAF2.4.4.1-4
PSASecure Boot
leafHW_Arch
Secure Update
Attributes
NameValue
PSASecure Update
leafHW_Arch
Anti-Rollback
Attributes
NameValue
PSAAnti-Rollback
hideHW_Arch
Executable Memory Protection
Attributes
NameValue
IoTSF SAF2.4.4.18
leaf
MPU
leafHW_Arch
Trustzone
hideHW_Arch
HW Attack Mitigations
Attributes
NameValue
IoTSF SAF2.4.5.12
leaf
IoTSF Best Practice Guides
leafHW_Arch
Validated RTC
Attributes
NameValue
IoTSF SAF2.4.8.2
hideHW_Arch
Secure MCUs
Attributes
NameValue
PSAIsolation
hideHW_Arch
Multi-core
leaf
PSoC6
leaf
Azure Sphere
hideHW_Arch
Armv8-M
leafHW_Arch
SAU
leafHW_Arch
IDAU
leaf
Secure Gateway
leaf
Secure SP, SysTick, etc
hideintro
Implementation
hide
Secure Software
hidesecure_c
SW Engineering Best Practice
Attributes
NameValue
IoTSF SAF2.4.5.13
leafsecure_rules
Approved Coding Standards
leaf
Build process
Attributes
NameValue
IoTSF SAF2.4.5.16-18
Microsoft SDLPractice #8
leaf
No hard-coded parameters
Attributes
NameValue
IoTSF SAF2.4.5.40
hidesecure_rules
Secure coding
leafsecure_rules
CVE/CWE
leafsecure_rules
CERT C
leafsecure_rules
MISRA C
leafsecure_rules
Static Analysis
Attributes
NameValue
IoTSF SAF2.4.5.14
Microsoft SDLPractice #9
leaf
Secure Platform
hide
Secure Interfaces
leafHW_Arch
Close unused ports
Attributes
NameValue
IoTSF SAF2.4.7.6
leafHW_Arch
Unused protocols/services disabled
Attributes
NameValue
IoTSF SAF2.4.7.18
hideintro
Verification
hideTesting
Dynamic Analysis
Attributes
NameValue
Microsoft SDLPractice #10
leafTesting
Unit tests
leafTesting
Fuzz Testing
Attributes
NameValue
IoTSF SAF2.4.5.23
leaf
Maintenance Update Testing
Attributes
NameValue
IoTSF SAF2.4.5.38
hideintro
Release
hidesw_dev
Final Security Review
leafTesting
Penetration Testing
Attributes
NameValue
Microsoft SDLPractice #11
leafTesting
Simple/Differential Power Analysis Attacks
leafTesting
Reverse Engineering
Attributes
NameValue
IoTSF SAF2.4.4.8
hide
Manufacture
hidecrypto2
Provisioning keys/certificates
Attributes
NameValue
IoTSF SAF2.4.4.14
IoTSF SAF2.4.14.9
leaf
Key access control
Attributes
NameValue
IoTSF SAF2.4.5.19-20
leaf
Keys for Updates
Attributes
NameValue
IoTSF SAF2.4.5.32
leafTesting
Secure Provisioning Process
Attributes
NameValue
IoTSF SAF2.4.9.3-4
IoTSF SAF2.4.9.9
leafcrypto2
Code encryption & signing
Attributes
NameValue
IoTSF SAF2.4.4.13
IoTSF SAF2.4.5.9
hide
Clean code
leaf
Removal of symbols, debug & test code
Attributes
NameValue
IoTSF SAF2.4.5.10-11
IoTSF SAF2.4.14.1
leaf
Removal of sensitive data
Attributes
NameValue
IoTSF SAF2.4.5.12
hide
Physical security
leafHW_Arch
Locking JTAG/Debug
Attributes
NameValue
IoTSF SAF2.4.4.5
IoTSF SAF2.4.4.10
leafHW_Arch
Tamper detection
Attributes
NameValue
IoTSF SAF2.4.4.6-7
leafHW_Arch
Unused ports secure
Attributes
NameValue
IoTSF SAF2.4.4.9
hide
Production testing
leafHW_Arch
Processor only run from secure boot
Attributes
NameValue
IoTSF SAF2.4.14.5
leaf
RoT ID authenticated by authorised agent
Attributes
NameValue
IoTSF SAF2.4.14.10
leaf
RoT ID logged throughout supply chain
Attributes
NameValue
IoTSF SAF2.4.14.12
leaf
Clone detection & removal
Attributes
NameValue
IoTSF SAF2.4.14.3
hideTesting
Certification
leafsw_dev
PSE Certified
Attributes
NameValue
PSAThreat Models & Security Analysis
leaf
FIPS 140-3
hideTesting
ETSI EN 303-645
leaf
ETSI TS 103-701
leafTesting
NIST 8259A
leafTesting
SESIP
hideintro
Runtime Defence & Monitoring
leaf
Vulnerability Disclosure Program
hide
Vulnerability Response
Attributes
NameValue
Microsoft SDLPractice #12
leaf
Communication Protocol Upgrades
Attributes
NameValue
IoTSF SAF2.4.7.20
hideHW_Arch
Secure Update
leaf
Replacement where update not possible
Attributes
NameValue
IoTSF SAF2.4.5.22
leaf
Secure Debug
hide
Attack Recovery
leaf
Return to known good state
Attributes
NameValue
IoTSF SAF2.4.8.17
leafHW_Arch
Tamper Detection
Attributes
NameValue
IoTSF SAF2.4.4.11
leafHW_Arch
Watchdog Timer
Attributes
NameValue
IoTSF SAF2.4.4.15
hideintro
Secure Disposal/Transfer of Ownership
Attributes
NameValue
IoTSF SAF2.4.16
hide
Deletion of sensitve data
Attributes
NameValue
IoTSF SAF2.4.5.35
IoTSF SAF2.4.12.11
leaf
Manufacturer procedure documentation
Attributes
NameValue
IoTSF SAF2.4.16.1-2
leaf
GDPR
leaf
Keys & Certificates
leaf
Financial
leafTesting
Reverse engineering prevention
Attributes
NameValue
IoTSF SAF2.4.4.8
IoTSF SAF2.4.4.13
IoTSF SAF2.4.16.3
leaf
Decommission/Recommission process
Attributes
NameValue
IoTSF SAF2.4.16.4
hide
Secure device registration
Attributes
NameValue
IoTSF SAF2.4.16.5
leaf
User identity protection
Attributes
NameValue
IoTSF SAF2.4.16.6
leaf
Previous user data/settings erased
Attributes
NameValue
IoTSF SAF2.4.16.7
leaf
Unauthorised reuse