AgentSkillsCN

owasp-iot-top-10

OWASP Kubernetes Top 10 security risks: focused on securing, detecting and remediating issues in Kubernetes clusters and workloads. Use when designing or reviewing K8s workloads and clusters, covering workload configuration, supply-chain security, RBAC access control, policy enforcement, logging, authentication, network segmentation, secrets management, cluster component hardening, and governance of vulnerable components.

SKILL.md
---
name: owasp-iot-top-10
description: "OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy."
---

# OWASP IoT Top 10

This skill encodes the OWASP IoT Top 10 (2018 edition) for secure IoT device and ecosystem design and review. The reference for each risk is loaded on demand, per risk.

## When to Read Which Reference

| Risk | Read |
|------|------|
| I1 Weak, Guessable, or Hardcoded Passwords | references/i1-weak-passwords.md |
| I2 Insecure Network Services | references/i2-insecure-network-services.md |
| I3 Insecure Ecosystem Interfaces | references/i3-insecure-ecosystem-interfaces.md |
| I4 Lack of Secure Update Mechanism | references/i4-secure-update-mechanism.md |
| I5 Using Insecure or Outdated Components | references/i5-outdated-components.md |
| I6 Insecure Data Transfer and Storage | references/i6-insecure-data-transfer-storage.md |
| I7 Absence of Device Management | references/i7-device-management.md |
| I8 Insecure Default Settings | references/i8-insecure-default-settings.md |
| I9 Lack of Physical Hardening | references/i9-physical-hardening.md |
| I10 Insufficient Privacy Protection | references/i10-privacy-protection.md |

## Quick Patterns

- Eliminate default/hardcoded passwords; deliver updates only through a signed, verified update mechanism; minimize exposed network services.
- Encrypt data in transit and at rest; support the full device lifecycle, including decommissioning.
- Harden the device physically and protect user privacy.

## Quick Reference / Examples

| Task | Approach |
|------|----------|
| Eliminate default passwords | Force password change on first use; generate unique per-device credentials. See I1. |
| Secure updates | Sign firmware, verify before install, support rollback. See I4. |
| Minimize attack surface | Disable unused services, close unnecessary ports. See I2. |
| Encrypt data | TLS for transit, AES for storage, secure key storage. See I6. |
| Physical hardening | Disable debug interfaces (JTAG/UART), tamper detection. See I9. |

Safe - firmware signature verification (C, using libsodium's Ed25519 API):

```c
#include <stdbool.h>
#include <stdint.h>
#include <sodium.h>  // libsodium: crypto_sign_verify_detached() is Ed25519
extern const unsigned char VENDOR_PUBLIC_KEY[crypto_sign_PUBLICKEYBYTES];  // baked into the image at build time

bool verify_firmware(const uint8_t *firmware, size_t len, const uint8_t *signature) {
    // Verify the 64-byte detached Ed25519 signature over the whole image with the embedded public key
    return crypto_sign_verify_detached(signature, firmware, len, VENDOR_PUBLIC_KEY) == 0;
}
// Only install if verify_firmware() returns true
```

Unsafe - no update verification:

```c
#include <stdint.h>

// flash_write() is the device's own flash driver (not shown)
void install_firmware(uint8_t *firmware) {
    flash_write(firmware);  // No signature check - accepts malicious updates
}
```
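The two C snippets above show the signature check in isolation. The following Python model, added here as an example and not part of the skill's references, walks through the full verify-before-install flow the I4 row describes: parse the update package, authenticate the signed manifest, check the image digest against it, refuse downgrades, and only then write the inactive A/B slot, with a fallback if the new image fails to boot. The package layout, `VENDOR_KEY`, `Device`, `build_update` and the use of HMAC-SHA256 as a stand-in for the Ed25519 signature (so the example runs offline with the standard library) are assumptions of this example; a real device verifies with an asymmetric public key and never holds a signing secret.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key. A real device stores only an asymmetric PUBLIC key
# (e.g. Ed25519) in ROM; HMAC is used here only so the example runs offline.
VENDOR_KEY = b"constructed-vendor-key-demo-only"
MAGIC = b"FWUP"
SIG_LEN = 32


def build_update(version: int, image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor build server: wrap an image in a signed manifest.

    Package layout: MAGIC | manifest_len (u32 BE) | manifest (JSON) | sig | image
    """
    manifest = json.dumps(
        {"version": version, "size": len(image),
         "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    sig = hmac.new(key, manifest, hashlib.sha256).digest()
    return MAGIC + struct.pack(">I", len(manifest)) + manifest + sig + image


class UpdateRejected(Exception):
    """Raised before any flash write when a package fails verification."""


class Device:
    """A/B-slot device that verifies the whole package before touching flash."""

    def __init__(self, key: bytes = VENDOR_KEY):
        self.key = key
        self.slots = {"A": b"factory-image", "B": b""}   # flash contents per slot
        self.versions = {"A": 1, "B": 0}                  # installed version per slot
        self.active = "A"
        self.previous = "A"

    @property
    def installed_version(self) -> int:
        return self.versions[self.active]

    def verify(self, blob: bytes) -> tuple[int, bytes]:
        """Return (version, image) for a valid package, else raise UpdateRejected."""
        if len(blob) < 8 or blob[:4] != MAGIC:
            raise UpdateRejected("bad header")
        (mlen,) = struct.unpack(">I", blob[4:8])
        manifest = blob[8:8 + mlen]
        sig = blob[8 + mlen:8 + mlen + SIG_LEN]
        image = blob[8 + mlen + SIG_LEN:]
        if len(manifest) != mlen or len(sig) != SIG_LEN:
            raise UpdateRejected("truncated package")
        # 1. Authenticity: the manifest must carry a valid signature (constant-time compare).
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise UpdateRejected("manifest signature invalid")
        meta = json.loads(manifest)
        # 2. Integrity: the image must match the signed size and digest.
        if (meta["size"] != len(image)
                or hashlib.sha256(image).hexdigest() != meta["sha256"]):
            raise UpdateRejected("image does not match signed manifest")
        # 3. Anti-rollback: never downgrade to a version whose bugs are already fixed.
        if meta["version"] <= self.installed_version:
            raise UpdateRejected("version not newer than installed")
        return meta["version"], image

    def install(self, blob: bytes) -> str:
        """Write the inactive slot only after verify() has accepted the package."""
        version, image = self.verify(blob)
        target = "B" if self.active == "A" else "A"
        self.slots[target] = image          # flash_write() stand-in
        self.versions[target] = version
        self.previous, self.active = self.active, target   # switch boot slot
        return target

    def boot_failed(self) -> str:
        """Watchdog path: the new image did not boot, so fall back to the previous slot."""
        self.active = self.previous
        return self.active


def try_install(device: Device, blob: bytes) -> str:
    """Report the outcome of an install attempt as a string."""
    try:
        return "installed:" + device.install(blob)
    except UpdateRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    dev = Device()
    print(try_install(dev, build_update(2, b"image-v2")))               # installed:B
    print(try_install(dev, build_update(3, b"evil", key=b"attacker")))  # rejected:manifest signature invalid
    print(try_install(dev, build_update(1, b"image-v1")))               # rejected:version not newer than installed
```

The order of the checks matters: nothing is written until authenticity, integrity and version have all passed, so a tampered or downgraded package leaves the active slot untouched, and a bad image that passes verification but fails to boot is handled by the watchdog path rather than by bricking the device.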

Unique per-device credentials (manufacturing):

```python
import secrets

# During manufacturing, generate and store unique credentials
# store_in_secure_element() is the device's own provisioning API (not defined here)
device_password = secrets.token_urlsafe(16)
store_in_secure_element(device_id, device_password)
```
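The manufacturing snippet generates the password but leaves out what happens to it afterwards. The following Python example, added here and not part of the skill, models the rest of the I1 approach from the quick-reference table: a unique per-device password minted at provisioning, stored only as a salted PBKDF2 hash, and a forced change on first login. `CredentialStore`, `provision`, `login`, `change_password`, the iteration count and the in-memory dictionary standing in for a secure element are all constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; raise it on capable hardware
MIN_PASSWORD_LEN = 12


class CredentialStore:
    """In-memory stand-in for a secure element / protected NV store (constructed)."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    @staticmethod
    def _record(password: str, must_change: bool) -> dict:
        # Fresh random salt per record so identical passwords never share a hash.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
        return {"salt": salt, "hash": digest, "must_change": must_change}

    def provision(self, device_id: str) -> str:
        """Manufacturing step: mint a unique password for this device.

        Only the salted hash is kept. The clear password goes on the device
        label/QR code and is flagged so it must be replaced on first login.
        """
        password = secrets.token_urlsafe(16)
        self._records[device_id] = self._record(password, must_change=True)
        return password

    def verify(self, device_id: str, password: str) -> bool:
        rec = self._records.get(device_id)
        if rec is None:
            # Unknown device id: still run the KDF so timing does not reveal valid ids.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, KDF_ITERATIONS)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], KDF_ITERATIONS)
        return hmac.compare_digest(candidate, rec["hash"])

    def login(self, device_id: str, password: str) -> str:
        """Return 'denied', 'must_change' (factory credential still active) or 'ok'."""
        if not self.verify(device_id, password):
            return "denied"
        return "must_change" if self._records[device_id]["must_change"] else "ok"

    def change_password(self, device_id: str, old: str, new: str) -> bool:
        """Replace the factory credential; clears the must_change flag on success."""
        if not self.verify(device_id, old):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == old:
            return False
        self._records[device_id] = self._record(new, must_change=False)
        return True


if __name__ == "__main__":
    store = CredentialStore()
    factory_pw = store.provision("dev-0001")   # printed on the label, never stored in clear
    print(store.login("dev-0001", factory_pw))  # must_change
    store.change_password("dev-0001", factory_pw, "owner-chosen-passphrase")
    print(store.login("dev-0001", "owner-chosen-passphrase"))  # ok
```

Until `change_password` succeeds, `login` only ever returns `must_change`, so any other device function that requires an authenticated session can refuse to proceed while the factory credential is still in place; that is the enforcement point the "force password change on first use" row relies on.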

## Workflow

Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.