Modernize tools, integrated ISTG ISVS, remove commercial refs, and added a SAST section #15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
…section Major updates: - Binwalk v3 Rust rewrite notes and performance guidance - EMBA SBOM generation capabilities (2024 update) - Comprehensive SBOM methodology subsection - C/C++ SAST tools (Cppcheck, Flawfinder, Clang-Tidy, CodeQL, Semgrep) - Memory corruption & command injection vulnerability focus - CVE examples spanning consumer SOHO routers to enterprise (Cisco IOS XE) Policy compliance: - Removed deprecated links (LGTM shut down 2022) - Removed all commercial tool references (IDA Pro, Binary Ninja, etc.) - Replaced with FOSS alternatives (Ghidra, Radare2, Rizin, Cutter) Cleanup: - Removed 5 unused screenshot files (0,1,2,5,6.png) - Updated U-Boot URL to current documentation site - Replaced commercial bug trackers with open platforms
Enhanced FSTM with OWASP IoT Security Verification Standard (ISVS) references to support requirements-driven firmware security assessments: - Introduction: Added ISVS context alongside ISTG in methodology overview - IoT Frameworks Section: Retitled from "Integrating FSTM with OWASP ISTG" to "Integrating FSTM with OWASP IoT Security Frameworks" - ISVS Subsection: Added comprehensive guidance on using ISVS requirements to drive FSTM testing scope - Requirements → Testing → Verification workflow diagram - Mapping table: ISVS V3/V4 requirements to FSTM stages - Security levels (L1/L2/L3) to FSTM testing depth guidance - Example requirements-driven assessment workflow - Key ISVS requirements for firmware testing (V1.1.1, V3.2.2, V3.4.1, V4.1.1, V4.2.1) - SBOM Section: Added ISVS V1.1.1 requirement reference for SBOM compliance verification ISVS complements FSTM by defining WHAT security controls must be implemented (requirements), while FSTM defines HOW to test firmware components (methodology). This integration enables compliance-driven firmware assessments with clear success criteria.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Enhanced FSTM with OWASP ISTG and ISVS references to support requirements-driven firmware security assessments:
Major updates: