Our Goals for the "Internet of Things"

FOCUS effort towards crowd-funded, small commercial and bootstrapped vendors
BUILD partnerships and goodwill between IoT vendors and the security community
COORDINATE efforts to incentivize security researchers for reporting vulnerabilities
CURATE informational resources to help educate vendors on security best practices
PRESENT research at relevant events and be a point of contact for press inquiries

Vendors Participating With BuildItSecure.ly

Pinoccio

Pinoccio is a complete toolkit for building the Internet of Things. Makers, Software Developers, and Product Designers can use the tiny microcontroller to quickly prototype ideas. It has mesh networking and wireless web connectivity baked right in. Pair that with the REST API and web app, and you have an end-to-end system that works right out of the box.
Dropcam

Dropcam is a cloud-based video monitoring service with free live HD streaming, two-way talk and mobile apps that makes it easy to stay connected to places, people and pets, no matter where you are. Featuring automatic updates, stream sharing, location awareness and optional Cloud Recording, Dropcam has redefined home monitoring and do-it-yourself security.
Zendo

Zendo is a South Florida-based technology company that creates, designs, and manufactures simple devices for custom home monitoring and control, as well as best-in-class apps and services. Zendo products will be available at leading retailers worldwide in 2015.
DipJar

DipJar is the first-ever tip jar and donation box for credit and debit cards, a hardware/software solution for one-step collection and seamless disbursement of electronic gratuities.
Belkin

From wireless home networking and entertainment, to mobile accessories, energy management, and an extensive range of cables, Belkin products enhance the technology that connects us to the people, activities and experiences we love...
Wink

With Wink, building a smart home using devices from your favorite brands is easier than ever. Before you know it, your home will be doing things you never thought possible with simple controls to monitor and manage devices.
ITUS Networks

ITUS Networks is a security company based in Silicon Valley that makes a small form factor network appliance to protect homes and small businesses from cyber attacks. Our powerful yet affordable network security appliances protect a wide variety of internet enabled devices from exploits, malware, and other nasty things online.

We've Partnered With Bugcrowd!

Bugcrowd
Vendors of "Things"
Be connected with well-regarded security researchers
Gain crucial insight about your device's security
Coordinate the disclosure of bugs reported to you
Show consumers that you take security seriously
Participate for free and reward researchers who help
Security Researchers
Get access to pre-production hardware to assess
Work on fun and important security research projects
Have a direct path to work with vendors who care
Stop worrying about legal threats for doing research
Potentially receive rewards for the bugs you find

Featured Security Researchers

Mark Stanislav (Rapid7)
Zach Lanier (Accuvant LABS)
Stephan Chenette (AttackIQ)
Cesar Cerrudo (IOActive)
Andy Davis (NCC Group)
Stephen A. Ridley (Xipiter)
Chris Czub (Duo Security)
Brian Knopf (BRK Security)
Amir Etemadieh (Accuvant LABS)

Building an IoT Device and Don't Know Where to Start?

Presentation Slide Decks
Internet of Things
The Internet of Things: We've Got to Chat (Mark Stanislav & Zach Lanier)
This presentation will examine some of the recent failures of IoT security, engineering challenges facing entrepreneurs, and a look at the IoT security researcher quandary. Details will be given about a new effort to help all parties involved proceed with the IoT in a safer, more successful manner. Whether you're a security researcher, software engineer, or product designer, this presentation will represent the thoughtful look at the state of IoT security we desperately need.

Securing the Internet of Things (Paul Fremantle)
This deck addresses a number of aspects of security for IoT devices and applications and also looks at using federated identity for IoT including MQTT.

Web Application Security
Putting Web Security Issues to REST (Adam Goodman)
This session will cover some common classes of mistakes in developing and using secure web APIs, and show how reinventing the wheel can sometimes be dangerous. Along the way, we'll cover problems with authentication and authorization, information leakage, and (im)proper uses of transport-layer security, among others.

Evolution of Web Security (Chris Shiflett)
An overview of well-known exploitation methods (XSS, CSRF, etc.) combined with insight into how web technologies can be defeated. Discussion of some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience will also be provided.

Web App Security - OWASP Top 10 2013 (Driss Amri)
A quick overview about the OWASP Top 10 (2013 Edition) including examples of how many of the threats work and what to do about them.

Mobile Application Security
Common Security Pitfalls in Android Applications (Aditya Gupta)
Identifying common failures of security when building Android applications. Content includes discussion on information leakage, insecure data storage, WebView security, SQL injection, and more.

Secure Development On iOS (David Thiel)
Advice for developers and penetration testers across functional areas of iOS security including Objective-C basics, security-related APIs, UDIDs, and common attack scenarios.

Technical Guidance and Standards Documents
Internet of Things
Security Guidance for Early Adopters of the Internet of Things
This document provides guidance for the secure implementation of Internet of Things-based systems. We have provided the guidance in this document to aid implementers of the IoT in deploying and using IoT in a secure manner. Traditional enterprise security solutions do not sufficiently address the security needs of the IoT as the IoT introduces new challenges.

An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing, and testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle.

Careful Connections: Building Security in the Internet of Things
Businesses and law enforcers have a shared interest in ensuring that consumers’ expectations about the security of these new products are met. Like any other industry in its infancy, the Internet of Things must prove itself worthy of consumer confidence. Is your company taking reasonable steps to protect consumers’ devices from hackers, snoops, and thieves?

OWASP Internet of Things Top Ten Project
The OWASP Internet of Things (IoT) Top 10 is a project designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

Cloud Security
Amazon Web Services, Security Best Practices
This white paper provides security best practices that will help you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organization so you can protect your data and assets in the AWS Cloud.

Network Security
SSL/TLS Deployment Best Practices
Our aim here is to provide clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to deploy a secure site or web application. In pursuit of clarity, we sacrifice completeness, foregoing certain advanced topics.

Serial Hook-ups: A Comparative Usability Study of Secure Device Pairing Methods
In this paper, we present results of the first comprehensive and comparative study of eleven notable secure device pairing methods. We present overall results and identify problematic methods for certain classes of users as well as methods best-suited for various device configurations.

Mobile Application Security
Mobile Application Integrity Protection Handbook
Provides key insights from security experts on a new generation of mobile attacks as well as risk mitigation strategies to support secure mobile app development and defend against integrity risks and attacks.

Best Practices for Android Security
Android has security features built into the operating system that significantly reduce the frequency and impact of application security issues. Following these practices as general coding habits will reduce the likelihood of inadvertently introducing security issues that adversely affect your users.

iOS Security Guide
This document provides details about how security technology and features are implemented within the iOS platform. It will also help organizations combine iOS platform security technology and features with their own policies and procedures to meet their specific security needs.

Security Guidance for Critical Areas of Focus in Cloud Computing
This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

Operating System Security
NixOS: A Purely Functional Linux Distribution
In this paper we show that we can overcome these problems by moving to a purely functional system configuration model. We have implemented this model in NixOS, a non-trivial Linux distribution that uses the Nix package manager to build the entire system configuration from a purely functional specification.

Unikernels: Library Operating Systems for the Cloud
We present unikernels, a new approach to deploying cloud services via applications written in high-level source code. Unikernels are single-purpose appliances that are compile-time specialised into standalone kernels, and sealed against modification when deployed to a cloud platform.

Industry Standards
ISO/IEC 30111:2013
Guidelines for how to process and resolve potential vulnerability information in a product or online service. Applicable to vendors involved in handling vulnerabilities.

ISO/IEC 29147:2014
Guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure.

Strategic Partners & Supporters

Duo Security
Postscapes
OWASP IoT
I am the Cavalry
0patch
Center for REALTOR Technology

Let's Do This Together... Get Involved!

We're just getting started and are still looking for vendors, researchers, content creators, and partners to get involved with our effort to enhance security for the "Internet of Things". BuildItSecure.ly wants to grow slowly to ensure we build upon a strong basis that will benefit both vendors and security researchers.
Vendors
If you're a small vendor creating an IoT platform or product, we'd love to discuss our vision and how we might be able to help your team bring your technology to market. If security is a top concern but you don't have the cash to pay consultants, we might be able to help.

Researchers
Do you value coordinated disclosure and want to help vendors learn to be better at information security? Have a professional background in embedded, mobile, and/or network security? Reach out and we can determine if you're the right fit for the goals of our effort.
Content Contributors
Making security easy to understand is a key piece of education. If you have graphic design skills and a knack for information security, we'd love to discuss what you may be able to provide for content that will increase the value of the site for visitors. We're not just here to curate content, we're also here to create it.

Partners & Supporters
We can't do this alone and need organizations who want to help make this initiative succeed. Whether you can help with public relations, get our participants access to conference speaking opportunities, or help us make the initiative succeed in a way we haven't thought of yet, we'd love to talk.