Our Goals for the "Internet of Things"

FOCUS effort towards crowd-funded, small commercial and bootstrapped vendors
BUILD partnerships and goodwill between IoT vendors and the security community
COORDINATE efforts to incentivize security researchers for reporting vulnerabilities
CURATE informational resources to help educate vendors on security best practices
PRESENT research at relevant events and be a point of contact for press inquiries

Vendors Participating With BuildItSecure.ly


Pinoccio is a complete toolkit for building the Internet of Things. Makers, Software Developers, and Product Designers can use the tiny microcontroller to quickly prototype ideas. It has mesh networking and wireless web connectivity baked right in. Pair that with the REST API and web app, and you have an end-to-end system that works right out of the box.

Dropcam is a cloud-based video monitoring service with free live HD streaming, two-way talk and mobile apps that makes it easy to stay connected to places, people and pets, no matter where you are. Featuring automatic updates, stream sharing, location awareness and optional Cloud Recording, Dropcam has redefined home monitoring and do-it-yourself security.

We've Partnered With Bugcrowd!

Vendors of "Things"
Be connected with regarded security researchers
Gain crucial insight about your device's security
Coordinate the disclosure of bugs reported to you
Show consumers that you take security seriously
Participate for free and reward researchers who help
Security Researchers
Get access to pre-production hardware to assess
Work on fun and important security research projects
Have a direct path to work with vendors who care
Stop worrying about legal threats for doing research
Potentially receive rewards for the bugs you find

Featured Security Researchers

Mark Stanislav
Mark Stanislav
Duo Security
Zach Lanier
Zach Lanier
Duo Security
Stephan Chenette
Stephan Chenette
Cesar Cerrudo
Cesar Cerrudo
Andy Davis
Andy Davis
NCC Group
Stephen A. Ridley
Stephen A. Ridley

Building an IoT Device and Don't Know Where to Start?

Presentation Slide Decks
Internet of Things
The Internet of Things: We've Got to Chat (Mark Stanislav & Zach Lanier)
This presentation will examine some of the recent failures of IoT security, engineering challenges facing entrepreneurs, and a look at the IoT security researcher quandary. Details will be given about a new effort to help all parties involved proceed with the IoT in a safer, more successful manner. Whether you're a security researcher, software engineer, or product designer, this presentation will represent the thoughtful look at the state of IoT security we desperately need.

Securing the Internet of Things (Paul Fremantle)
This deck addresses a number of aspects of security for IoT devices and applications and also looks at using federated identity for IoT including MQTT.

Web Application Security
Putting Web Security Issues to REST (Adam Goodman)
This session will cover some common classes of mistakes in developing and using secure web APIs, and show how reinventing the wheel can sometimes be dangerous. Along the way, we'll cover problems with authentication and authorization, information leakage, and (im)proper uses of transport-layer security, among others.

Evolution of Web Security (Chris Shiflett)
An overview of well-known exploitation methods (XSS, CSRF, etc.) combined with insight into how web technologies can be defeated. Discussion of some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience will also be provided.

Web App Security - OWASP Top 10 2013 (Driss Amri)
A quick overview about the OWASP Top 10 (2013 Edition) including examples of how many of the threats work and what to do about them.

Mobile Application Security
Common Security Pitfalls in Android Applications (Aditya Gupta)
Identifying common failures of security when building Android applications. Content includes discussion on information leakage, insecure data storage, WebView security, SQL injection, and more.

Secure Development On iOS (David Thiel)
Advice for developers and penetration testers across functional areas of iOS security including Objective-C basics, security-related APIs, UDIDs, and common attack scenarios.

Technical Guidance and Standards Documents
Internet of Things
An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and, testing Internet of things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle.

Cloud Security
Amazon Web Services, Security Best Practices
This white paper provides security best practices that will help you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organization so you can protect your data and assets in the AWS Cloud.

Network Security
SSL/TLS Deployment Best Practices
Our aim here is to provide clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to deploy a secure site or web application. In pursuit of clarity, we sacrifice completeness, foregoing certain advanced topics.

Let’s Encrypt Available at SiteGround
SiteGround web hosting is one of the first major hosts to offer Let’s Encrypt SSL certificates to their customers. Let's Encrypt is a free, automated, and open certificate authority (CA) that issues domain-validated security certificates.

Mobile Application Security
Mobile Application Integrity Protection Handbook
Provides key insights from security experts on a new generation of mobile attacks as well as risk mitigation strategies to support secure mobile app development and defend against integrity risks and attacks.

Best Practices for Android Security
Android has security features built into the operating system that significantly reduce the frequency and impact of application security issues. Following these practices as general coding habits will reduce the likelihood of inadvertently introducing security issues that adversely affect your users.

iOS Security Guide
This document provides details about how security technology and features are implemented within the iOS platform. It will also help organizations combine iOS platform security technology and features with their own policies and procedures to meet their specific security needs.

Security Guidance for Critical Areas of Focus in Cloud Computing
This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

Industry Standards
ISO/IEC 30111:2013
Guidelines for how to process and resolve potential vulnerability information in a product or online service. Applicable to vendors involved in handling vulnerabilities.

ISO/IEC 29147:2014
Guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure.

Strategic Partners & Supporters

Duo Security
I am the Cavalry

NCC Group

Let's Do This Together... Get Involved!

We're just getting started and are still looking for vendors, researchers, content creators, and partners to get involved with our effort to enhance security for the "Internet of Things". BuildItSecure.ly wants to grow slowly to ensure we build upon a strong basis that will benefit both vendors and security researchers.
If you're a small vendor creating an IoT platform or product, we'd love to discuss more about our vision and how we might be able to help your team go to market your technology. If security is a top concern but you don't have the cash to pay consultants, we might be able to help.

Do you value coordinated disclosure and want to help vendors learn to be better at information security? Have a professional background in embedded, mobile, and/or network security? Reach out and we can determine if you're the right fit for the goals of our effort.
Content Contributors
Making security easy to understand is a key piece of education. If you have graphic design skills and a knack for information security, we'd love to discuss what you may be able to provide for content that will increase the value of the site for visitors. We're not just here to curate content, we're also here to create it.

Partners & Supporters
We can't do this alone and need organizations who want to help make this initiative succeed. Whether you can help with public relations, get our participants access to conference speaking opportunities, or help us make the initiative succeed in a way we haven't thought of yet, we'd love to talk.