Automatic translation from Russian to English. It may contain inaccuracies.

Some write TSD, others write threat modeling manuals, but the guys from Pentest Partners…

July 31, 2025 at 8:08 PM, "Max Knyazev is typing…" (Telegram mirror)

Some write technical specifications, others write threat modeling manuals, but the folks at Pentest Partners rolled out a guide (back in 2023) that collects everything anyone involved in developing IoT devices should know: not only the security specialist, but also the manager, the engineer, and the analyst. In essence, it is a complete plan for building a secure IoT device from scratch. 👍

The guide logically begins with threat modeling, and, oddly enough, this is the most important part: if at this stage you did not consider that you would have BLE without authentication, or that an attacker would attach a logic analyzer to the UART, there is no point reading further. It covers STRIDE, DREAD, risk matrices, and tips on how to live with them in real development 🤓

The authors then carefully guide the reader through the entire development cycle: from choosing a microcontroller (yes, they even mention counterfeit STM32s) to cloud CI/CD and storing secrets in Azure Key Vault. Special attention is paid to interfaces: Wi-Fi, BLE, USB, UART, JTAG, how each can be compromised, what to do about it, and when it is better to drop them altogether 🧐

I especially liked that the guide contains no magical solutions in the spirit of "just use TLS and everything will be fine." They write very honestly that TLS is not always applicable (for example, in the case of BLE), and that "Just Works" pairing is not about security, but about laziness 🧠

And, of course, what makes it captivating is that this is a guide with plenty of practical examples, links, diagrams, and stories from real life. There is a lot to read and see 🧐

Who will benefit from it? Everyone who has ever touched an IoT project. Developers with a soldering iron and Visual Studio Code in hand. Managers who want to avoid losing money after going to market. Security people, so they do not end up hunting for vulnerabilities in a device with every port left open 🤌

This is what you would call a must-read, especially if you want to make devices that are not just "smart" but also secure. It works like a checklist at the design stage. In capable hands, it saves time, nerves, and budget 💯

#internet_things
#information_security