In this talk I will present research on the security of the development process, presenting and motivating best practices for developers.
Since plenty of IoT server projects have recently been onboarded at both the Eclipse Foundation and the Apache Software Foundation, it is worth checking how these projects follow best practices.
I will present tools, among others, to verify that dependencies are handled securely, or to discover dependencies with known vulnerabilities.
These tools were used to look into various IoT projects, and selected results will be shown: surprisingly ineffective ways of verifying the authenticity of artefacts, use of outdated dependencies, and prominent but not state-of-the-art-secured repositories.
I will demo a live attack on an IoT project developer and present some observations from working with communities to fix the issues found.