Devices should update their own firmware upon a predefined schedule.
CIS Controls. 3.4 Deploy Automated Operating System Patch Management Tools: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition: The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
OWASP Top 10 A6:2017-Security Misconfiguration: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
OWASP Top 10 A9:2017-Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.20): Verify that the firmware update process is not vulnerable to time-of-check vs time-of-use attacks.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.24): Verify that firmware can perform automatic firmware updates upon a predefined schedule.
OWASP-ASVS v4.0.1 V1.11 Business Logic Architectural Requirements.(1.11.3): Verify that all high-value business logic flows, including authentication, session management and access control, are thread safe and resistant to time-of-check and time-of-use race conditions.
OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.6): Verify the application does not suffer from "time of check to time of use" (TOCTOU) issues or other race conditions for sensitive operations.