This is an excellent list from SANS documenting key security improvements for smart devices that fall under the umbrella of Internet of Things (IoT) standards.

This year shapes up to become the year that IoT exploits started to become “mainstream news.” Mirai, car hacking, and ubiquitous router exploits are now being discussed outside security conferences. One question that comes up from time to time is what a “minimum standard” could look like for IoT security. Today, default passwords and basic web application security flaws are the number one issue. But we all know that as one vulnerability is being patched, two more are discovered. So what should we ask our vendors?

1 – For how long, after I purchase a device, should I expect security updates? — If we know that the devices we buy today are vulnerable, then we should expect the vendor to deliver patches. There is always a chance that a vulnerability will not be software patchable.

2 – How will I learn about security updates? — I prefer some form of an e-mail message. At the very least, a web page that allows me to check what the latest firmware version is of a device.

3 – Can you share a pentest report for your device? — A pentest report may also tell me if you have some form of software security program.

4 – How can I report vulnerabilities? — But others will, and they need to be able to report these vulnerabilities. A bug bounty is great, but an easy-to-find web page with instructions on reporting vulnerabilities will do.

5 – If you use encryption, then disclose what algorithms you use and how it is implemented — I want to get some assurance that you considered encryption an important enough issue to document what you are doing and how you are implementing it.
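Item 2 asks for a way to learn which firmware version is current. On the consumer side that only helps if someone actually compares it against what is deployed. The script below is an added example written for this summary; it is not code from SANS or from any vendor. It assumes a hypothetical vendor-published JSON manifest (the field names `products`, `model`, `latest_firmware` are invented for the example) and a constructed inventory of devices, so it runs offline. The version comparison is numeric, which matters because a string comparison would wrongly rank 2.9 above 2.10, and a pre-release build (`1.4.0-beta`) is treated as behind the final `1.4.0`. Devices whose model is absent from the manifest are reported rather than silently skipped, since "no published version" is itself a finding about the vendor.

```python
"""Added example (not part of the SANS list): report IoT devices whose installed
firmware is behind the vendor's latest published version.

Assumptions (hypothetical, not from the original page): the vendor publishes a
JSON manifest listing products and their latest firmware version; the field
names are made up for this example. The manifest and inventory below are
constructed samples so the script runs offline; a real deployment would fetch
the manifest over HTTPS and feed it to the same parse/compare logic.
"""
import json
import re
from typing import List, Tuple

# Constructed sample of a vendor-published manifest (fictional product names).
SAMPLE_MANIFEST = json.dumps({
    "products": [
        {"model": "cam-200", "latest_firmware": "2.10.1", "released": "2016-11-01"},
        {"model": "gw-10",   "latest_firmware": "1.4.0",  "released": "2016-09-15"},
    ]
})

# Constructed inventory of what is deployed on the local network (RFC 5737 test addresses).
SAMPLE_INVENTORY = [
    {"host": "192.0.2.10", "model": "cam-200",   "firmware": "2.9.3"},
    {"host": "192.0.2.11", "model": "cam-200",   "firmware": "2.10.1"},
    {"host": "192.0.2.20", "model": "gw-10",     "firmware": "1.4.0-beta"},
    {"host": "192.0.2.21", "model": "unknown-x", "firmware": "0.1"},
]


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.10.1-beta' into ((2, 10, 1), 'beta').

    Components are compared as integers so that 2.10 sorts after 2.9; a plain
    string comparison would get this wrong. The optional suffix marks a
    pre-release build.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (m.group(2) or "")


def is_behind(installed: str, latest: str) -> bool:
    """True if the installed version is older than the vendor's latest."""
    inst_nums, inst_pre = parse_version(installed)
    lat_nums, lat_pre = parse_version(latest)
    # Pad with zeros so that 1.4 and 1.4.0 compare equal.
    width = max(len(inst_nums), len(lat_nums))
    inst_nums += (0,) * (width - len(inst_nums))
    lat_nums += (0,) * (width - len(lat_nums))
    if inst_nums != lat_nums:
        return inst_nums < lat_nums
    # Same numeric version: a pre-release build is behind the final release.
    return bool(inst_pre) and not lat_pre


def outdated_devices(manifest_json: str, inventory: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (host, model, installed, latest) for every device that needs attention.

    Devices whose model does not appear in the manifest are reported with
    latest='UNKNOWN' so that a vendor publishing nothing is not mistaken for
    a device being up to date.
    """
    latest_by_model = {p["model"]: p["latest_firmware"]
                       for p in json.loads(manifest_json)["products"]}
    findings = []
    for dev in inventory:
        latest = latest_by_model.get(dev["model"])
        if latest is None:
            findings.append((dev["host"], dev["model"], dev["firmware"], "UNKNOWN"))
        elif is_behind(dev["firmware"], latest):
            findings.append((dev["host"], dev["model"], dev["firmware"], latest))
    return findings


if __name__ == "__main__":
    for host, model, installed, latest in outdated_devices(SAMPLE_MANIFEST, SAMPLE_INVENTORY):
        print(f"{host} ({model}): installed {installed}, latest {latest}")
```

With the constructed data the script flags three of the four devices: the camera on 2.9.3, the gateway still running a beta build, and the device whose model the vendor does not list at all. Running a check like this on a schedule, against a manifest the vendor actually maintains, is the practical form of the "how will I learn about updates" question.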