This should probably be done on a per port basis right? Authentication schemes for validating an endpoint for HTTPS and MQTT are pretty mature. Banning all other port connections for IoT devices and requiring the device to validate its endpoints using a PKI mechanism seems pretty reasonable to achieve the security classification without making an unreasonable ask on businesses. Devices that would have to connect to arbitrary endpoints kind of fall outside of IoT in my opinion. Further guidelines could be put out for other ports and protocols, but those two would probably cover the vast majority of IoT use cases.
I guess the only issue is the concern that if a vulnerability is discovered, the device could be made to make requests to another endpoint. Perhaps it would make more sense for endpoints to be hard coded if you don't want to have to provide OTA updates? That could be more secure in the long run for a lot of applications than having a mechanism that allows you to remotely overwrite firmware.
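As an added illustration of the policy the comment sketches (not the commenter's code): an egress gate that only permits HTTPS on 443 and MQTT over TLS on 8883, only to endpoints fixed at build time, with each connection verified against a pinned CA. The hostnames are constructed placeholders under `.invalid`.

```python
"""Egress policy for an IoT device: only HTTPS (443) and MQTT over TLS (8883)
to endpoints fixed at build time, each verified against a pinned CA."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical endpoints: the only destinations this device may reach.
ALLOWED_ENDPOINTS = {
    ("api.example-iot.invalid", 443): "https",
    ("broker.example-iot.invalid", 8883): "mqtts",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    protocol: str   # "https", "mqtts", or "" when denied
    reason: str


def decide_egress(host: str, port: int) -> Decision:
    """Per-port, per-endpoint check. Anything not in the hardcoded table is
    refused, so a compromised application layer cannot redirect traffic to
    an arbitrary server even if it controls the hostname it asks for."""
    host = host.strip().lower().rstrip(".")
    if port not in (443, 8883):
        return Decision(False, "", f"port {port} not permitted for this device")
    proto = ALLOWED_ENDPOINTS.get((host, port))
    if proto is None:
        return Decision(False, "", f"{host}:{port} is not a configured endpoint")
    return Decision(True, proto, "configured endpoint")


def build_tls_context(pinned_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context that trusts only the pinned CA (when supplied) and
    always enforces hostname verification against the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if pinned_ca_pem is not None:
        ctx.load_verify_locations(cadata=pinned_ca_pem)  # trust store is only the device CA
    return ctx


def connect_allowed(host: str, port: int, pinned_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Gate a connection behind the policy: returns a context to wrap the socket
    with, or raises PermissionError when the destination is not configured."""
    decision = decide_egress(host, port)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return build_tls_context(pinned_ca_pem)
```

Plain MQTT on 1883 is refused even to the configured broker, which is the per-port half of the proposal; the hostname table is the hardcoded-endpoint half.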