blog.nvisium.com/2015/05/implementing-coap-secure-way-part-i.html

The Constrained Application Protocol (CoAP) is a RESTful protocol that shares many similarities with HTTP but also differs from it in significant ways. It is a lightweight protocol designed for Machine-to-Machine (M2M) communications within Internet of Things (IoT) applications, with a compact format suitable for constrained devices and lossy networks. It's used in IoT apps and devices, including smart lightbulbs, building automation systems, radiation detectors, and automobiles. It can be used to send and receive sensor updates, and it can also be used to push firmware updates to devices. CoAP is deployed in many ways, and different architectures change the security boundaries and attack surface. Many implementations of the protocol interpret the RFCs in their own way, leading to some potentially unexpected or undesired behavior.

In this two-part series, we will cover the fundamentals of CoAP, popular technologies and frameworks, and security lessons for software engineers and security testers.

