Designing secure IoT systems for resource-constrained embedded systems is a challenge, not because of the limited resources available, but because security needs to be considered from an end-to-end perspective. This means planning for: - A secure boot and firmware update process - The secure flow of data through the system - How do I know the data is trustworthy and hasn't been tampered with? - How do I know that this comes from the device it claims to? - How can I limit visibility of sensitive data? - Reliable device authentication - Secret management - Secure connectivity to public/private cloud servers Embedded developers can no longer limit themselves to one specific silo, and need to have basic skills and an understanding of the entire end-to-end, boot-to-cloud and security landscape to make the right design choices to produce a minimally secure system. This presentation tries to lay down some of those key requirements and design choices, and makes suggestions about best practices to follow based on open source software and open standards. This includes generating device-bound, storage-free private keys and UUIDs, mutual TLS, how to encode and transmit data securely and reliably, and bootstrap and X.509 certificate management requirements.