Emerging Internet of Things (IoT) devices have introduced many useful applications that are used in our daily lives, scientific research, and military operations. In these applications, secure over-the-air programming of IoT devices is vital, as the devices can be re-programmed by hackers and the firmware can be stolen by eavesdropping on a live firmware distribution operation. Nonetheless, as most IoT devices have limited computational resources (e.g., memory, CPU, storage), over-the-air programming of IoT devices necessitates efficient utilization of those resources. In this work, to address these concerns and provide a more efficient and secure code-dissemination process, we introduce a novel secure over-the-air programming framework called SOTA, which is designed as an open-source framework and is available to the research and developer communities. SOTA provides confidentiality, integrity, and authentication to resource-limited IoT devices in order to protect the firmware from adversaries. Furthermore, we perform extensive performance evaluations on real resource-limited IoT devices with Atmel-based microcontrollers. The evaluations revealed that SOTA has minimal performance and memory overhead on the IoT devices. SOTA is a promising solution for providing a secure over-the-air code dissemination protocol to resource-limited IoT devices in both military and civilian settings.