TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT


Go beyond error detection to ensure safety and security

TABLE OF CONTENTS

The Three Biggest Challenges
    Ensure compliance with safety norms and standards
    Meet security requirements
    Reduce defects in complex high-risk embedded code
Embedded Development Is Different
Conclusion

Developing in-vehicle embedded applications is a safety, security, and quality challenge. Given that cars and trucks are increasingly connected to each other and to the devices around them, it's becoming harder and harder to ensure that software is functional and free from risk. Development teams, especially the managers who are ultimately responsible, face incredible challenges when building such applications, and are learning that team members need to do more than just catch code defects during verification and validation testing. The new imperative: identify and address security and compliance concerns earlier in the lifecycle, all while delivering innovative and differentiating features.

It's getting harder to write in-vehicle embedded software in today's interconnected world. Like all software development teams, automotive software development teams must focus on being innovative, meeting product requirements, and delivering on time and within budget. Unlike other software development teams, automotive teams also have to keep customers safe from harm and ensure that defects never put their companies in the news headlines.

Vehicles are becoming more complicated, with an ever-increasing number of microprocessors and networks controlling telematics systems, safety features like blind-spot sensors and night-time pedestrian alerts, and even self-parking systems and adaptive airbags. What's more, connectivity encompasses features such as cellular-based accident reporting systems and Bluetooth-enabled video screens. The list of computerized functions in newer cars would be longer than this paper, and that doesn't include smartphone apps or accessories like Global Positioning Systems or diagnostic devices.

Development teams creating software for embedded automotive systems need to ensure that their applications are defect-free; that's a given, whether it's the control system for Dynamic Stability Control, tire-pressure monitoring code, or the built-in Pandora radio app. But defect-free is not enough. Members of the team, including programmers and testers, need visibility into the code, because they may not know exactly what's happening during normal run-time, exception, and error-handling paths. Development tools should help teams create in-vehicle code that is safe and secure during the programming cycle, and validate that safety and security during testing. The tools should also help the team write code that is fully compliant with automotive industry requirements and best practices for all safety-critical applications.

Compliance, safety, and security requirements may not be familiar to new development teams moving into the embedded software field, or to experienced embedded teams who aren't used to today's hypercomplex interconnected systems. Modern software tools should actively assist throughout every step of the development lifecycle, from coding to testing, and from regular defect reports to mandated compliance audits. At the same time, tools should enhance the team's productivity, using domain knowledge to get the job done faster, with smart automation and context-aware functionality, as well as traceability to help isolate any problems that may occur.

Why is this necessary? Because, frankly, automotive and other such systems are increasingly complex, and complexity can lead to vulnerability and risk. Consider news out of Black Hat USA 2014, where security experts demonstrated their ability to penetrate vehicle networks. Chris Valasek, director of vehicle security research at IOActive, discussed the remote connectivity capabilities in vulnerable 2014 and 2015 car and SUV models: "They have cellular communications, Bluetooth communications, regular radio communications. They have an Internet app for your phone, and an app for your car. And there's a lot of cyberphysical features. The car can brake itself. There's power-assisted steering. Things like that."

With modern, advanced tools, defects and compliance issues can be detected early and remediated quickly. Without such tools, developers must learn all of the industry requirements themselves and ensure that they are coding to meet them. Some defects and issues may be caught during compilation, a debug cycle, or even during manual code reviews. There is always the risk, however, that defects and compliance issues will evade detection until late in the cycle, or slip past quality-assurance efforts entirely and be deployed into production systems.
THE THREE BIGGEST CHALLENGES

For years, automotive software teams have relied on manual testing or test tools to catch coding defects and identify issues that would affect safety and compliance. If such issues can be uncovered sooner and more effectively, development teams can accelerate the software delivery process, and also reduce risk, reduce cost, and ship safer, more secure code. The following are some of the biggest issues that, while not unique to in-vehicle systems, are certainly exacerbated by today's complexity and connectivity trends.

1. Ensure compliance with safety norms and standards.

Numerous organizations around the world issue safety standards for embedded software, and many of those apply to the automotive world. For example, MISRA, formerly known as the Motor Industry Software Reliability Association, has its own dialect of the C programming language called MISRA C, which is periodically updated to ensure the safety of code written in that language. A recent update addressed hazards in the mainline C99 language that automotive and other safety-critical development teams should avoid. Other organizations that offer guidance and rules for safety-critical applications include the Institute of Electrical and Electronics Engineers (IEEE), the International Organization for Standardization, and the U.S. Department of Transportation. In most cases, software written by automotive development teams must comply with the latest versions of many safety specifications. Modern tools should help development teams comply with safety norms by suggesting coding best practices, flagging questionable code, and revealing concerns during code-checking and the testing portions of the lifecycle; in other words, as early as possible.

2. Meet security requirements.

Similarly to the safety norms and standards, many organizations offer guidance and requirements for ensuring that automotive and other critical embedded code is kept secure. The threats aren't only those seen in the movies, where a person with a smartphone takes control of someone's car; they also involve ensuring that cars stay locked, wireless keys can't be bypassed, Bluetooth communications can't be monitored, and critical vehicle software can't be maliciously modified in any way. Even data flowing within a vehicle's own network often must be encrypted, and the network must be hardened against attack. Standards and security bodies that offer guidance and issue requirements for embedded code security include the IEEE, the U.S. National Highway Transportation Safety Administration (NHTSA), the Common Weakness Enumeration from The MITRE Corp., the Open Web Application Security Project, and SAE International. To use one example, in 2011 the NHTSA launched an initiative called the Cyber Security and Safety of Motor Vehicles Equipped with Electronic Control Systems.

A modern tool set for automotive developers can provide visibility into the applications through source code analysis, simulation, and tracing during runtime. Reports and audits can help ensure that the code is, well, up to code. Simulation lets developers and QA teams see how the software will run, even if the hardware is not yet ready. Tracing provides logs and analysis that follow the source code and binary code as executed by the (real or simulated) microprocessor, so that hard-to-fix defects can be tied back to their root causes.

3. Reduce defects in complex high-risk embedded code.

While automotive and in-vehicle systems have their own specific requirements for safety and security, they still must comply with the quality requirements for all embedded code. Memory leaks, untrapped exceptions, unchecked stacks and buffers, misplaced pointers, problems with array indexes, and errors in error handlers are all problems that can be caused by any number of factors.
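As an added illustration of challenges 1 and 3 together (this is example code written for this edit, not code from Rogue Wave or from the paper), the following C parses a small, made-up in-vehicle message format: one type byte, one length byte, then a payload. The first parser trusts the length byte, which is exactly the "unchecked buffers" and "array index" class of defect named above; the second validates every length and index before use and is written in the style that safety-coding guidelines such as MISRA C commonly ask for (fixed-width types, bounded loops, a single exit point with an explicit status code, no dynamic allocation). The frame layout, the 8-byte payload limit, and the sample frames are all assumptions made for this example.

```c
/*
 * Added example, not from the Rogue Wave paper. Frame layout (assumed for
 * this example): [type][len][payload ...], payload capacity 8 bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define PAYLOAD_MAX 8u   /* assumed payload capacity for this message type */

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} msg_t;

typedef enum {
    PARSE_OK        = 0,
    PARSE_ERR_SHORT = 1,   /* frame shorter than its two-byte header      */
    PARSE_ERR_LEN   = 2,   /* declared length exceeds payload capacity    */
    PARSE_ERR_TRUNC = 3,   /* declared length exceeds bytes received      */
    PARSE_ERR_NULL  = 4    /* null pointer argument                       */
} parse_status_t;

/* UNSAFE: trusts the length byte carried in the frame. A frame declaring
 * len > PAYLOAD_MAX makes memcpy write past the end of out->payload, the
 * unchecked-buffer defect the paper lists. Kept only to make the defect
 * concrete next to the hardened version. */
void parse_msg_unchecked(const uint8_t *frame, msg_t *out)
{
    out->type = frame[0];
    out->len  = frame[1];
    memcpy(out->payload, &frame[2], out->len);   /* out->len is unbounded */
}

/* HARDENED: every index and length is checked before it is used. */
parse_status_t parse_msg_checked(const uint8_t *frame, size_t frame_len, msg_t *out)
{
    parse_status_t status = PARSE_OK;
    size_t i;

    if ((frame == NULL) || (out == NULL)) {
        status = PARSE_ERR_NULL;
    } else if (frame_len < 2u) {
        status = PARSE_ERR_SHORT;
    } else if (frame[1] > PAYLOAD_MAX) {
        status = PARSE_ERR_LEN;     /* reject before touching the payload */
    } else if ((size_t)frame[1] > (frame_len - 2u)) {
        status = PARSE_ERR_TRUNC;   /* length claims more than was received */
    } else {
        out->type = frame[0];
        out->len  = frame[1];
        /* Bounded loop: out->len <= PAYLOAD_MAX was established above. */
        for (i = 0u; i < out->len; i++) {
            out->payload[i] = frame[2u + i];
        }
        /* Zero the unused tail so no stale stack data is ever read back. */
        (void)memset(&out->payload[out->len], 0, PAYLOAD_MAX - out->len);
    }
    return status;   /* single exit point, explicit status for the caller */
}

/* Constructed sample frames (not captured from any real vehicle). */
static const uint8_t good_frame[]      = {0x10u, 0x03u, 0xAAu, 0xBBu, 0xCCu};
static const uint8_t oversized_frame[] = {0x10u, 0x40u, 0x01u, 0x02u}; /* claims 64 bytes */
static const uint8_t truncated_frame[] = {0x10u, 0x04u, 0x01u, 0x02u}; /* claims 4, sends 2 */

/* Built-in self-check: true when every scenario yields the expected status
 * and the good frame leaves a zeroed tail behind the copied payload. */
bool self_check(void)
{
    msg_t m;
    bool ok = true;

    ok = ok && (parse_msg_checked(good_frame, sizeof good_frame, &m) == PARSE_OK);
    ok = ok && (m.len == 3u) && (m.payload[0] == 0xAAu)
            && (m.payload[2] == 0xCCu) && (m.payload[3] == 0u);
    ok = ok && (parse_msg_checked(oversized_frame, sizeof oversized_frame, &m) == PARSE_ERR_LEN);
    ok = ok && (parse_msg_checked(truncated_frame, sizeof truncated_frame, &m) == PARSE_ERR_TRUNC);
    ok = ok && (parse_msg_checked(good_frame, 1u, &m) == PARSE_ERR_SHORT);
    ok = ok && (parse_msg_checked(NULL, 0u, &m) == PARSE_ERR_NULL);
    return ok;
}

int main(void)
{
    return self_check() ? 0 : 1;
}
```

The oversized frame is the case to notice: the checked parser returns PARSE_ERR_LEN without writing a byte, whereas the unchecked one would copy 64 bytes into an 8-byte field. Most static analyzers and compiler warnings flag the unbounded memcpy in the first function at edit or check-in time, which is the early-detection point the paper argues for.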

While most programming errors can be caught during manual code review in a testing phase, this consumes valuable time and pushes error detection to potentially days or weeks after the code was written. It's more effective, and also more educational for the development team, to catch the bugs right in their Integrated Development Environment (IDE, also known as a code editor), or when code is checked into the source code repository. Development and test tools help by flagging defects early in the lifecycle: right as individual programmers are typing, if possible; if not, as soon as possible thereafter. Bugs caught early can be remediated early, keeping the project on track and reducing the possibility that the bugs might evade detection later.

EMBEDDED DEVELOPMENT IS DIFFERENT

Software teams in the non-embedded enterprise world, such as those writing websites, database applications, or even mobile phone apps, have considerable experience with IDEs and other tools that detect bugs and security, safety, and compliance issues early, such as while coding or when checking source code into a repository. Traditionally, such functionality has not been as common in the embedded software world. Experienced embedded development teams may not be familiar with those tools; non-embedded teams beginning work in the automotive space may not realize that their tools don't offer that functionality. What's more, development teams coming from the enterprise world are not used to norms and specifications as rigid as those from groups like the NHTSA or MISRA. Outside the embedded world, security, safety, and compliance failures may not be life-threatening, and in many organizations, agile software processes allow for rapid code iterations where buggy code is deployed, and then the bugs are detected and remediated later in a future release. That's not how the embedded world works, and we can all be grateful for that.

Rogue Wave Software lives in both the embedded and enterprise development worlds, and has created the leading portfolio of tools to assist embedded development teams with safety, security, compliance, and error detection and prevention.

CONCLUSION

Security compliance, safety compliance, and defect reduction are huge goals, not only for meeting a product's technical requirements, costs, and deadlines, but also for keeping people safe. This has never been truer than with today's increasingly software-based cars and trucks, and with the increased threat profile due to radio-based interconnectivity and sophisticated in-vehicle apps. Rogue Wave Software's portfolio of embedded development solutions can help improve code quality, safety, and compliance throughout the development lifecycle, from architecture to coding, and testing to deployment. Visit www.roguewave.com.

Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerate the value gained from code across the enterprise. Rogue Wave's portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times.

2014 Rogue Wave Software, Inc. All Rights Reserved