The road towards better automotive cybersecurity

The road towards better automotive cybersecurity

May 27, 2015

Rogue Wave Accelerate Series Part 1 of 3

2

Jeff Hildreth, Automotive Account Manager

Rogue Wave Software

Presenter

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED

Agenda

• We’re all saying the same thing

• Wrangling order from chaos

• A holistic approach to cybersecurity

• Take action!

• Q&A

3© 2015 Rogue Wave Software, Inc. All Rights Reserved

Poll #1

We’re all saying the same thing

5© 2015 Rogue Wave Software, Inc. All Rights Reserved

6© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED

“We all clearly created these presentations in a vacuum because we’re all using the same material.”

IQPC Automotive Cyber Security Summit, two months ago

Develop a specific strategy that fits into what we’re already doing

Be different

You have the tools already


Wrangling order from chaosLook at the data you’re already faced with:

1000s of bugs

How do you handle this information overload?

HIL failure cases

Customer defects

Avg. number of security

risks:

22.4

Safety requirement

s


Security information overload

NewsBlogs, social media

conferences

Security standardsOWASP, CWE, CERT, etc.Senator Markey report

NVD, White Hat, Black Hat OEMs, internal

Media More and more software running inside your carStandards and legislation

Research Requirements

Developers don’t know security

(80% failed security knowledge survey)

Poll #2

A holistic approach to cybersecurity

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 10

Threat Model

Internal Threat Metric

External Data Action

Information overload Develop an adaptive threat model


Threat model

Scanning to discover openThreat modelling identifies, quantifies, and

addresses security risks by:

1. Understanding the application & environment

2. Identifying & prioritizing threats3. Determining mitigation actions

Identify Assets

System Overvie

w

Decompose Applicatio

nIdentify Threats

Prioritize Threats

12

External data sources


Standards• Common Weakness

Enumeration (MITRE)• Open Web Application

Security Project (OWASP)

• CERT (Carnegie Mellon University)

National Governing Bodies

CVE database National Vulnerability

Database

OEM RFP requirements

ResearchWhite Hat/Black Hat

University studies

Media

Development Team

Poll #3

14

Internal metrics


Testing

Automated unit testsHardware in the Loop (HIL) testing

Security Team

Penetration tests

Open source scanning

Software Tools

Static Code Analysis (SCA)

Compiler warnings

Requirements

Development Team

15

Developing a Threat Metric


Build score• Automated and functional testing gives you a pass/fail metric on

every run of the test suite• A metric can be generated from penetration testing based on the

number of exploitable paths in your code base• Software tools give you a count of critical static analysis and

compiler warnings • A metric can be developed based on the presence of snippets of

open source code previously undetected or open source with new known vulnerabilities

• All of these metrics can be generated on every build of your software

AcceptSprint 1

Sprint 2

Sprint n Release

ChangeAdjust and Track

FeedbackReview

Next Iteration

No!

Yes!

Release to

Market

Integrate and Test

Integrate and TestIntegrate

and Test

Agile development: Integrated security

Characteristics• Multiple testing

points• Rapid feedback

required• “Outside”

testing does not meet agile needs

16© 2015 Rogue Wave Software, Inc. All Rights Reserved.

17

Standards

Governing bodies OEM RFP requirements

Research

Media Continuous metric updates


Testing

Pen tests OSS scanning

Software tools

Requirements

Development Team

18

Example: ECU


Front ADAS Gateway Infotainment

Rear distribution

amplifier

Camera

RadarX by wire

Telematics

Power train

Camera

Radar

19

Static code analysis (SCA)


Static code analysis

Traditionally used to find simple, annoying bugs

Modern, state-of-the-art SCA:

Sophisticated inter-procedural control and

data-flow analysis

Model-based simulation of runtime

expectation

Provides an automated view of all

possible execution paths

Find complex bugs and runtime errors, such as

memory leaks, concurrency violations,

buffer overflows

Check compliance with internationally

recognized standards:

MISRACWE

OWASPISO2626

2

20

Static code analysis


Keep your metric up to date• Standards: rely on your static code analysis vendor to provide

updates to the latest security standards • Research: rely on your vendor to develop custom rules based

on research shared by security analysts • OEM requirements: prove that standards have been enforced

21

Take action


Check code faster• Issues identified at your desktop

– Correct code before check-in– All areas impacted by a given

defect are highlighted– After system build, the impact of

other developers’ code is also delivered to the desktop for corrective action

• Create custom checkers to meet specific needs

• Debugger-like call-stack highlights the cause of the issues

• Context-sensitive help provides industry best-practices and explanations

50% of defects

introduced here

Build Analysis

/ Test

22

Open source scanning


Keep your metric up to date• Deploy a governance and provisioning platform to white

list/black list open source packages • Be informed when new vulnerabilities are published through the

National Vulnerability Database • Know what’s in your source code by scanning for snippets that

have been copied and pasted

23

Measuring open source risks


• Know your inventory with OSS scanning– Automated, repeatable way to locate OSS packages (and

packages within packages!) and licensing obligations– Look for scanning tools that:

• are SaaS – easier to set up and maintain• Protect your IP by not requiring source code upload

• Maintain OSS support– Get notified of latest patches, risks, bugs

• Establish an OSS policy to minimize risk– Use only trusted packages– Notify and update security fixes

24

Scan results example



Conclusions

The application security world is fluid

Create concrete, actionable strategies

(Threat Metric, analysis & scanning)

Delivery cycles are short Update regularly with well-

defined process(Agile, CI)

See us in action:

www.roguewave.com

Jeff Hildreth | [email protected]