Regarding testing, recommendation [RC-10-12] states that component testing should be performed to confirm that unidentified weaknesses and vulnerabilities remaining in the component are minimized. Moreover, requirement [RQ-11-01] states that penetration testing can be used as a validation activity to demonstrate the appropriateness and achievement of cyber security goals. Several test methods can be applied to this type of testing, including vulnerability scanning, fuzz testing, and penetration testing.
Vulnerability scanning uses knowledge of known vulnerabilities or attack patterns to identify vulnerabilities in the target system. For example, software composition analysis tools, such as Black Duck®, can detect known vulnerabilities in OSS components in the target system. This automated scanning of source code or binaries identifies the open source components, their respective versions, and associated known vulnerabilities.
While vulnerability scanning tools typically use a database of known vulnerabilities or attack patterns, fuzz testing goes further to identify unknown vulnerabilities by generating malformed input that is then provided to the target system. Fuzz testing tools, such as Defensics®, can identify unknown vulnerabilities in various protocol implementations including CAN, CAN-FD, Automotive Ethernet, Wi-Fi, and Bluetooth, as well as in upper-layer protocols such as ISO-TP, UDS, DoIP, gPTP, IP, TCP, HFP, A2DP, and more.
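To make the distinction concrete, here is a minimal mutation-based fuzz harness in Python. It is an added illustration, not code from Defensics or from the standard; the frame format, the parser and the seed frames are all constructed for this example. The same length-prefixed parser is run in two modes: one that trusts the declared length (the defect a fuzzer should surface) and one that validates it first. The harness treats a controlled `ParseError` as correct rejection of malformed input and reports any other exception as an unexpected failure, which is exactly the signal fuzz testing is meant to produce.

```python
import random


class ParseError(Exception):
    """Controlled rejection of a malformed frame: the behaviour we want on bad input."""


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Build a well-formed frame in the constructed toy format:
    byte 0 = payload length, byte 1 = message type, payload, then one XOR checksum byte."""
    body = bytes([len(payload), msg_type]) + payload
    checksum = 0
    for b in body:
        checksum ^= b
    return body + bytes([checksum])


def parse_frame(frame: bytes, strict_length: bool = True) -> dict:
    """Parse a toy frame. strict_length=False trusts the declared length (constructed
    defect); strict_length=True checks it against the real frame size (hardened form)."""
    if len(frame) < 3:
        raise ParseError("frame too short")
    length, msg_type = frame[0], frame[1]
    if strict_length and len(frame) != 2 + length + 1:
        raise ParseError("declared length does not match frame size")
    payload = frame[2:2 + length]
    checksum = frame[2 + length]  # IndexError when a trusted length overruns the frame
    expected = 0
    for b in frame[:2 + length]:
        expected ^= b
    if checksum != expected:
        raise ParseError("bad checksum")
    return {"type": msg_type, "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary-value overwrite, truncation or append."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, seeds, iterations: int = 2000, seed: int = 1):
    """Run mutated inputs through the parser and collect unexpected failures.
    Returns a list of (input, exception_name) for every non-ParseError exception."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
        except ParseError:
            continue  # expected, controlled rejection
        except Exception as exc:  # anything else is a finding to report
            crashes.append((case, type(exc).__name__))
    return crashes


# Constructed seed corpus: two valid frames of different sizes.
SEEDS = [build_frame(0x10, b"\x01\x02\x03"), build_frame(0x22, b"")]


def fuzz_trusting_parser():
    return fuzz(lambda f: parse_frame(f, strict_length=False), SEEDS)


def fuzz_validating_parser():
    return fuzz(lambda f: parse_frame(f, strict_length=True), SEEDS)


if __name__ == "__main__":
    print("trusting parser crashes:", len(fuzz_trusting_parser()))
    print("validating parser crashes:", len(fuzz_validating_parser()))
```

Compare the two runs: the trusting parser produces `IndexError` findings from mutated length bytes, while the validating parser produces none. In practice the harness would wrap the real protocol stack and the mutation strategy would be protocol-aware, but the classification of exceptions into "expected rejection" versus "unexpected failure" is the core of any fuzz oracle.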
Vulnerability scanning and fuzz testing can be performed using automated tools. By contrast, penetration testing typically involves manual activities that attempt to defeat specific security goals of the target system.
Organizations also need to continuously monitor for new threats and vulnerabilities both during development and after the product has been released. Requirement [RQ-08-01] states that internal and external sources can be monitored to collect cyber security information. Software composition analysis tools like Black Duck can provide alerts on newly identified vulnerabilities in OSS components as part of ongoing cyber security activities.
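The two software composition analysis activities described above, the one-time scan of an inventory against known vulnerabilities and the continuous monitoring that alerts on newly published ones, reduce to the same matching logic. The Python below is an added example and is not Black Duck's code or data: the component inventory, the advisory feed and the `ADV-000n` identifiers are all constructed placeholders, and versions are assumed to be purely numeric dotted strings. It matches each component against an advisory's affected range (introduced inclusive, fixed exclusive, with no fix yet meaning every later version is affected) and then diffs two scan passes so that only advisories not seen before are raised as alerts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder ids, not real CVE numbers
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None means no fix published
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple; '1.2' compares equal to '1.2.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component's version falls inside the advisory's affected range."""
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    if v < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or v < parse_version(advisory.fixed)


def scan(inventory: List[Component], advisories: List[Advisory]) -> Dict[str, List[Component]]:
    """One SCA pass: map each matching advisory id to the affected components."""
    findings: Dict[str, List[Component]] = {}
    for adv in advisories:
        hits = [c for c in inventory if is_affected(c, adv)]
        if hits:
            findings[adv.advisory_id] = hits
    return findings


def new_alerts(previous: Dict[str, List[Component]],
               current: Dict[str, List[Component]]) -> Dict[str, List[Component]]:
    """Continuous monitoring: report only advisories that were not present in the previous pass."""
    return {k: v for k, v in current.items() if k not in previous}


# Constructed inventory, as an SBOM extraction of the product would produce it.
INVENTORY = [
    Component("libfoo", "1.2.3"),
    Component("tlslib", "3.0.1"),
    Component("jsonparser", "2.9.0"),
]

# Constructed advisory feed at the time of the first scan.
FEED_DAY1 = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.2.4", "high"),     # 1.2.3 is inside the range
    Advisory("ADV-0002", "tlslib", "2.5", "3.0.0", "critical"),   # 3.0.1 is already fixed
    Advisory("ADV-0003", "jsonparser", "2.0.0", None, "medium"),  # no fix yet: still affected
]

# The same feed one day later, after a new advisory is published.
FEED_DAY2 = FEED_DAY1 + [
    Advisory("ADV-0004", "libfoo", "1.2.0", "1.3.0", "high"),
]


def daily_monitoring():
    """Run the two passes and return (day-1 findings, alerts that are new on day 2)."""
    day1 = scan(INVENTORY, FEED_DAY1)
    day2 = scan(INVENTORY, FEED_DAY2)
    return day1, new_alerts(day1, day2)


if __name__ == "__main__":
    day1, alerts = daily_monitoring()
    print("initial findings:", sorted(day1))
    print("new alerts next day:", sorted(alerts))
```

The fixed-version check is the part worth getting right: treating "no fix yet" as "not affected" would silently drop the `jsonparser` finding, and an off-by-one on the exclusive fixed boundary would either miss `libfoo` 1.2.3 or falsely flag `tlslib` 3.0.1.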