Posted by Mark Van Elderen on May 27, 2016
This week Synopsys presented to automakers gathered in Detroit at a summit on embedded software integrity.
The Embedded Software Integrity for Automotive Summit convened at a small hotel in Dearborn, Michigan – a city located just outside of Detroit and known by many in the automotive industry as the home of the Ford Motor Company headquarters and its founder, Henry Ford. The venue was quiet and list of delegates was short, but behind closed doors automotive experts discussed the bumpy road that lies ahead of one of the largest industries in the world.
Over the past year, in-vehicle software malfunctions, emissions system tampering, and widely publicized car hacks have demonstrated there is a lot more going on under the hood of a modern vehicle than a series of combustions, and the automotive industry hasn’t exactly figured it all out yet. Challenged by the explosion of software infiltrating modern vehicles, the trend of connectivity as a feature, and the imminence of autonomous driving, the automotive industry now faces the daunting task of ensuring the integrity of road vehicles, not just from a mechanical and functional safety perspective, but on the digital and cybersecurity front as well.
Conference delegates from OEMs, suppliers, and regulators with responsibilities ranging from software development and testing testing and verification and validation (v&v) came together to discuss trends, challenges, best practices, and industry standards. Speakers from General Motors, Volkswagen, Fiat Chrysler, and Mercedes Benz, as well as academics from the University of Michigan and the University of Virginia delivered insightful presentations.
From the intricacies of the V-Model software development process to the distinction between verification and validation, it all of it boiled down to a single theme – how can an industry, whose end product is a two-ton computer on wheels, improve the process by which software is developed and tested to ensure consumer security, privacy, and safety.
In a presentation titled, “Where the Rubber Meets the Road: Building Security into the SDLC of Connected Vehicle Technology,” Synopsys’ Dean Starr talked about the developer-friendly software quality and security testing tools that have been leveraged by other industries for years. Dean emphasized the importance of “shifting left” – or empowering developers to address quality, security, and safety issues early in the development process through education and access to the appropriate tools.
In another presentation, Mike Ahmadi, Synopsys’ global director of critical systems security and his SAE colleague Bill Mazzara talked about the need for new standards that go beyond functional safety in software development to specifically address cyber threats. They highlighted an important distinction between functional safety and cybersecurity, the latter being in “infinite space problem” that must be addressed with a fundamentally different approach. They went on to discuss the work that SAE is doing through the newly formed Cybersecurity Assurance Testing Task Force. The standards group comprised of OEMs, Tier 1 suppliers, and security experts is developing a common set of requirements that can be adopted throughout the extended supply chain to mitigate safety and security risk in automotive software.
The consensus emanating throughout the entire delegation was that getting everyone on the same page is an important step forward in the road to automotive software integrity. It was encouraging to observe the collaboration between competitors, suppliers, and regulators laying the groundwork for what is sure to be an ongoing, iterative process. The industry isn’t doomed, but it certainly needs to adapt by shifting its focus to the underlying software ushering in a new wave of possibilities.
Get the latest AppSec news and trends sent directly to you.