According to Robert Charette, as summarized on the QSM blog, “The first production car to incorporate embedded software was the 1977 General Motors Oldsmobile Toronado which had an electronic control unit (ECU) that managed electronic spark timing. By 1981, GM had deployed about 50,000 lines of engine control software code across their entire domestic passenger car line.”
Joe Madden at QSM notes that “cars now depend on millions of lines of code running up to 100 networked ECUs … which control and monitor everything from the powertrain” to safety systems such as airbags and braking.
Statista projects that by 2021, connected vehicles will make up more than one-third of all vehicles on the road.
Cyber security best practices for modern vehicles
While connected cars offer abundant opportunities for consumers, automakers and their suppliers need to consider what the connected car means for consumer privacy and security. As more connected vehicles hit the roads, software vulnerabilities become accessible to malicious hackers using cellular networks, Wi-Fi, and hardline connections to exploit them.
The potential for hackers to gain unauthorized remote access to the vehicle network and compromise critical safety systems puts at risk not just users’ personal information but their physical safety as well.
As noted on TechSpective, “Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source [or third-party] components in that software.”
How effective is the auto industry at addressing the software security risks in connected vehicles?
When security researchers demonstrated that they could hack a Jeep over the Internet to hijack its brakes and transmission, it posed a security risk serious enough that Chrysler recalled 1.4 million vehicles to fix the bug that enabled the attack.
Static application security testing (SAST), also known as white box testing, scans an application before the code is compiled.
Since it doesn’t require an application to be run or code to be executed, SAST can take place early in the software development life cycle (SDLC). SAST helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or passing on vulnerabilities to the final release of the application.
IAST for automotive cyber security
Interactive application security testing (IAST) solutions help automotive organizations identify and manage security risks associated with vulnerabilities discovered in running applications using dynamic testing (often referred to as runtime testing) techniques. Some IAST solutions integrate software composition analysis (SCA) tools to address known vulnerabilities in open source components and frameworks.
IAST generally takes place during the test/QA stage of the software development life cycle (SDLC). IAST effectively shifts testing left, so problems are caught earlier in the development cycle, reducing remediation costs and delays. Many IAST tools can be integrated into continuous integration (CI) and continuous development (CD) tools. The latest generation of IAST tools returns results as soon as changed code is recompiled and the running app retested, helping developers identify vulnerabilities even earlier in the development process.
SCA for automotive cyber security
With the growth in open source use, especially by third-party vendors, auto manufacturers need to ensure that software composition analysis (SCA) is part of their application security toolbelt. Code audits consistently show open source components composing as much as 25% of any given automotive application. As Forrester Research noted in a 2017 report, “Unfortunately, many of these [open source] components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability.”
With the addition of an SCA solution, automotive organizations can effectively identify the use of open source in their code, whether it comes from internal development teams or from external suppliers; detect vulnerabilities in open source components; and manage whatever license compliance their use of open source may require.
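The three SCA functions described above (inventory by origin, known-vulnerability detection, license management) can be sketched as follows. This is an added example, not code from the original article or from any SCA product; every component name, version, advisory identifier and the license policy are constructed placeholders.

```python
# Added illustration: minimal software composition analysis (SCA) pass.
# All component names, versions, advisories and the license policy below are
# constructed sample data, not real packages or real advisories.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    origin: str  # "internal" or the supplier that delivered the code

# Constructed inventory for one ECU firmware image.
INVENTORY = [
    Component("examplessl", "1.0.1", "Apache-2.0", "internal"),
    Component("examplecan", "2.3.0", "GPL-3.0-only", "supplier-a"),
    Component("examplezip", "1.9.0", "Zlib", "supplier-b"),
    Component("examplessl", "1.1.4", "Apache-2.0", "supplier-b"),
]

# Constructed advisories: component -> (placeholder id, first fixed version).
ADVISORIES = {
    "examplessl": [("ADV-PLACEHOLDER-1", "1.1.0")],
    "examplezip": [("ADV-PLACEHOLDER-2", "1.10.0")],
}

# Assumed organizational policy: licenses that need legal review before shipping.
REVIEW_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))

def audit(inventory):
    """Return (vulnerable, license_review) findings, each tagged with origin."""
    vulnerable, license_review = [], []
    for c in inventory:
        for adv_id, fixed in ADVISORIES.get(c.name, []):
            if parse_version(c.version) < parse_version(fixed):
                vulnerable.append((c.origin, c.name, c.version, adv_id, fixed))
        if c.license in REVIEW_LICENSES:
            license_review.append((c.origin, c.name, c.license))
    return vulnerable, license_review

if __name__ == "__main__":
    vulns, licenses = audit(INVENTORY)
    for origin, name, ver, adv, fixed in vulns:
        print(f"[vuln] {origin}: {name} {ver} affected by {adv}, fixed in {fixed}")
    for origin, name, lic in licenses:
        print(f"[license] {origin}: {name} uses {lic}, needs review")
```

The same component appears twice at different versions, once from internal development and once from a supplier, and only the older copy is flagged; the 1.9.0 versus 1.10.0 case would be missed by a plain string comparison.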
Managing and securing open source software in the automotive industry
Effective management of code risk is becoming increasingly important to the automotive industry. As pointed out on TechSpective, “By integrating … processes and automated solutions into their software supply chain, automakers, suppliers, and technology companies servicing the automotive industry can maximize the benefits of [the software their vehicles use] while effectively managing their risks.”
As noted on Information Age, “Just as lean manufacturing and ISO-9000 practices brought both greater agility and quality to the automotive industry, visibility and control will be essential to maintaining the security and code quality of automotive software applications and platforms.” A rigorous approach to cyber security is vital to achieve the full range of benefits new automotive technologies promise while preserving top quality and rapid time to market.