TRANSCRIPT
The road towards better automotive cybersecurity
May 27, 2015
Rogue Wave Accelerate Series Part 1 of 3
Presenter: Jeff Hildreth, Automotive Account Manager, Rogue Wave Software
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
Agenda
• We’re all saying the same thing
• Wrangling order from chaos
• A holistic approach to cybersecurity
• Take action!
• Q&A
Poll #1
We’re all saying the same thing
“We all clearly created these presentations in a vacuum because we’re all using the same material.”
IQPC Automotive Cyber Security Summit, two months ago
• Develop a specific strategy that fits into what we’re already doing
• Be different
• You have the tools already
Wrangling order from chaos
Look at the data you’re already faced with:
• 1000s of bugs
• HIL failure cases
• Customer defects
• Safety requirements
• Avg. number of security risks: 22.4
How do you handle this information overload?
Security information overload
• Media: news, blogs, social media, conferences
• Standards and legislation: security standards (OWASP, CWE, CERT, etc.), Senator Markey report
• Research: NVD, White Hat, Black Hat
• Requirements: OEMs, internal
More and more software running inside your car
Developers don’t know security (80% failed security knowledge survey)
Poll #2
A holistic approach to cybersecurity
Information overload → develop an adaptive threat model:
Threat model + external data + internal threat metric → action
Threat model
Threat modelling identifies, quantifies, and addresses security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
Process: Identify assets → System overview → Decompose application → Identify threats → Prioritize threats
External data sources
• Standards: Common Weakness Enumeration (MITRE), Open Web Application Security Project (OWASP), CERT (Carnegie Mellon University)
• National governing bodies: CVE database, National Vulnerability Database
• OEM RFP requirements
• Research: White Hat/Black Hat, university studies
• Media
All feeding the development team
Poll #3
Internal metrics
• Testing: automated unit tests, Hardware in the Loop (HIL) testing
• Security team: penetration tests, open source scanning
• Software tools: Static Code Analysis (SCA), compiler warnings
• Requirements
All feeding the development team
Developing a threat metric
Build score:
• Automated and functional testing gives you a pass/fail metric on every run of the test suite
• A metric can be generated from penetration testing based on the number of exploitable paths in your code base
• Software tools give you a count of critical static analysis and compiler warnings
• A metric can be developed based on the presence of snippets of open source code previously undetected, or open source with new known vulnerabilities
• All of these metrics can be generated on every build of your software
Agile development: Integrated security
Sprint 1 → Sprint 2 → … → Sprint n → Release, with “Integrate and Test” in every sprint
Review → Feedback → Accept? Yes: release to market. No: change, adjust and track, next iteration
Characteristics:
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
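As an added example (not from the deck and not Rogue Wave's product), one way to fold the build-score signals listed above into a single per-build threat metric and the Accept/Change gate of the agile loop; the weights, the threshold and the three sample builds are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BuildSignals:
    """Per-build inputs named on the slide; all counts are from this build."""
    tests_run: int          # automated unit / HIL tests executed
    tests_failed: int
    exploitable_paths: int  # from the latest penetration test
    sca_critical: int       # critical static-analysis findings
    compiler_warnings: int
    oss_new_snippets: int   # copied-in open source not previously inventoried
    oss_vulnerable: int     # OSS components with a newly published vulnerability

# Assumed weights: one exploitable path or vulnerable OSS component should
# outweigh many compiler warnings. Tune these per programme.
WEIGHTS = {
    "test_fail_rate": 100.0,  # applied to failed/run, so 0..100 points
    "exploitable_paths": 25.0,
    "sca_critical": 5.0,
    "compiler_warnings": 0.5,
    "oss_new_snippets": 3.0,
    "oss_vulnerable": 20.0,
}

def threat_metric(b: BuildSignals) -> float:
    """Single score per build; higher is worse, 0.0 is a clean build.
    A build that ran no tests at all counts as a 100% failure rate."""
    fail_rate = b.tests_failed / b.tests_run if b.tests_run else 1.0
    return round(WEIGHTS["test_fail_rate"] * fail_rate
                 + WEIGHTS["exploitable_paths"] * b.exploitable_paths
                 + WEIGHTS["sca_critical"] * b.sca_critical
                 + WEIGHTS["compiler_warnings"] * b.compiler_warnings
                 + WEIGHTS["oss_new_snippets"] * b.oss_new_snippets
                 + WEIGHTS["oss_vulnerable"] * b.oss_vulnerable, 2)

def sprint_decision(history: list, threshold: float = 10.0) -> str:
    """Accept/Change gate from the agile slide: 'Accept' only when the latest
    build is at or under threshold and has not regressed against the previous one."""
    latest = history[-1]
    regressed = len(history) > 1 and latest > history[-2]
    return "Accept" if latest <= threshold and not regressed else "Change"

if __name__ == "__main__":
    # Constructed sample: three sprints of the same ECU firmware.
    builds = [BuildSignals(1200, 18, 2, 4, 37, 3, 1),
              BuildSignals(1250, 4, 1, 1, 12, 0, 1),
              BuildSignals(1300, 0, 0, 0, 6, 0, 0)]
    scores = [threat_metric(b) for b in builds]
    for i, s in enumerate(scores, 1):
        print(f"Sprint {i}: threat metric {s:>6} -> {sprint_decision(scores[:i])}")
```

Because every input is already produced by the build (test results, analysis counts, scan output), the score can be recomputed on each build and tracked sprint over sprint, which is the point the slide makes.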
Continuous metric updates
• External: standards, governing bodies, OEM RFP requirements, research, media
• Internal: testing, pen tests, OSS scanning, software tools, requirements
All feeding the development team
Example: ECU
Vehicle network diagram with the following ECUs: Front ADAS, Gateway, Infotainment, Telematics, X by wire, Power train, Rear distribution amplifier, plus front and rear camera and radar units.
Static code analysis (SCA)
Traditionally used to find simple, annoying bugs.
Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
Static code analysis
Keep your metric up to date:
• Standards: rely on your static code analysis vendor to provide updates to the latest security standards
• Research: rely on your vendor to develop custom rules based on research shared by security analysts
• OEM requirements: prove that standards have been enforced
Take action
Check code faster:
• Issues identified at your desktop
  – Correct code before check-in
  – All areas impacted by a given defect are highlighted
  – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
• Create custom checkers to meet specific needs
• Debugger-like call-stack highlights the cause of the issues
• Context-sensitive help provides industry best-practices and explanations
Diagram: Build → Analysis / Test, annotated “50% of defects introduced here”
Open source scanning
Keep your metric up to date:
• Deploy a governance and provisioning platform to whitelist/blacklist open source packages
• Be informed when new vulnerabilities are published through the National Vulnerability Database
• Know what’s in your source code by scanning for snippets that have been copied and pasted
Measuring open source risks
• Know your inventory with OSS scanning
  – Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
  – Look for scanning tools that:
    • are SaaS – easier to set up and maintain
    • protect your IP by not requiring source code upload
• Maintain OSS support
  – Get notified of latest patches, risks, bugs
• Establish an OSS policy to minimize risk
  – Use only trusted packages
  – Notify and update security fixes
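An added example, not Rogue Wave's scanner, of the snippet scanning the two slides above describe: normalized k-line windows of source are hashed and matched against fingerprints of known open-source components, so a pasted routine is found even after it has been re-indented and re-commented. The window size, the “known OSS” corpus and the project file are constructed assumptions.

```python
import hashlib, re

K = 3  # window size in normalized lines (assumption; tune per language)

def normalize(src):
    """Strip C-style comments and blank lines and collapse whitespace."""
    lines = (re.sub(r"\s+", " ", re.sub(r"//.*|/\*.*?\*/", "", ln)).strip()
             for ln in src.splitlines())
    return [ln for ln in lines if ln]

def fingerprints(lines):
    """One SHA-256 per K-line window of the normalized source."""
    return [hashlib.sha256("\n".join(lines[i:i + K]).encode()).hexdigest()
            for i in range(len(lines) - K + 1)]

def build_index(corpus):
    """fingerprint -> names of known OSS components containing that window."""
    index = {}
    for name, src in corpus.items():
        for fp in fingerprints(normalize(src)):
            index.setdefault(fp, set()).add(name)
    return index

def scan(src, index):
    """component name -> number of windows of src that match that component."""
    hits = {}
    for fp in fingerprints(normalize(src)):
        for name in index.get(fp, ()):
            hits[name] = hits.get(name, 0) + 1
    return hits

# Constructed "known open source" corpus: a single tiny checksum routine.
KNOWN_OSS = {"tiny-sum8": """uint8_t sum8(const uint8_t *d, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) {
        s += d[i];
    }
    return s;
}"""}
# Constructed project file: the same routine pasted in, re-indented and re-commented.
PROJECT_FILE = """static int frame_ok(const uint8_t *f, size_t n) { return n > 1; }
uint8_t sum8(const uint8_t *d, size_t n) {  // pasted from a forum post
  uint8_t s = 0;
  for (size_t i = 0; i < n; i++) {  /* same loop, different indentation */
    s += d[i];
  }
  return s;
}"""
if __name__ == "__main__":
    print(scan(PROJECT_FILE, build_index(KNOWN_OSS)))  # {'tiny-sum8': 5}
```

The hit count per component is exactly the kind of “previously undetected snippet” signal the threat-metric slide asks for, and only fingerprints (not source) need to leave the build machine, which is why the slide favours tools that do not require source upload.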
Scan results example (screenshot)
Conclusions
• The application security world is fluid: create concrete, actionable strategies (threat metric, analysis & scanning)
• Delivery cycles are short: update regularly with a well-defined process (Agile, CI)