Top 5 best practices for delivering secure in-vehicle software
Embedded World Exhibition & Conference, February 26, 2015

Upload: rogue-wave-software

Post on 29-Jul-2015

TRANSCRIPT

Page 1: Top 5 best practice for delivering secure in-vehicle software

Top 5 best practices for delivering secure in-vehicle software
Embedded World Exhibition & Conference

February 26, 2015

Page 2

Presenter: Rod Cope, CTO, Rogue Wave Software

Page 3

Agenda

• Setting the stage

• Best practices

– Manage and mitigate issues

– Build security into your development workflow

– Enforce standards and ensure compliance

– Manage open source risk

– Streamline with continuous integration

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED

Page 4

Setting the stage

Page 5

Automotive hacks are well documented

Page 6

Increasing complexity: Connected cars

Page 7

Software is growing fast

[Bar chart: LOC (millions), axis 0 to 350, one bar each for USAF F-22, USAF F-35 JSF, Avg Ford car 2009, Boeing 787 Dreamliner, Avg Ford car 2010, S-class Nav 2009, Avg luxury car 2010, Avg luxury car 2014*]

*Estimated. Sources: IEEE Automotive Designline, IEEE Spectrum

Page 8

Open source is great (but has risks)

Benefits
• mature libraries
• leveraged development effort
• massive peer review
• little to no cost

Risks
• licensing
• security
• bugs
• lack of support

Most organizations don’t know where and how OSS is being used

“By 2016, 99% of Global 2000 enterprises will use open source in mission-critical software” - Gartner

Page 9

Practice #1: Manage and mitigate issues

Page 10

How do security issues happen?

Data breaches are the result of one flawed assumption: “Incoming data is well-formed”

Most breaches result from input trust issues: unvalidated input, SQL injection, cross-site scripting, Heartbleed (buffer overflow)

OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today

CWE is a community-driven identification of weaknesses
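The flawed assumption above, as an added example that is not from the slides: a C parser for a constructed length-prefixed record (1-byte type, 2-byte big-endian length, payload) that checks the claimed length against the bytes actually received before touching the payload, the check whose absence produced Heartbleed. The record layout, the 64-byte maximum and the sample messages are all assumptions made for this example.

```c
/* Added example, not from the slides: parse a length-prefixed record without
 * trusting the sender's length field.  The layout is constructed for this
 * example: 1-byte type, 2-byte big-endian payload length, then the payload. */
#include <stdint.h>
#include <string.h>

#define HDR_LEN     3u
#define MAX_PAYLOAD 64u   /* protocol maximum, assumed for this example */

typedef struct {
    uint8_t        type;
    uint16_t       len;      /* validated payload length */
    const uint8_t *payload;  /* points into the caller's buffer */
} record_t;

/* Returns 0 and fills *out, or -1 for any malformed input.  The claimed length
 * is checked against the bytes actually received before any payload byte is
 * read; trusting the field instead is the Heartbleed-class mistake. */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf == NULL || out == NULL || buf_len < HDR_LEN) {
        return -1;                              /* truncated header */
    }
    uint16_t claimed = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);
    if (claimed > MAX_PAYLOAD || (size_t)claimed > buf_len - HDR_LEN) {
        return -1;                              /* claims more than was received */
    }
    out->type    = buf[0];
    out->len     = claimed;
    out->payload = buf + HDR_LEN;
    return 0;
}

/* Copies the payload into a caller-owned reply buffer, bounded by the validated
 * length and the reply capacity.  Returns the bytes copied, or -1. */
int echo_payload(const uint8_t *buf, size_t buf_len, uint8_t *reply, size_t reply_cap)
{
    record_t rec;
    if (parse_record(buf, buf_len, &rec) != 0 || rec.len > reply_cap) {
        return -1;
    }
    memcpy(reply, rec.payload, rec.len);
    return (int)rec.len;
}

/* Constructed samples (not captured traffic): SAMPLE_BAD claims a 65535-byte
 * payload while only 4 payload bytes follow the header. */
static const uint8_t SAMPLE_GOOD[] = {0x01, 0x00, 0x04, 'c', 'a', 'n', 0x00};
static const uint8_t SAMPLE_BAD[]  = {0x01, 0xFF, 0xFF, 'c', 'a', 'n', 0x00};
```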

Page 11

Security is not a priority

Survey: of 1700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data

Organizations have failed to prevent attacks

• Lack of focus
• Lack of time
• Lack of tools/proper tools

Page 12

Static code analysis and testing

Traditionally used to find simple, annoying bugs

Modern, state-of-the-art SCA

• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and security issues, such as memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262

Page 13

Who owns security?

Security is everyone’s responsibility

Developers
• Focused on making code functional
• Meeting deadlines
• Developing code faster
• Security is an afterthought

IT
• Cleaning up the aftermath of breaches
• Preventing system hacks
• Creating a safe structure
• Security is a priority

Tools
• Automate detection of vulnerabilities
• Fit into existing processes
• Aggregate reports to see trends

Page 14

Practice #2: Build security into your development workflow

Page 15

What not to do

• Write a book…
• 1500 pages long…
• Run the spellchecker

Page 16

The faster you find a defect, the less costly to fix

[Charts of Cost to Fix against the point at which a defect is detected. Relative cost: 1X, 3X, 5X, 10X, 100X across Requirements, Architecture, Construction, System Test, Post Release. Cost by time detected: $139, $455, $977, $7,136, $14,103 across Requirements, Design, Coding, Testing, Maintenance. Cost to Fix by Lifecycle Stage: Specification, Design, Code, Unit Test, System Test, UAT, Release. Cost to Fix over Time: Development, Unit Tests, QA Testing, Production.]

Page 17

Analysis earlier in the cycle

• Eliminates new defects from being checked back into the team-level build
• No extra work for developers
• In-context checking and fixes
• Continuity of development flow

Development Cycle: Edit → Save → Analyze & Fix → Compile → Test → Check In → Build

Page 18

What else can you do?

• Need to “bake in” security
• All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
• Follow a well-known security standard applicable to your domain
• Educate the development team, provide security-based training
• Automate to find flaws as soon as possible!

Page 19

Practice #3: Enforce standards and ensure compliance

Page 20

ISO 26262

[Diagram: Functional Safety Hazard and Risk Analysis. IEC 61508 as the base standard, with the sector standards IEC 60601, ISO 14971, IEC 62304, EN 5012x, EN 81, IEC 62061, ISO 61511 and ISO 26262 covering the Medical, Railways, Elevators, Machinery, Process and Cars sectors. The two standards compared run to 478 pages and 670 pages (English versions).]

Relationship between ISO 26262 and IEC 61508

...

Page 21

A certified analysis tool

• Certified results for the Software Verification Report (ISO 26262, section 6)
• Accurate within the definitions and scopes documented for the tool
• Provides dependable, repeatable results
• Tool is pre-qualified with evidence artifacts
– If following usage patterns and requirements defined in the safety manual, no further qualification work required
– In other cases, the tool qualification package can be extended to provide necessary qualification evidence
• Reduces tool qualification effort (ISO 26262, section 8)

Page 22

MISRA standards

• Coding standard, not functional safety like ISO 26262
• Write safer software from the beginning using a restrictive subset of the language
• C library dynamic memory – surely the worst possible thing?
• How do we check for correct usage?

Rule 20.4 (required): Dynamic heap memory allocation shall not be used

Example from MISRA C 2004
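One way to meet Rule 20.4 in practice, as an added example that is not from the slides or from MISRA: a fixed-size block pool in C that takes the place of malloc()/free() with storage sized at build time, so an SCA rule that flags calls to the C library allocation functions has nothing to report. The pool and block sizes are assumptions for this example.

```c
/* Added example, not from the slides: a fixed-size block pool standing in for
 * malloc()/free() so MISRA C:2004 Rule 20.4 (no dynamic heap allocation) can
 * be met.  Storage is a static array sized at build time: the pool can run
 * out, but it never fragments or grows. */
#include <stdint.h>
#include <string.h>

#define POOL_BLOCKS 8u    /* sizes are assumptions for this example */
#define BLOCK_BYTES 32u

typedef struct {
    uint8_t storage[POOL_BLOCKS][BLOCK_BYTES];
    uint8_t in_use[POOL_BLOCKS];   /* 1 = handed out, 0 = free */
    size_t  free_count;
} pool_t;

void pool_init(pool_t *p)
{
    memset(p, 0, sizeof *p);
    p->free_count = POOL_BLOCKS;
}

/* Returns a zeroed block, or NULL when the pool is exhausted; callers must
 * handle NULL instead of assuming memory is always available. */
void *pool_alloc(pool_t *p)
{
    for (size_t i = 0; i < POOL_BLOCKS; ++i) {
        if (p->in_use[i] == 0u) {
            p->in_use[i] = 1u;
            p->free_count--;
            memset(p->storage[i], 0, BLOCK_BYTES);
            return p->storage[i];
        }
    }
    return NULL;
}

/* Releases a block.  Returns -1 for a foreign pointer, a pointer into the middle
 * of a block, or a double free.  The offset is computed as an unsigned integer,
 * so a pointer below the pool wraps to a large value and is rejected. */
int pool_free(pool_t *p, void *blk)
{
    uintptr_t off = (uintptr_t)blk - (uintptr_t)&p->storage[0][0];
    if (off >= (uintptr_t)POOL_BLOCKS * BLOCK_BYTES || (off % BLOCK_BYTES) != 0u) {
        return -1;                 /* not a block of this pool */
    }
    size_t i = (size_t)(off / BLOCK_BYTES);
    if (p->in_use[i] == 0u) { return -1; }   /* double free */
    p->in_use[i] = 0u;
    p->free_count++;
    return 0;
}
```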

Page 23

How can SCA tools help?

Prove compliance to coding guidelines and coding rules

Boost overall development productivity

• Nearly all functional safety standards recommend or require use of language subsets
• SCA tools enforce such rules with feedback to developers and reports showing compliance or gaps
• Detect security, reliability, maintainability issues as early in the development process as possible
• No time wasted finding coding errors in testing
• Allows focus on testing functionality, which is likely to generate better software

Page 24

Practice #4: Manage open source risk

Page 25

The state of OSS

• 76% of organizations lack meaningful controls over OSS selection and use
• 80% of developers need not prove security of OSS they are using
• 20% of the organizations claim to track vulnerabilities in OSS over time
– 11 million developers worldwide make 13 billion open source requests each year.

Increased use + few controls = unmanaged risk

Page 26

Step 1: Define policies

• Create policies based on needs assessment
• Adopt governance based on requirements
• Security, maintenance, support, and training
• Internal vs. commercially-distributed software
• Supply chain intake:
– 3rd party software
– Outsourced development
• Acquisition and approval strategies and workflows
• Ongoing audits and compliance documentation
• Industry or supply chain mandates

[Diagram roles: OSS standards team, OSS review board, OSS compliance officer]

Page 27

Step 2: Know your inventory

What’s in your codeline?

Scan for OSS
• Identify embedded projects, files, or code snippets
• Adaptive, real-time updates
• Reveal licensing and copyright/copyleft information

Analyze for risk
• OSS use
• Licensing and compliance: permissive & copyleft
• OSS within other OSS and binaries
• Internal policy compliance
• External policy compliance

Page 28

Step 3: Promote safe ongoing use

Who supports your OSS code?

Ongoing governance
• Support and maintenance
• Baseline and continuous delta scans
• Open source repository that reflects policy and compliance
• Proactive version and security update notifications
• Monitor for security risks and software updates
• Continuity regardless of internal changes or team realignment
• Downstream IT application use and management

Page 29

Practice #5: Streamline with continuous integration

Page 30

The age of consumer demands

• “Assembling” vs. “code from scratch” is the new ethos
• Increased need for pipeline automation to simplify and streamline delivery
• Complexity and size increasing
• Security and compliance are immediate concerns
• Open source use increasing

Page 31

Automation is key to successful CI

Scanning to discover open

• Automate the discovery of security weaknesses, compliance violations, defects
• Self-testing frees up developers’ time
• Run as part of Continuous Integration
• Identify areas of bad code
• Prove safety and compliance

Continuous Integration and Continuous Delivery
• Automate the build process
• Continuous Testing and static analysis
• Valuable feedback and visible results
• Automate testing
• Automate reporting

Page 32

Q&A

Page 33

See us in action:

www.roguewave.com

Rod [email protected]
