Automobiles are incorporating a sophisticated mix of connectivity, driver assistance, and consumer device integration. Capabilities for integrating smart devices and utilizing Wi-Fi connectivity for wide area connectivity on the road is proliferating. The mix of consumer device, infotainment, and critical driver assist and safety technologies present a myriad of time to market and security challenges for auto manufacturers. Join us as auto technology experts discuss the "Auto IoT" environment and the latest tools, technologies, and design considerations for implementation and delivery.
Everyone knows these news stories – the threat to automotive code is growing and development teams struggle to find the best approach to combat it.
Data breaches are the result of one flawed assumption:
INCOMING DATA IS WELL-FORMED
Most breaches result from input trust issues
Cross-site scripting, SQL injection, unvalidated input
Heartbleed: buffer overrun
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
9 out of 10 items are the result of unvalidated or unprotected input
CWE is a community-driven identification of weaknesses
CWE-20: Improper Input Validation: When software does not validate input properly, an attacker is able to craft the input in a form that is not expected…which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Not only is there a lack of secure coding principles on development teams, the complexity of the software itself has grown well beyond traditional testing methods.
The IoT and the connected car just adds to the security challenges. Sensors, devices, vehicles, manufacturer apps for third-party
What attacks will these software components be exposed to?
Will it be accessible over some type of network? Is remote access possible? Is the weakness easy to comprehend by the average attacker?
How do we gauge the “security health” of code coming in?
How do we achieve compliance?
Lengthy process, unclear expectations, lots of resources
Let’s not forget the regular bugs
Can automated testing be more effective?
http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences
An example of unintended behavior introduced via a supplier.
80% of software developers fail software security tests (Aspect Security)