Secure automotive software development
June 24, 2015
Walter Capitani
Product Manager, Klocwork
Agenda
• Security in automotive software development
• The software supply chain
• Forging more secure code
Security in automotive software development
Automotive hacks are well documented
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
How does this happen?
Data breaches are the result of one flawed assumption: “Incoming data is well-formed”
Most breaches result from input trust issues
• Cross-site scripting
• SQL injection
• Unvalidated input
• Heartbleed: buffer overrun
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
CWE is a community-driven identification of weaknesses
• CWE-20: Improper Input Validation
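The flawed assumption on this slide ("incoming data is well-formed"), shown as an added C example that is not part of the original deck: a handler that trusts a sender-supplied length field beside one that validates it (CWE-20). The frame layout, message types and function names are assumptions made for the illustration, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (an assumption for this example):
 *   byte 0     message type
 *   bytes 1-2  payload length claimed by the sender, big-endian
 *   bytes 3..  payload                                           */
#define RX_BUF_SIZE 64u
#define HDR_SIZE    3u
#define MSG_ECHO    0x01u

typedef int (*echo_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Receive buffer reused across messages, as is common on small ECUs. */
static uint8_t rx_buf[RX_BUF_SIZE];

static uint16_t claimed_len(const uint8_t *frame)
{
    return (uint16_t)(((uint16_t)frame[1] << 8) | frame[2]);
}

/* BEFORE: assumes the frame is well-formed. The claimed length is never
 * compared with the number of bytes that actually arrived (rx_len). */
int echo_trusting(const uint8_t *rx, size_t rx_len, uint8_t *out, size_t out_cap)
{
    (void)rx_len;                      /* the flaw: ignored */
    uint16_t n = claimed_len(rx);
    if (n > out_cap) return -1;
    memcpy(out, rx + HDR_SIZE, n);     /* may read past the received data */
    return (int)n;
}

/* AFTER: every field is checked against what was really received. */
int echo_validated(const uint8_t *rx, size_t rx_len, uint8_t *out, size_t out_cap)
{
    if (rx == NULL || out == NULL) return -1;
    if (rx_len < HDR_SIZE || rx_len > RX_BUF_SIZE) return -1;
    if (rx[0] != MSG_ECHO) return -1;
    uint16_t n = claimed_len(rx);
    if ((size_t)n != rx_len - HDR_SIZE) return -1;  /* length must match */
    if (n > out_cap) return -1;
    memcpy(out, rx + HDR_SIZE, n);
    return (int)n;
}

/* Copies a frame into the shared buffer; bytes past len keep old contents. */
static size_t receive(const uint8_t *frame, size_t len)
{
    if (len > RX_BUF_SIZE) len = RX_BUF_SIZE;
    memcpy(rx_buf, frame, len);
    return len;
}

/* Sends a 2-byte payload that claims to be 16 bytes long, after an earlier
 * (constructed) message left data in the buffer. Returns how many reply
 * bytes were never sent in the request, or 0 if the frame was rejected. */
int stale_bytes_in_reply(echo_fn handler)
{
    static const uint8_t earlier[] = { 0x02, 0x00, 0x10,
        'S','E','S','S','I','O','N','-','K','E','Y','-','0','0','4','2' };
    static const uint8_t probe[] = { MSG_ECHO, 0x00, 0x10, 'h', 'i' };
    uint8_t out[RX_BUF_SIZE];

    memset(rx_buf, 0, sizeof rx_buf);
    receive(earlier, sizeof earlier);
    size_t got = receive(probe, sizeof probe);
    int n = handler(rx_buf, got, out, sizeof out);
    if (n < 0) return 0;
    return n - (int)(got - HDR_SIZE);
}

/* A well-formed echo request must still work with either handler. */
int honest_reply_len(echo_fn handler)
{
    static const uint8_t ok[] = { MSG_ECHO, 0x00, 0x02, 'h', 'i' };
    uint8_t out[RX_BUF_SIZE];
    size_t got = receive(ok, sizeof ok);
    return handler(rx_buf, got, out, sizeof out);
}

int main(void)
{
    printf("trusting handler, stale bytes echoed:  %d\n",
           stale_bytes_in_reply(echo_trusting));
    printf("validated handler, stale bytes echoed: %d\n",
           stale_bytes_in_reply(echo_validated));
    printf("validated handler, well-formed reply:  %d bytes\n",
           honest_reply_len(echo_validated));
    return 0;
}
```

The demonstration keeps every read inside `rx_buf`, so it is safe to run; with a larger claimed length the trusting handler would read beyond the buffer itself.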
Increasing size
Software is growing fast
[Bar chart: LOC (millions), axis from 0 to 350, for USAF F-22, USAF F-35 JSF, Avg Ford car 2009, Boeing 787 Dreamliner, Avg Ford car 2010, S-class Nav 2009, Avg luxury car 2010, Avg luxury car 2014*]
*Estimated. Sources: IEEE Automotive Designline, IEEE Spectrum
Increasing complexity: Connected cars
So what does this mean?
More and more software running inside your car
– Millions of lines of code, dozens of processors, each with multiple cores
– Multiple systems interconnected
– Some designed years ago with little or no security in mind
Multiple sources of software being integrated
– New code, COTS, suppliers, legacy, open source
– Different platforms, people, and processes
Software running your car could remain that way for many years
– Vulnerabilities and bugs will last for years
– Not an easy update/upgrade path
This requires a very significant security and functional verification process
– Automation will be critical
– Certification is inevitable
Problems
• What attacks will these software components be exposed to?
• Will it be accessible over some type of network? Remote access?
• How do we gauge the security health of code coming in?
• How do we measure compliance?
• Lengthy process, unclear expectations, lots of resource
• Are we spending time on “regular” bugs?
• Can automated testing be more effective?
• Do you have confidence in your suppliers? The Open Source community?
Software supply chain
What happens when outsourcing goes wrong?
• Software suppliers can introduce risks (security, functional, compliance) before they reach you
• Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize
• If hooks are left in the code, sensitive data can be sent back to the supplier
Software supply chain - example
Toyota unintended acceleration - Electronic Throttle Control System (ETCS)
• “…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant” [1]
• The ECU software also used recursion (prohibited!), which would be detected by MISRA 2004 compliant source code analysis
Forging more secure code
What can you do?
• Need to “bake in” security
• Educate the development team, provide security-based training
• All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
• Follow a well-known security standard applicable to your domain
• Automate!
What can automation do?
• Automate the build process
• Automate testing
• Automate reporting
• Automate the discovery of security weaknesses, compliance violations, defects
• Free up developer’s time
• Seeing trends helps identify areas of bad code
Analysis and testing
Static code analysis
Traditionally used to find simple, annoying bugs
Modern, state-of-the-art SCA
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
• Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO26262
Analysis and testing
Check code faster
• Issues identified at your desktop
– Correct code before check-in
– All areas impacted by a given defect are highlighted
– After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
• Create custom checkers to meet specific needs
• Debugger-like call-stack highlights the cause of the issues
• Context-sensitive help provides industry best-practices and explanations
[Diagram: development stages including Build and Analysis / Test, with the annotation “50% of defects introduced here”]
Autos, Wi-Fi, and IoT

More Related Content

What's hot

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
Parasoft
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 

What's hot (20)

Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain Management
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply Chain
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 

Viewers also liked

Ahmed Anwar Senior Architect
Ahmed Anwar Senior Architect Ahmed Anwar Senior Architect
Ahmed Anwar Senior Architect
Ahmed Anwar
 
Mahmoud Mostafa Mohamed Lashen
Mahmoud Mostafa Mohamed LashenMahmoud Mostafa Mohamed Lashen
Mahmoud Mostafa Mohamed Lashen
mahmoud lashen
 

Viewers also liked (15)

new cv najah
new cv najahnew cv najah
new cv najah
 
Shelf help final presentation (eecs 441)
Shelf help final presentation (eecs 441)Shelf help final presentation (eecs 441)
Shelf help final presentation (eecs 441)
 
GlassFish v3 Prelude Aquarium Paris
GlassFish v3 Prelude Aquarium ParisGlassFish v3 Prelude Aquarium Paris
GlassFish v3 Prelude Aquarium Paris
 
Hu sb maersk_5.3_final
Hu sb maersk_5.3_finalHu sb maersk_5.3_final
Hu sb maersk_5.3_final
 
Tips for Fixing A Hacked WordPress Site - Vlad Lasky
Tips for Fixing A Hacked WordPress Site - Vlad LaskyTips for Fixing A Hacked WordPress Site - Vlad Lasky
Tips for Fixing A Hacked WordPress Site - Vlad Lasky
 
Fortaleciendo las competencias de los lideres
Fortaleciendo las competencias  de los lideresFortaleciendo las competencias  de los lideres
Fortaleciendo las competencias de los lideres
 
Ahmed Anwar Senior Architect
Ahmed Anwar Senior Architect Ahmed Anwar Senior Architect
Ahmed Anwar Senior Architect
 
How enterprises learned to stop worrying and love open source
How enterprises learned to stop worrying and love open sourceHow enterprises learned to stop worrying and love open source
How enterprises learned to stop worrying and love open source
 
Future of blogging 2016
Future of blogging 2016Future of blogging 2016
Future of blogging 2016
 
Fanless Embedded PCs for Outdoor Kiosks Applications Guide
Fanless Embedded PCs for Outdoor Kiosks Applications GuideFanless Embedded PCs for Outdoor Kiosks Applications Guide
Fanless Embedded PCs for Outdoor Kiosks Applications Guide
 
Mahmoud Mostafa Mohamed Lashen
Mahmoud Mostafa Mohamed LashenMahmoud Mostafa Mohamed Lashen
Mahmoud Mostafa Mohamed Lashen
 
9 Tips om te groeien op Instagram - Interieur branche
9 Tips om te groeien op Instagram - Interieur branche 9 Tips om te groeien op Instagram - Interieur branche
9 Tips om te groeien op Instagram - Interieur branche
 
климатични пояси и области в европа
климатични пояси и области в европаклиматични пояси и области в европа
климатични пояси и области в европа
 
Hallmark Business Connections
Hallmark Business ConnectionsHallmark Business Connections
Hallmark Business Connections
 
FMUK - E-business & E-marketing 3.10.2016: Webdesign: čo treba pre úspešný we...
FMUK - E-business & E-marketing 3.10.2016: Webdesign: čo treba pre úspešný we...FMUK - E-business & E-marketing 3.10.2016: Webdesign: čo treba pre úspešný we...
FMUK - E-business & E-marketing 3.10.2016: Webdesign: čo treba pre úspešný we...
 

Similar to Autos, Wi-Fi, and IoT

real simple reliable software
real simple reliable software real simple reliable software
real simple reliable software
AnnMarieNeufelder1
 
Strategies for Web Application Security
Strategies for Web Application SecurityStrategies for Web Application Security
Strategies for Web Application Security
OpSource
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
baoyin
 
Secure development of code
Secure development of codeSecure development of code
Secure development of code
SalomeVictor
 

Similar to Autos, Wi-Fi, and IoT (20)

Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Navigating agile automotive software development
Navigating agile automotive software development Navigating agile automotive software development
Navigating agile automotive software development
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTDeliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CT
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
real simple reliable software
real simple reliable software real simple reliable software
real simple reliable software
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
 
Strategies for Web Application Security
Strategies for Web Application SecurityStrategies for Web Application Security
Strategies for Web Application Security
 
Strategies for Web Application Security
Strategies for Web Application SecurityStrategies for Web Application Security
Strategies for Web Application Security
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Secure development of code
Secure development of codeSecure development of code
Secure development of code
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 

More from Rogue Wave Software

More from Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data Perspective
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformation
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Recently uploaded

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 

Recently uploaded (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 

Autos, Wi-Fi, and IoT

  • 1. Secure automotive software development June 24, 2015 Walter Capitani Product Manager, Klocwork
  • 2. Agenda • Security in automotive software development • The software supply chain • Forging more secure code
  • 4. Automotive hacks are well documented © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 4
  • 5. © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 5 How does this happen? Incoming data is well- formed Data breaches are the result of one flawed assumption Cross-site scripting Most breaches result from input trust issues OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today SQL injection Unvalidated input Heartbleed: buffer overrun CWE is a community-drive identification of weaknesses CWE-20: Improper Input Validation
  • 6. Increasing size © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 6 Software is growing fast 0 50 100 150 200 250 300 350 USAF F-22 USAF F-35 JSF Avg Ford car 2009 Boeing 787 Dreamliner Avg Ford car 2010 S-class Nav 2009 Avg luxury car 2010 Avg luxury car 2014* LOC (millions) *Estimated Sources: IEEE Automotive Designline, IEEE Spectrum
  • 7. Increasing complexity: Connected cars © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 7
  • 8. © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 8 So what does this mean? – Millions of lines of code, dozens of processors, each with multiple cores – Multiple systems interconnected – Some designed years ago with little or no security in mind – New code, COTS, suppliers, legacy, open source – Different platforms, people, and processes – Vulnerabilities and bugs will last for years – Not an easy update/upgrade path – Automation will be critical – Certification is inevitable More and more software running inside your car More and more software running inside your car Multiple sources of software being integrated Software running your car could remain that way for many years This requires a very significant security and functional verification process
  • 9. © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 9 Problems What attacks will these software components be exposed to? Will it be accessible over some type of network? Remote access? How do we gauge the security health of code coming in? How do we measure compliance? Lengthy process, unclear expectations, lots of resource Are we spending time on “regular” bugs? Can automated testing be more effective? Do you have confidence in your suppliers? The Open Source community?
  • 10. Software supply chain: What happens when outsourcing goes wrong? Software suppliers can introduce risks (security, functional, compliance) before they reach you. Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize. If hooks are left in the code, sensitive data can be sent back to the supplier.
  • 11. Software supply chain - example: Toyota unintended acceleration - Electronic Throttle Control System (ETCS) • “…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant” [1] • The ECU software also used recursion (prohibited!), which would be detected by MISRA 2004 compliant source code analysis
  • 13. What can you do? All of the supply chain needs to be secure, not just your code but the code of the packages included in your software. Follow a well-known security standard applicable to your domain. Need to “bake in” security. Educate the development team, provide security-based training. Automate!
  • 14. What can automation do? – Automate the build process – Automate testing – Automate reporting – Scanning to discover open – Automate the discovery of security weaknesses, compliance violations, defects – Free up developer’s time – Seeing trends helps identify areas of bad code
  • 15. Analysis and testing: Static code analysis. Traditionally used to find simple, annoying bugs. Modern, state-of-the-art SCA: sophisticated inter-procedural control and data-flow analysis; model-based simulation of runtime expectation; provides an automated view of all possible execution paths. Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows. Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO26262.
  • 16. Analysis and testing: Check code faster • Issues identified at your desktop – Correct code before check-in – All areas impacted by a given defect are highlighted – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action • Create custom checkers to meet specific needs • Debugger-like call-stack highlights the cause of the issues • Context-sensitive help provides industry best-practices and explanations. [Diagram: Build, Analysis / Test; 50% of defects introduced here]

Editor's Notes

  1. Everyone knows these news stories – the threat to automotive code is growing and development teams struggle to find the best approach to combat it.
  2. Data breaches are the result of one flawed assumption: INCOMING DATA IS WELL-FORMED. Most breaches result from input trust issues: cross-site scripting, SQL injection, unvalidated input. Heartbleed: buffer overrun. OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today; 9 out of 10 items are the result of unvalidated or unprotected input. CWE is a community-driven identification of weaknesses. CWE-20: Improper Input Validation: When software does not validate input properly, an attacker is able to craft the input in a form that is not expected…which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
  3. Not only is there a lack of secure coding principles on development teams, the complexity of the software itself has grown well beyond traditional testing methods.
  4. The IoT and the connected car just add to the security challenges. Sensors, devices, vehicles, manufacturer apps for third-party
  5. What attacks will these software components be exposed to? Will it be accessible over some type of network? Is remote access possible? Is the weakness easy to comprehend by the average attacker? How do we gauge the “security health” of code coming in? How do we achieve compliance? Lengthy process, unclear expectations, lots of resources. Let’s not forget the regular bugs. Can automated testing be more effective?
  6. http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences An example of unintended behavior introduced via a supplier.
  7. 80% of software developers fail software security tests (Aspect Security)
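
The "incoming data is well-formed" assumption from note 2 (CWE-20, with Heartbleed as the buffer-overrun case), shown as an added example that is not from the slides or from Klocwork. The two-byte frame layout, the function names and the sample buffer are hypothetical and constructed for illustration: one parser trusts the length field the sender declared, the other checks it against the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame layout (assumption): [0]=type, [1]=declared payload length, [2..]=payload */
#define HDR_LEN 2u

/* Flawed: assumes incoming data is well-formed and trusts the declared length. */
size_t echo_trusting(const uint8_t *buf, size_t received, uint8_t *out)
{
    (void)received;                  /* never consulted: this is the CWE-20 defect */
    size_t n = buf[1];
    memcpy(out, buf + HDR_LEN, n);   /* copies bytes the sender never sent */
    return n;
}

/* Hardened: every length is checked against what actually arrived. */
int echo_validated(const uint8_t *buf, size_t received,
                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (!buf || !out || !out_len) return -1;
    if (received < HDR_LEN) return -1;          /* truncated header */
    size_t n = buf[1];
    if (n > received - HDR_LEN) return -1;      /* declared more than was received */
    if (n > out_cap) return -1;                 /* would overflow the output buffer */
    memcpy(out, buf + HDR_LEN, n);
    *out_len = n;
    return 0;
}

/* Constructed receive buffer: a 6-byte frame declaring 16 payload bytes, followed by
   stale bytes from an earlier message (stands in for adjacent memory). */
static const uint8_t RX[24] = { 0x01, 16, 'p', 'i', 'n', 'g',
    'S','E','C','R','E','T','-','K','E','Y','-','0','1','2','3','4','5','6' };
#define RX_RECEIVED 6u

/* Returns 1 when the trusting parser leaks stale bytes and the validated one refuses. */
int demo(void)
{
    uint8_t out[32] = {0}, honest[sizeof RX];
    size_t m = 0;
    size_t n = echo_trusting(RX, RX_RECEIVED, out);
    int leaked = (n == 16) && memcmp(out + 4, "SECRET-KEY-0", 12) == 0;
    int rejected = echo_validated(RX, RX_RECEIVED, out, sizeof out, &m) == -1;
    memcpy(honest, RX, sizeof RX);
    honest[1] = 4;                              /* same frame with an honest length */
    int accepted = echo_validated(honest, RX_RECEIVED, out, sizeof out, &m) == 0 && m == 4;
    return leaked && rejected && accepted;
}
```

The unchecked `memcpy` in `echo_trusting` is the kind of path a data-flow static analyzer reports, because the copy length derives from received data without a bounds check.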