Discover how to create a viable Connected Car business model and drive consumer uptake through a safer driving experience. Everyone is aware of the need to worry about security but it isn't just about security--it's about all of the coding fundamentals including code quality, security, and open source management.
In this presentation you will learn how to:
-Measure the gaps in your developer's code first: Nearly 90% of all detected security holes can be traced back to just ten types of vulnerabilities
-Educate your developers: 57% of people don't think automotive software development teams have the skills necessary to combat software security threats
-Empower your developers with the right policies, processes, and tools to fill these gaps: 48% of people believe one of the main challenges of security automobile software is due to lack of defined corporate application security policies
This issue had fixes in a couple of files, but this is probably the most important spot. The problem here is pretty subtle, and you’d need to understand the surrounding context to make a lot of sense of it, but due to the logical OR you can come through this path when issue token is set to one, yet you don’t have a valid time stamp. Meaning, you’re allowing the caller to get the next token without properly checking the request.
The fix changes the code a bit, but fundamentally, it makes the control logic easier to see and much clearer. This is a good practice to get into—don’t use a bunch of tricky nested conditionals or pile up statements with side-effects, or you might not get the result you intended. For the fix, we clear the “issue token” flag at the start, and we only set it if we pass through the conditionals and have a valid timestamp. Now the attacker gets caught if they issue bad requests.
Only 30% of developers believe that software updates should be handled by OTA
Modern SCA discovers issues far deeper in code and then ever before - due to cutting-edge algorithms and faster hardware - allowing tools to go well beyond simple defects into very complex interactions, standards compliance, and custom checkers.
SCA products are now engineered so the tool pushes the chosen security coding standards and their associated checkers and taxonomies to every developer's desktop. Everyone is notified as they write their code if they have violated the standards or introduced any vulnerabilities or defects. Fix any potential software security problems immediately, before code check-in. This frees up valuable developer time to work on more critical assignments.
Most organizations need to comply with multiple coding standards to ensure software security. Klocwork includes built-in checkers to support all of the leading standards.
Klocwork ships with hundreds of checkers. Our source code analysis engine can be tailored to enforce the rules for compliance with each standard by enabling or disabling individual checkers or full checker groups to meet the specific needs of your software development environment and processes. We've also worked with some of the largest consumer, military, communications, electronic, mobile and other companies in the world to create a checker API, providing your teams the ability to quickly and easily create customized security checkers.
The statistics we’ve used on the frequency of vulnerability problems is from this data. They provide a fantastic resource, but there’s a huge amount of info there. We’ve tried to boil that vast repository of vulnerability info into the tips that will best help the embedded engineer.
We are focused on finding problems that affect software that could be used within an automotive telematics or infotainment system. We screened the vulnerability database to remove web, server, scripting, CRM or anything else that wasn’t embedded, however the types of problems we’re discussing are common to a large number of varying types of embedded systems, not just automotive.
All of the examples come from actual source code—we look at some of the real vulnerabilities reported this year and see how they were fixed.