Five ways to protect your software supply chain from hacks, quacks, and wrecks

Software security is making headlines today, whether it's alarming data breaches, frustrating service downtimes, or expensive product recalls. It's more important than ever for organizations to know where their embedded software is coming from and how it's being developed - protecting against security hacks, quality quacks, and safety wrecks.
Understanding how these failures occur and identifying steps to minimize them across the supply chain is key to protecting you and your organization from costly fixes and lost satisfaction. This paper will explain how defects are introduced into code bases and how you can combat them by discussing common security threats and standards, code safety considerations (such as ISO 26262), and how continuous automated testing can enforce risk mitigation strategies across the entire supply chain.


  1. Five ways to protect your software supply chain from hacks, quacks, & wrecks. Embedded World Exhibition & Conference, February 25, 2015
  2. Presenter: Rod Cope, CTO, Rogue Wave Software. © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
  3. Agenda: Challenging automotive software; How defects are introduced; Five strategies; Q&A
  4. Challenging automotive software
  5. Automotive hacks are well documented
  6. Real numbers: 2014 marked the highest number of recalls ever, affecting over 60 million vehicles. The number of data breaches has climbed steadily in the past 10 years: 800 predicted in 2015.
  7. How defects are introduced
  8. “What really amazes me is the sheer number of lines of code of software running on all these ECUs, especially if compared to other products and computer software. A modern high-end car features around 100 million lines of code, and this number is planned to grow to 200-300 millions in the near future.” - Andrea Busnelli
  9. The software supply chain [diagram]. Labels: Open source; Your product; Legacy; COTS; Contractors; ISV; Integrate; test; Cost to fix defects ($$$$, $)
  10. The software supply chain: What happens when outsourcing goes wrong? Software suppliers can introduce risks (security, functional, compliance) before they reach you. Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize. If hooks are left in the code, sensitive data can be sent back to the supplier.
  11. The software supply chain – example: Toyota unintended acceleration – Electronic Throttle Control System (ETCS). “…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant”
  12. Our changing workplace: Agile, continuous integration, continuous delivery; Understanding processes; Educating teams; Implementing tools; Enforcing compliance; Measuring success; Adopting new standards; Systems integrators vs. systems builders; Multiple development teams
  13. The Internet of Things (connected car)
  14. So what does this mean? Cars with millions of lines of code, dozens of processors; Multiple systems interconnected; Designed years ago without security in mind; New code, COTS, suppliers, legacy, open source; Different platforms, people, and processes; Vulnerabilities and bugs will last for years; Not an easy update/upgrade path; Automation will be critical; Certification is inevitable. More and more software running inside embedded systems. More and more software running inside your car. Multiple sources of software being integrated. Software that has to run for many years. This requires a very significant security, safety, & functional verification process.
  15. Strategy #1: Adopt proven, accepted standards
  16. Not-so industry standard: Go beyond the standards you know already. OWASP Top 10 identifies common vulnerabilities from over 500,00 issues being researched today. CWE is a community-driven identification of weaknesses. CWE-20: Improper Input Validation. Well-known, proven security standards. ISO 26262. MISRA (automotive).
  17. Strategy #2: Promote software policies
  18. Open source example: Open source fills a specific technical gap in your product or development environment – delivered “as is” and rarely created with security in mind. Most organizations don’t know where and how OSS is being used. Using risky components is #9 on OWASP’s Top 10 list. Over 50% of enterprise organizations adopt and contribute to OSS today.
  19. Promote smart open source use. • Use only trusted packages • Notify and update security fixes. Reduce technical risk with OSS support. • Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations • Look for scanning tools that are SaaS and protect your IP by not requiring source code upload. Know your inventory with OSS scanning. • Get notified of latest patches, risks, and bugs. Establish an OSS policy to minimize risk.
  20. Strategy #3: Find security flaws earlier
  21. How do hacks happen? Data breaches are the result of one flawed assumption: Incoming data is well-formed. Most breaches result from input trust issues: SQL injection; Unvalidated input; Heartbleed: buffer overrun; BMW patch: HTTP vs. HTTPS; Cross-site scripting.
  22. What can you do? Need to “bake in” security. All of the supply chain needs to be secure, not just your code but the code of the packages included in your software. Follow a well-known security standard applicable to your domain. Educate the development team, provide security-based training. Automate to find flaws as soon as possible!
  23. Strategy #4: Deploy automatic, agile testing
  24. Build into process: Automate the build process; Automate testing; Automate the discovery of security weaknesses, compliance violations, defects; Free up developer’s time
  25. Analysis and testing: Static code analysis. Traditionally used to find simple, annoying bugs. Modern, state-of-the-art SCA: Sophisticated inter-procedural control and data-flow analysis; Model-based simulation of runtime expectation; Provides an automated view of all possible execution paths; Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows; Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO26262
  26. Analysis and testing: Check code faster • Issues identified at developer’s desktop – Correct code before check-in – All areas impacted by a given defect are highlighted – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action • Create custom checkers to meet specific needs • Debugger-like call-stack highlights the cause of the issues • Context-sensitive help provides industry best-practices and explanations. [Diagram labels: 50% of defects introduced here; Build; Analysis / Test]
  27. Strategy #5: Stay on top of things
  28. Build into process: Automate the build process; Automate testing; Automate reporting; Automate the discovery of security weaknesses, compliance violations, defects; Free up developer’s time; Seeing trends helps identify areas of bad code
  29. Monitor issues closely: Security Vulnerabilities; License Violation
  30. Q&A
  31. See us in action: www.roguewave.com. Rod Cope, rod.cope@roguewave.com
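
Slide 21 traces breaches to the assumption that incoming data is well-formed and cites Heartbleed's buffer overrun as one case. The C sketch below is an added example, not part of the presentation: a length-prefixed echo handler before and after validating the claimed length against the bytes actually received (CWE-20). The request layout, buffer size, function names and sample bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RXBUF_SIZE 64   /* receive buffer, reused between messages */
/* Assumed request layout (constructed for this example):
   bytes 0-1 = claimed payload length, big-endian; bytes 2.. = payload.
   Before: the length field is trusted. It is capped only at the buffer size
   (so the demo stays in bounds), never at the bytes actually received. */
size_t echo_unchecked(const uint8_t *rx, size_t received, uint8_t *out) {
    size_t claimed = ((size_t)rx[0] << 8) | rx[1];
    (void)received;                          /* the flaw: never consulted */
    if (claimed > RXBUF_SIZE - 2) claimed = RXBUF_SIZE - 2;
    memcpy(out, rx + 2, claimed);
    return claimed;
}

/* After: the claimed length must fit inside what was received. */
int echo_checked(const uint8_t *rx, size_t received, uint8_t *out) {
    if (received < 2 || received > RXBUF_SIZE) return -1;
    size_t claimed = ((size_t)rx[0] << 8) | rx[1];
    if (claimed > received - 2) return -1;   /* malformed: drop it */
    memcpy(out, rx + 2, claimed);
    return (int)claimed;
}

/* Constructed input: a 6-byte request claiming 32 payload bytes lands in
   a buffer that still holds data from an earlier message. */
static size_t make_request(uint8_t *rx) {
    memset(rx, 0, RXBUF_SIZE);
    memcpy(rx + 8, "stale-session-key", 17);
    rx[0] = 0x00; rx[1] = 0x20;              /* claims 32 bytes */
    memcpy(rx + 2, "ping", 4);               /* sends only 4 */
    return 6;                                /* bytes actually received */
}

int unchecked_leaks_stale_data(void) {       /* 1 if the reply leaks */
    uint8_t rx[RXBUF_SIZE], out[RXBUF_SIZE];
    size_t n = echo_unchecked(rx, make_request(rx), out);
    return n == 32 && memcmp(out + 6, "stale-session-key", 17) == 0;
}

int checked_rejects_bad_length(void) {       /* 1 if lie dropped, truth echoed */
    uint8_t rx[RXBUF_SIZE], out[RXBUF_SIZE];
    size_t received = make_request(rx);
    int lying = echo_checked(rx, received, out);
    rx[1] = 0x04;                            /* honest length field */
    int honest = echo_checked(rx, received, out);
    return lying == -1 && honest == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void) { return !(unchecked_leaks_stale_data() && checked_rejects_bad_length()); }
```

The unchecked handler returns 32 bytes for a 4-byte payload, and the extra bytes are whatever the buffer held before; the checked handler drops the same request and still echoes an honest one.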
