Create code confidence for better application security
June 11, 2015
SC Congress Toronto 2015
Presenter: Jeff Hildreth, Automotive Account Manager, Rogue Wave Software
How many people are ready for a sales pitch?
Agenda
• We’re all saying the same thing
• Wrangling order from chaos
• A holistic approach to cybersecurity
• Take action!
• Conclusions: Managing your Supply Chain
• Q&A
We’re all saying the same thing
• Network intrusions
• Information theft
• Outside reprogramming of systems
• Code vulnerabilities
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
“We all clearly created these presentations in a vacuum because we’re all using the same material.”
IQPC Automotive Cyber Security Summit, two months ago
• Develop a specific strategy that fits into what we’re already doing
• Be different
• You have the tools already
Wrangling order from chaos
Look at the data you’re already faced with:
• 1000s of bugs
• Run time simulation testing
• Customer defects
• Avg. number of security risks: 22.4
• Safety requirements
How do you handle this information overload?
Security overload
• Media: news; blogs, social media, conferences
• Standards and legislation: security standards (OWASP, CWE, CERT, etc.)
• Research: NVD, White Hat, Black Hat
• Requirements: OEMs, internal
• Senator Markey report
• More and more software running inside your car
Developers don’t know security (80% failed security knowledge survey)
Where do organizations fail?
Organizations have failed to prevent attacks:
• Lack of time
• Lack of focus/priority
• Lack of tools/proper tools
Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data
Most breaches result from input trust issues:
• SQL injection
• Unvalidated input
• Cross-site scripting
• Heartbleed: buffer overrun
• BMW patch: HTTP vs. HTTPS
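The input-trust point is easiest to see with the first item on that list. The following is an added example, not code from the deck or from Rogue Wave: it seeds a throwaway SQLite table with constructed users and runs the same lookup two ways, once with the input pasted into the SQL text and once as a bound parameter, so the textbook tautology input returns every row from the first variant and nothing from the second.

```python
import sqlite3

# Constructed sample data: a tiny user table for the demonstration.
SAMPLE_USERS = [("alice", "eng"), ("bob", "sales"), ("carol", "admin")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: untrusted input is pasted into the SQL text, so the
    database parses whatever quoting and operators the input contains."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the SQL text is fixed and the input travels as a bound
    parameter, which the driver delivers to the engine as data only."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input. Returns (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate name: both variants agree.
    print(compare("alice"))            # (1, 1)
    # The classic tautology: the unsafe variant returns every row, the
    # parameterized one looks for a user literally named that and finds none.
    print(compare("' OR '1'='1"))      # (3, 0)
```

The fix is not to validate the quote character away but to stop building SQL text from input at all; parameter binding is what a static analysis checker for CWE-89 looks for, which is why it shows up as a countable metric later in the deck.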
What are the risks?
Risks include:
• Network intrusion
• Information theft
• Outside reprogramming of systems
• Code vulnerabilities
What can you do?
• Need to “bake in” security
• All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
• Follow a well-known security standard applicable to your domain
• Educate the development team; provide security-based training, guidance and checklists
• Automate!
• Perform Threat Assessment
Do you agree that security testing adds 25% of time to your release schedule?
Agile Development – Integrated Security
[Diagram: Sprint 1, Sprint 2 … Sprint n, each followed by Integrate and Test; Release decision: Yes! → Release to Market, No! → Next Iteration; Accept / Change → Adjust and Track, Feedback, Review]
Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
Typical bottlenecks
[Diagram: delivery pipeline Idea proposed → Understand Needs & Invent Solutions → Develop, Commit & Build → Functional Testing → Load, Performance, Security, … Testing → UAT/Exploratory Testing → Release Decision → Deploy Solution → Customer Value, with the bottlenecks below marked at each stage]
• Too much WIP
• Inability to quickly try out ideas
• Lack of access to dev & test environments
• Lack of effective build/integration automation
• Manual testing
• Design complexity
• Lack of effective API-driven test automation
• Lack of effective release candidate quality information
• Manual environment management and deployment
• Lack of effective customer insight
Ever-present bottlenecks: hand-offs and wait time
Enablers
[Diagram: delivery pipeline Idea proposed → Understand Needs & Invent Solutions → Develop, Commit & Build → Functional Testing → Load, Performance, Security, … Testing → UAT/Exploratory Testing → Release Decision → Deploy Solution → Customer Value, with the enablers below marked at each stage]
• Smaller batches/payload (Agile)
• Infrastructure as Code; environments on demand; cloned/templated environments
• Continuous Integration
• Continuous Testing
• Loose architectural coupling
• Sufficient test data to make decisions
• Infrastructure as Code
• Release Automation
• Application analytics, CX data
• Everywhere: cross-functional teams, simplified roles
A holistic approach to cybersecurity
[Diagram: Threat Model, fed by an Internal Threat Metric and External Data, leading to Action]
Information overload → Develop an adaptive threat model
Threat model
Threat modelling identifies, quantifies, and addresses security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
Process: Identify Assets → System Overview → Decompose Application → Identify Threats → Prioritize Threats
External data sources
• Standards: Common Weakness Enumeration (MITRE); Open Web Application Security Project (OWASP); CERT (Carnegie Mellon University)
• National Governing Bodies: CVE database; National Vulnerability Database
• OEM RFP requirements
• Research: White Hat/Black Hat; University studies
• Media
[Diagram: these sources surround the Development Team]
Would you agree that customer requirements have the biggest influence on your decisions on security requirements?
Internal metrics
• Testing: automated unit tests; Hardware in the Loop (HIL) testing
• Security Team: penetration tests; open source scanning
• Software Tools: Static Code Analysis (SCA); compiler warnings
• Requirements
[Diagram: these sources surround the Development Team]
Developing a Threat Metric
Build Score
• Automated and functional testing can give you a pass/fail metric on every run of the test suite
• A metric can be generated from penetration testing based on the number of exploitable paths in your code base
• Software quality tools can give you a count of critical static analysis and compiler warnings
• A metric can be developed based on the presence of snippets of open source code previously undetected or open source with new known vulnerabilities
• All of these metrics can be generated on every build of your software
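One way to turn those four producers into a single per-build number and a release decision, as an added example that is not from the deck or from any Rogue Wave product: the weights, the review threshold and the sample builds below are all assumptions constructed for illustration, and a team would calibrate them against its own history of findings. The gate treats a failed suite, an exploitable path or a package with a known vulnerability as blocking on its own, and the trend function tracks the score from build to build so it can be read across sprints rather than once.

```python
from dataclasses import dataclass

# Assumed weights: each finding type contributes this much to the score.
WEIGHTS = {
    "tests_failed": 50,        # the suite is pass/fail, so one large step
    "exploitable_path": 25,    # each exploitable path found by pen testing
    "sca_critical": 5,         # each critical static-analysis finding
    "compiler_warning": 1,     # each compiler warning
    "oss_unknown_snippet": 3,  # each copied-in snippet not previously inventoried
    "oss_known_vuln": 10,      # each package with a newly published vulnerability
}
REVIEW_THRESHOLD = 20          # assumed: above this the build needs a security review


@dataclass
class BuildMetrics:
    """One build's raw inputs from the four producers the deck lists."""
    build_id: str
    tests_passed: bool
    exploitable_paths: int
    sca_critical: int
    compiler_warnings: int
    oss_unknown_snippets: int
    oss_known_vulns: int


def threat_score(m: BuildMetrics) -> int:
    """Weighted sum of the build's findings; higher is worse."""
    score = 0 if m.tests_passed else WEIGHTS["tests_failed"]
    score += m.exploitable_paths * WEIGHTS["exploitable_path"]
    score += m.sca_critical * WEIGHTS["sca_critical"]
    score += m.compiler_warnings * WEIGHTS["compiler_warning"]
    score += m.oss_unknown_snippets * WEIGHTS["oss_unknown_snippet"]
    score += m.oss_known_vulns * WEIGHTS["oss_known_vuln"]
    return score


def gate(m: BuildMetrics) -> dict:
    """Turn the score into a release decision: block, review or release.
    Some findings block regardless of the score."""
    reasons = []
    if not m.tests_passed:
        reasons.append("test suite failed")
    if m.exploitable_paths:
        reasons.append(f"{m.exploitable_paths} exploitable path(s) from pen test")
    if m.oss_known_vulns:
        reasons.append(f"{m.oss_known_vulns} OSS package(s) with known vulnerabilities")
    score = threat_score(m)
    if reasons:
        decision = "block"
    elif score > REVIEW_THRESHOLD:
        decision = "review"
        reasons.append(f"score {score} exceeds review threshold {REVIEW_THRESHOLD}")
    else:
        decision = "release"
    return {"build_id": m.build_id, "score": score, "decision": decision, "reasons": reasons}


def score_trend(builds: list) -> list:
    """Score every build in order and attach the change from the previous one,
    as (build_id, score, delta) tuples; delta is None for the first build."""
    trend = []
    previous = None
    for b in builds:
        s = threat_score(b)
        trend.append((b.build_id, s, None if previous is None else s - previous))
        previous = s
    return trend


# Constructed sample builds across three sprints.
SAMPLE_BUILDS = [
    BuildMetrics("build-101", True, 1, 4, 12, 2, 1),
    BuildMetrics("build-102", False, 0, 0, 0, 0, 0),
    BuildMetrics("build-103", True, 0, 1, 3, 0, 0),
]

if __name__ == "__main__":
    for b in SAMPLE_BUILDS:
        print(gate(b))
    print(score_trend(SAMPLE_BUILDS))
```

The point of the blocking rules is that a weighted sum alone can hide a single exploitable path behind a clean build elsewhere; the score is for trending, the hard rules are for the release decision.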
Continuous metric updates
• External data: Standards; Governing bodies; OEM RFP requirements; Research; Media
• Internal metrics: Testing; Pen tests; OSS scanning; Software tools; Requirements
[Diagram: both feed the Development Team]
Example: ECU
[Diagram: vehicle ECUs: Front, ADAS, Gateway, Infotainment, Rear distribution amplifier, Camera, Radar, X by wire, Telematics, Power train, Camera, Radar]
API-enabled metrics producers
Static code analysis
Traditionally used to find simple, annoying bugs.
Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
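To make “inter-procedural data-flow analysis” concrete, here is an added toy taint tracker; it is example code, not Rogue Wave’s analyzer or any product’s algorithm. It runs over a small hand-written instruction list (the instruction set and the sample program are constructed for the demonstration), follows a value from an untrusted source through assignments and calls into other functions, and reports where a tainted value reaches a sink. Real analyzers add path conditions, pointers and many more sink kinds; the shape of the problem is the same.

```python
# Toy inter-procedural taint analysis (added example, not a product's algorithm).
# A program is a dict of functions; each has a parameter list and a body of tuples:
#   ("source", var)            var receives untrusted input
#   ("const", var)             var receives a constant (untainted)
#   ("assign", dst, src)       dst takes src's taint
#   ("call", dst, fn, [args])  dst takes the taint of fn's return value
#   ("return", var)            the function's return value is var
#   ("sink", var, label)       a security-relevant use of var
# Callees are re-analyzed for each pattern of argument taints (context-sensitive),
# and instructions are walked in order within a function (flow-sensitive).


def analyze(program, entry="main"):
    """Return findings as (sink_label, variable, call_path) tuples."""
    findings = []
    in_progress = set()

    def run(fn_name, arg_taints, path):
        key = (fn_name, arg_taints)
        if key in in_progress:
            # Recursive call: assume the return is tainted if any argument is,
            # rather than looping forever (conservative, over-approximates).
            return any(arg_taints)
        in_progress.add(key)
        fn = program[fn_name]
        taint = dict(zip(fn["params"], arg_taints))
        ret_taint = False
        for instr in fn["body"]:
            op = instr[0]
            if op == "source":
                taint[instr[1]] = True
            elif op == "const":
                taint[instr[1]] = False
            elif op == "assign":
                taint[instr[1]] = taint.get(instr[2], False)
            elif op == "call":
                _, dst, callee, args = instr
                callee_args = tuple(taint.get(a, False) for a in args)
                taint[dst] = run(callee, callee_args, path + [callee])
            elif op == "return":
                ret_taint = taint.get(instr[1], False)
            elif op == "sink":
                _, var, label = instr
                if taint.get(var, False):
                    findings.append((label, var, list(path)))
        in_progress.discard(key)
        return ret_taint

    run(entry, (), [entry])
    return findings


# Constructed sample program: main reads a request parameter, passes it through
# a sanitizer (which returns a fresh constant) and through a pass-through helper
# that also logs its argument, then uses both results in SQL.
SAMPLE_PROGRAM = {
    "main": {
        "params": [],
        "body": [
            ("source", "req"),
            ("call", "clean", "sanitize", ["req"]),
            ("call", "copy", "passthru", ["req"]),
            ("sink", "clean", "sql"),
            ("sink", "copy", "sql"),
        ],
    },
    "sanitize": {"params": ["p"], "body": [("const", "out"), ("return", "out")]},
    "passthru": {"params": ["p"], "body": [("sink", "p", "log"), ("return", "p")]},
}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROGRAM):
        print(finding)
```

Running it reports two findings: the log sink inside `passthru`, reached with a tainted argument from `main`, and the SQL sink on `copy` in `main`; the sanitized value produces no finding because the callee's return was analyzed and found clean, which an intra-procedural checker could not know.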
Static Code Analysis
How to keep your metric up to date
• Standards: rely on your static code analysis vendor to provide updates to the latest security standards
• Research: rely on your vendor to develop custom rules based on research shared by security analysts
• OEM Requirements: prove that standards have been enforced
Take action
Check code faster
• Issues identified at your desktop
  – Correct code before check-in
  – All areas impacted by a given defect are highlighted
  – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
• Create custom checkers to meet specific needs
• Debugger-like call-stack highlights the cause of the issues
• Context-sensitive help provides industry best-practices and explanations
[Diagram: Build → Analysis / Test, annotated “50% of defects introduced here”]
Open source scanning
How to keep your metric up to date
• Deploy a governance and provisioning platform to white list/black list open source packages
• Be informed when new vulnerabilities are published through the National Vulnerability Database
• Know what is in your source code by scanning for source code snippets that have been copied and pasted
Measuring open source risks
• Know your inventory with OSS scanning
  – Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
  – Look for scanning tools that:
    • are SaaS (easier to set up and maintain)
    • protect your IP by not requiring source code upload
• Maintain OSS support
  – Get notified of latest patches, risks, bugs
• Establish an OSS policy to minimize risk
  – Use only trusted packages
  – Notify and update security fixes
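The two slides above describe a policy (allow/deny lists) applied to an inventory that includes packages within packages, plus a feed of newly published vulnerabilities. The following is an added example of that check, not code from the deck or from a Rogue Wave product: the inventory, the policy and the advisory feed are all constructed for the demonstration (the advisory IDs are placeholders, not real CVEs, and versions are assumed to be plain dotted integers). The evaluator flattens nested packages so a vulnerable library bundled inside an SDK is not missed, then reports denied, unvetted and vulnerable components.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Package:
    """One inventoried component; `bundled` holds packages shipped inside it."""
    name: str
    version: str
    bundled: List["Package"] = field(default_factory=list)


def flatten(packages: List[Package], prefix: str = "") -> List[Tuple[str, Package]]:
    """Walk the inventory recursively so packages within packages are checked too."""
    out = []
    for p in packages:
        path = f"{prefix}/{p.name}" if prefix else p.name
        out.append((path, p))
        out.extend(flatten(p.bundled, path))
    return out


def parse_version(v: str) -> tuple:
    """Dotted integer versions only (an assumption for the example)."""
    return tuple(int(x) for x in v.split("."))


def affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed; fixed of None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def evaluate(inventory, policy, advisories):
    """Apply the OSS policy and the advisory feed to the whole inventory.
    Returns (path, version, kind, detail) findings."""
    findings = []
    for path, pkg in flatten(inventory):
        if pkg.name in policy["denied"]:
            findings.append((path, pkg.version, "denied", "package is on the block list"))
        elif pkg.name not in policy["allowed"]:
            findings.append((path, pkg.version, "unvetted", "package is not on the allow list"))
        for adv in advisories:
            if adv["package"] == pkg.name and affected(pkg.version, adv["introduced"], adv["fixed"]):
                detail = f'{adv["id"]} ({adv["severity"]}), fixed in {adv["fixed"]}'
                findings.append((path, pkg.version, "vulnerable", detail))
    return findings


# Constructed inventory, policy and advisory feed (placeholder IDs, not real CVEs).
INVENTORY = [
    Package("vehicle-sdk", "3.0.0", bundled=[Package("cryptokit", "1.2.1")]),
    Package("logfmt", "1.0.0"),
    Package("oldparser", "0.9.0"),
    Package("quickjson", "2.0.0"),
]
POLICY = {"allowed": {"vehicle-sdk", "cryptokit", "logfmt"}, "denied": {"oldparser"}}
ADVISORIES = [
    {"id": "ADV-0001", "package": "cryptokit", "introduced": "1.0.0", "fixed": "1.2.4", "severity": "HIGH"},
    {"id": "ADV-0002", "package": "cryptokit", "introduced": "2.0.0", "fixed": "2.0.3", "severity": "MEDIUM"},
]

if __name__ == "__main__":
    for finding in evaluate(INVENTORY, POLICY, ADVISORIES):
        print(finding)
```

Re-running the evaluator on every build with the current advisory feed is what keeps this part of the metric up to date: the inventory rarely changes between builds, but the feed does, and a component that passed yesterday can be vulnerable today.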
Scan results example
Conclusions
• The application security world is fluid → create concrete, actionable strategies (Threat Metric, analysis & scanning)
• Delivery cycles are short → update regularly with a well-defined process (Agile, CI)
Q&A
See us in action:
www.roguewave.com
Jeff Hildreth | jeff.hildreth@roguewave.com