Top 5 best practices for delivering secure in-vehicle software
Embedded World Exhibition & Conference
February 26, 2015
Rod Cope, CTO, Rogue Wave Software (Presenter)
Agenda
• Setting the stage
• Best practices
– Manage and mitigate issues
– Build security into your development workflow
– Enforce standards and ensure compliance
– Manage open source risk
– Streamline with continuous integration
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
Setting the stage
Automotive hacks are well documented
Increasing complexity: Connected cars
Software is growing fast
[Bar chart: LOC (millions), axis 0 to 350, for USAF F-22, USAF F-35 JSF, Avg Ford car 2009, Boeing 787 Dreamliner, Avg Ford car 2010, S-class Nav 2009, Avg luxury car 2010, Avg luxury car 2014*]
*Estimated. Sources: IEEE Automotive Designline, IEEE Spectrum
Open source is great (but has risks)
Benefits: mature libraries, leveraged development effort, massive peer review, little to no cost
Risks: licensing, security, bugs, lack of support
Most organizations don’t know where and how OSS is being used
“By 2016, 99% of Global 2000 enterprises will use open source in mission-critical software” - Gartner
Practice #1: Manage and mitigate issues
How do security issues happen?
Data breaches are the result of one flawed assumption: “Incoming data is well-formed”
Most breaches result from input trust issues: unvalidated input leads to cross-site scripting, SQL injection, and buffer overflow (Heartbleed)
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
CWE is a community-driven identification of weaknesses
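The following is an added example, not code from the slides: a small parser for a constructed record format ([type:1][length:2, big-endian][payload]) that refuses to act on the "incoming data is well-formed" assumption. The length field is attacker-controlled, so before any copy it is checked against both the size of the receiving buffer and the number of bytes actually received. The format, status codes and function names are assumptions made for this example.

```c
/* Added example (not from the Rogue Wave slides): validating an untrusted
 * length field before using it. Record layout is constructed for this
 * example: [type:1][declared_len:2 big-endian][payload:declared_len]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN      3u
#define MAX_PAYLOAD  64u

typedef enum {
    REC_OK = 0,
    REC_HDR_SHORT,   /* fewer than HDR_LEN bytes received               */
    REC_TRUNCATED,   /* declared length exceeds what was received       */
    REC_TOO_BIG      /* declared length exceeds our fixed payload buffer */
} rec_status_t;

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
} record_t;

/* Hardened parser: every bound used for the copy is derived from what we
 * actually hold (received, MAX_PAYLOAD), never from the declared field alone. */
rec_status_t parse_record(const uint8_t *buf, size_t received, record_t *out)
{
    if (received < HDR_LEN) {
        return REC_HDR_SHORT;
    }
    uint16_t declared = (uint16_t)(((uint16_t)buf[1] << 8) | buf[2]);
    if ((size_t)declared > received - HDR_LEN) {
        return REC_TRUNCATED;   /* the sender claims more bytes than it sent */
    }
    if (declared > MAX_PAYLOAD) {
        return REC_TOO_BIG;     /* would overflow out->payload */
    }
    out->type = buf[0];
    out->len  = declared;
    memcpy(out->payload, buf + HDR_LEN, declared);
    return REC_OK;
}

/* Constructed sample inputs, one per outcome. */
rec_status_t demo_well_formed(void)
{
    const uint8_t msg[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
    record_t r;
    return parse_record(msg, sizeof msg, &r);
}

rec_status_t demo_header_short(void)
{
    const uint8_t msg[] = { 0x01, 0x00 };   /* length field incomplete */
    record_t r;
    return parse_record(msg, sizeof msg, &r);
}

/* Heartbleed-shaped input: header claims 0xFFFF payload bytes, 3 arrive. */
rec_status_t demo_claims_more_than_sent(void)
{
    const uint8_t msg[] = { 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };
    record_t r;
    return parse_record(msg, sizeof msg, &r);
}

/* Declared length matches what was sent but not our fixed-size buffer. */
rec_status_t demo_too_big_for_buffer(void)
{
    uint8_t msg[HDR_LEN + MAX_PAYLOAD + 1];
    memset(msg, 'x', sizeof msg);
    msg[0] = 0x01;
    msg[1] = 0x00;
    msg[2] = (uint8_t)(MAX_PAYLOAD + 1);
    record_t r;
    return parse_record(msg, sizeof msg, &r);
}

int main(void)
{
    printf("well-formed=%d header-short=%d truncated=%d too-big=%d\n",
           demo_well_formed(), demo_header_short(),
           demo_claims_more_than_sent(), demo_too_big_for_buffer());
    return 0;
}
```

The order of the two length checks matters for diagnostics only; either order is safe, because the copy happens only after both have passed. A static analyzer of the kind described on the next slides flags the version of this parser that copies `declared` bytes without these checks as a buffer overflow on the data-flow path from `buf` to `memcpy`.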
Security is not a priority
Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data
Organizations have failed to prevent attacks: lack of focus, lack of time, lack of tools/proper tools
Static code analysis and testing
Traditionally used to find simple, annoying bugs
Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and security issues, such as memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
Who owns security?
Security is everyone’s responsibility
Developers
• Focused on making code functional
• Meeting deadlines
• Developing code faster
• Security is an afterthought
IT
• Cleaning up the aftermath of breaches
• Preventing system hacks
• Creating a safe structure
• Security is a priority
Tools
• Automate detection of vulnerabilities
• Fit into existing processes
• Aggregate reports to see trends
Practice #2: Build security into your development workflow
What not to do
• Write a book…
• 1500 pages long…
• Run the spellchecker
The faster you find a defect, the less costly to fix
[Charts: relative cost to fix by stage detected, Requirements, Architecture, Construction, System Test, Post Release, against 1X, 3X, 5X, 10X, 100X; cost to fix by time detected, Requirements, Design, Coding, Testing, Maintenance, against $139, $455, $977, $7,136, $14,103; cost to fix rising over lifecycle stages Specification, Design, Code, Unit Test, System Test, UAT, Release, and over time from Development through Unit Tests, QA Testing, Production]
Analysis earlier in the cycle
• Eliminates new defects from being checked back into the team level build
• No extra work for developers
• In-context checking and fixes
• Continuity of development flow
Development cycle: Edit, Save, Analyze & Fix, Compile, Test, Check In, Build
What else can you do?
• All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
• Follow a well-known security standard applicable to your domain
• Need to “bake in” security
• Educate the development team, provide security-based training
• Automate to find flaws as soon as possible!
Practice #3: Enforce standards and ensure compliance
ISO 26262
[Diagram: IEC 61508 (Functional Safety, Hazard and Risk Analysis) and the domain standards derived from it: IEC 62304, IEC 60601, ISO 14971 (Medical), EN 5012x (Railways), EN 81 (Elevators), IEC 62061 (Machinery), ISO 61511 (Process), ISO 26262 (Cars); page counts shown: 478 pages (English version) and 670 pages (English version)]
Relationship between ISO 26262 and IEC 61508
...
A certified analysis tool
Provides dependable, repeatable results
• Certified results for the Software Verification Report (ISO 26262, section 6)
• Accurate within the definitions and scopes documented for the tool
Reduces tool qualification effort (ISO 26262, section 8)
• Tool is pre-qualified with evidence artifacts
• If following usage patterns and requirements defined in the safety manual, no further qualification work required
• In other cases, the tool qualification package can be extended to provide necessary qualification evidence
MISRA standards
• Coding standard, not functional safety like ISO 26262
• Write safer software from the beginning using a restrictive subset of the language
C library dynamic memory – surely the worst possible thing? How do we check for correct usage?
Example from MISRA C 2004 – Rule 20.4 (required): Dynamic heap memory allocation shall not be used
How can SCA tools help?
• Prove compliance to coding guidelines and coding rules
• Boost overall development productivity
• Nearly all functional safety standards recommend or require use of language subsets
• SCA tools enforce such rules with feedback to developers and reports showing compliance or gaps
• Detect security, reliability, maintainability issues as early in the development process as possible
• No time wasted finding coding errors in testing
• Allows focus on testing functionality, which is likely to generate better software
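To make the MISRA rule and the "SCA tools enforce such rules" point concrete, here is an added example that is not code from the slides or from any MISRA checker: a minimal static check for MISRA C:2004 Rule 20.4 (dynamic heap memory allocation shall not be used). It tokenizes C source text, skips comments and string literals so that a mention of malloc in a comment is not reported, and flags every heap-API identifier that is followed by a call parenthesis. The input snippet and the function names are constructed for this example; a production checker works on the compiler's AST rather than on raw text, but the rule being enforced is the same.

```c
/* Added example (not from the slides or any MISRA tool): a tiny text-level
 * checker for MISRA C:2004 Rule 20.4. Reports calls to the C library heap API. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const HEAP_API[] = { "malloc", "calloc", "realloc", "free" };

/* True when the identifier id[0..n) is one of the heap functions. */
static int is_heap_api(const char *id, size_t n)
{
    for (size_t i = 0; i < sizeof HEAP_API / sizeof HEAP_API[0]; i++) {
        if (strlen(HEAP_API[i]) == n && strncmp(HEAP_API[i], id, n) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Scans src, prints one diagnostic per violation, returns the violation count. */
int check_rule_20_4(const char *src)
{
    int violations = 0, line = 1;
    const char *p = src;
    while (*p) {
        if (*p == '\n') { line++; p++; continue; }
        if (p[0] == '/' && p[1] == '/') {                /* line comment */
            while (*p && *p != '\n') p++;
            continue;
        }
        if (p[0] == '/' && p[1] == '*') {                /* block comment */
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) {
                if (*p == '\n') line++;
                p++;
            }
            if (*p) p += 2;
            continue;
        }
        if (*p == '"' || *p == '\'') {                   /* string/char literal */
            char quote = *p++;
            while (*p && *p != quote) {
                if (*p == '\\' && p[1]) p++;             /* skip escaped char */
                p++;
            }
            if (*p) p++;
            continue;
        }
        if (isdigit((unsigned char)*p)) {                /* numeric literal */
            while (isalnum((unsigned char)*p) || *p == '.') p++;
            continue;
        }
        if (isalpha((unsigned char)*p) || *p == '_') {   /* identifier */
            const char *start = p;
            while (isalnum((unsigned char)*p) || *p == '_') p++;
            size_t n = (size_t)(p - start);
            const char *q = p;
            while (*q == ' ' || *q == '\t') q++;
            if (*q == '(' && is_heap_api(start, n)) {
                printf("line %d: Rule 20.4 violation: %.*s()\n", line, (int)n, start);
                violations++;
            }
            continue;
        }
        p++;
    }
    return violations;
}

/* Constructed sample source: two real calls, two decoys. */
static const char SAMPLE[] =
    "#include <stdlib.h>\n"
    "/* malloc mentioned in a comment is not a call */\n"
    "static unsigned char pool[256];     // static allocation is allowed\n"
    "void *grow(size_t n) {\n"
    "    const char *msg = \"realloc\";  // string literal, not a call\n"
    "    return realloc(pool, n);         // violation\n"
    "}\n"
    "void release(void *p) { free(p); }  // violation\n";

int main(void)
{
    int n = check_rule_20_4(SAMPLE);
    printf("%d Rule 20.4 violation(s)\n", n);
    return n != 0;
}
```

Returning a non-zero exit status when violations exist is what lets a check like this gate a CI build, which is the "feedback to developers and reports showing compliance or gaps" the slide describes.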
Practice #4: Manage open source risk
The state of OSS
• 76% of organizations lack meaningful controls over OSS selection and use
• 80% of developers need not prove security of OSS they are using
• 20% of the organizations claim to track vulnerabilities in OSS over time
– 11 million developers worldwide make 13 billion open source requests each year.
Increased use + few controls = unmanaged risk
Step 1: Define policies
Create policies based on needs assessment; adopt governance based on requirements
• Security, maintenance, support, and training
• Internal vs. commercially-distributed software
• Supply chain intake: 3rd party software, outsourced development
• Acquisition and approval strategies and workflows
• Ongoing audits and compliance documentation
• Industry or supply chain mandates
Roles: OSS standards team, OSS review board, OSS compliance officer
Step 2: Know your inventory
What’s in your codeline?
Scan for OSS
• Identify embedded projects, files, or code snippets
• Adaptive, real-time updates
• Reveal licensing and copyright/copyleft information
Analyze for risk
• OSS use
• Licensing and compliance (permissive & copyleft)
• OSS within other OSS and binaries
• Internal and external policy compliance
Step 3: Promote safe ongoing use
Ongoing governance; support and maintenance
• Baseline and continuous delta scans
• Open source repository that reflects policy and compliance
• Proactive version and security update notifications
• Monitor for security risks and software updates
• Continuity regardless of internal changes or team realignment
• Downstream IT application use and management
Who supports your OSS code?
Practice #5: Streamline with continuous integration
The age of consumer demands
• “Assembling” vs. “code from scratch” is the new ethos
• Increased need for pipeline automation to simplify and streamline delivery
• Complexity and size increasing
• Security and compliance are immediate concerns
• Open source use increasing
Automation is key to successful CI
Continuous Integration and Continuous Delivery: automate the build process, automate testing, automate reporting
• Scanning to discover open
• Automate the discovery of security weaknesses, compliance violations, defects
• Self-testing frees up developers’ time
• Run as part of Continuous Integration
• Identify areas of bad code
• Prove safety and compliance
• Continuous testing and static analysis
• Valuable feedback and visible results
Q&A
See us in action:
www.roguewave.com
Rod Cope
rod.cope@roguewave.com
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmRogue Wave Software
 

More from Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data Perspective
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformation
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Recently uploaded

Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 

Recently uploaded (20)

Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 

Top 5 best practices for delivering secure in-vehicle software

  • 1. Top 5 best practices for delivering secure in-vehicle software
    Embedded World Exhibition & Conference, February 26, 2015
  • 3. Agenda
    • Setting the stage
    • Best practices
      – Manage and mitigate issues
      – Build security into your development workflow
      – Enforce standards and ensure compliance
      – Manage open source risk
      – Streamline with continuous integration
    © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
  • 5. Automotive hacks are well documented
  • 6. Increasing complexity: Connected cars
  • 7. Software is growing fast
    Chart: lines of code, LOC (millions), per system: USAF F-22; USAF F-35 JSF; Avg Ford car 2009; Boeing 787 Dreamliner; Avg Ford car 2010; S-class Nav 2009; Avg luxury car 2010; Avg luxury car 2014*
    *Estimated. Sources: IEEE Automotive Designline, IEEE Spectrum
  • 8. Open source is great (but has risks)
    – Benefits: mature libraries, leveraged development effort, massive peer review, little to no cost
    – Risks: licensing, security, bugs, lack of support
    – Most organizations don’t know where and how OSS is being used
    – “By 2016, 99% of Global 2000 enterprises will use open source in mission-critical software” - Gartner
  • 9. Practice #1: Manage and mitigate issues
  • 10. How do security issues happen?
    – Data breaches are the result of one flawed assumption (diagram label: “Incoming data is well-formed”)
    – Most breaches result from input trust issues (diagram labels: unvalidated input, SQL injection, cross-site scripting, Heartbleed: buffer overflow)
    – OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
    – CWE is a community-driven identification of weaknesses
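An added example, not from the deck, of the check slide 10 is about: a C parser for a length-prefixed record that validates the length field carried in the input against the bytes actually received instead of trusting it (the assumption behind the Heartbleed over-read). The wire format, the REC_* limits and the two sample records are constructed for this example.

```c
/* Added example (not from the deck): parse a constructed length-prefixed
 * record without trusting the length field the input carries. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire format for this example:
 *   byte 0     : record type
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload, exactly `length` bytes */
#define REC_HEADER_LEN  3u
#define REC_MAX_PAYLOAD 64u   /* assumed application limit */

typedef struct {
    uint8_t type;
    uint16_t length;          /* validated length, never the raw field */
    const uint8_t *payload;   /* points into the caller's buffer */
} record_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED_HEADER,
    PARSE_ERR_LENGTH_EXCEEDS_INPUT,
    PARSE_ERR_PAYLOAD_TOO_LARGE
} parse_result_t;

/* Parse one record from buf[0 .. buf_len).
 * buf_len is what the caller actually received; the declared length is
 * checked against it before any payload byte is used. Skipping that check
 * is the Heartbleed pattern: a declared length larger than the bytes that
 * followed makes a later copy read past the end of buf. */
parse_result_t parse_record(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf == NULL || out == NULL || buf_len < REC_HEADER_LEN) {
        return PARSE_ERR_TRUNCATED_HEADER;
    }
    uint16_t declared = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);

    /* Compare against the remaining bytes; the subtraction cannot wrap
     * because buf_len >= REC_HEADER_LEN was established above. */
    if (declared > buf_len - REC_HEADER_LEN) {
        return PARSE_ERR_LENGTH_EXCEEDS_INPUT;
    }
    if (declared > REC_MAX_PAYLOAD) {
        return PARSE_ERR_PAYLOAD_TOO_LARGE;
    }
    out->type = buf[0];
    out->length = declared;
    out->payload = buf + REC_HEADER_LEN;
    return PARSE_OK;
}

/* Copy a validated payload into a fixed destination, bounded by both the
 * validated record length and the destination size. */
size_t copy_payload(const record_t *rec, uint8_t *dst, size_t dst_len)
{
    size_t n = (size_t)rec->length < dst_len ? (size_t)rec->length : dst_len;
    memcpy(dst, rec->payload, n);
    return n;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_RECORD[]  = { 0x01, 0x00, 0x04, 'c', 'a', 'r', '!' };
/* Declares 0xFFFF payload bytes but only four follow. */
static const uint8_t LYING_RECORD[] = { 0x01, 0xFF, 0xFF, 'c', 'a', 'r', '!' };

/* Returns 1 when the good record is accepted and the lying one rejected. */
int demo(void)
{
    record_t rec;
    uint8_t out[REC_MAX_PAYLOAD];
    if (parse_record(GOOD_RECORD, sizeof GOOD_RECORD, &rec) != PARSE_OK) return 0;
    if (copy_payload(&rec, out, sizeof out) != 4) return 0;
    return parse_record(LYING_RECORD, sizeof LYING_RECORD, &rec)
           == PARSE_ERR_LENGTH_EXCEEDS_INPUT;
}
```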
  • 11. Security is not a priority
    – Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data
    – Organizations have failed to prevent attacks: lack of focus, lack of time, lack of tools/proper tools
  • 12. Static code analysis and testing
    – Traditionally used to find simple, annoying bugs
    – Modern, state-of-the-art SCA: sophisticated inter-procedural control and data-flow analysis; model-based simulation of runtime expectation; provides an automated view of all possible execution paths
    – Find complex bugs and security issues, such as memory leaks, concurrency violations, buffer overflows
    – Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
  • 13. Who owns security? Security is everyone’s responsibility
    – Developers: focused on making code functional; meeting deadlines; developing code faster; security is an afterthought
    – IT: cleaning up the aftermath of breaches; preventing system hacks; creating a safe structure; security is a priority
    – Tools: automate detection of vulnerabilities; fit into existing processes; aggregate reports to see trends
  • 14. Practice #2: Build security into your development workflow
  • 15. What not to do
    • Write a book…
    • 1500 pages long…
    • Run the spellchecker
  • 16. The faster you find a defect, the less costly to fix
    Charts (values as shown on the slide):
    – Relative cost to fix by phase: Requirements 1X, Architecture 3X, Construction 5X, System Test 10X, Post Release 100X
    – Cost to fix by time detected: Requirements $139, Design $455, Coding $977, Testing $7,136, Maintenance $14,103
    – Cost to fix by lifecycle stage: Specification, Design, Code, Unit Test, System Test, UAT, Release
    – Cost to fix over time: Development, Unit Tests, QA Testing, Production
  • 17. Analysis earlier in the cycle
    – Eliminates new defects from being checked back into the team level build
    – No extra work for developers
    – In-context checking and fixes
    – Continuity of development flow
    Development cycle (diagram): Edit, Save, Analyze & Fix, Compile, Test, Check In, Build
  • 18. What else can you do?
    – All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
    – Follow a well-known security standard applicable to your domain
    – Need to “bake in” security
    – Educate the development team, provide security based training
    – Automate to find flaws as soon as possible!
  • 19. Practice #3: Enforce standards and ensure compliance
  • 20. ISO 26262 Functional Safety
    Diagram: IEC 61508 (Hazard and Risk Analysis) and the sector standards derived from it: Cars – ISO 26262; Railways – EN 5012x; Machinery – IEC 62061; Process – ISO 61511; Elevators – EN 81; Medical – IEC 60601, ISO 14971, IEC 62304
    478 pages (English Version); 670 pages (English Version)
    Relationship between ISO 26262 and IEC 61508 ...
  • 21. A certified analysis tool
    Provides dependable, repeatable results
    – Certified results for the Software Verification Report (ISO 26262, section 6)
    – Accurate within the definitions and scopes documented for the tool
    Reduces tool qualification effort (ISO 26262, section 8)
    – Tool is pre-qualified with evidence artifacts
    – If following usage patterns and requirements defined in the safety manual, no further qualification work required
    – In other cases, the tool qualification package can be extended to provide necessary qualification evidence
  • 22. MISRA standards
    – Coding standard, not functional safety like ISO 26262
    – Write safer software from the beginning using a restrictive subset of the language
    – C library dynamic memory – surely the worst possible thing? How do we check for correct usage?
    – Example from MISRA C 2004: Rule 20.4 (required) Dynamic heap memory allocation shall not be used
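As an added example (not from the deck or from MISRA) of how a module can satisfy Rule 20.4 while still handing out memory per request: a fixed-size block pool in static storage that replaces malloc/free, reports exhaustion as a deterministic NULL and rejects double frees and foreign pointers. The block size and count are assumptions chosen for the example.

```c
/* Added example (not from the deck or from MISRA): a fixed-size block pool
 * that replaces malloc/free in a module that must satisfy MISRA C:2004
 * Rule 20.4, "Dynamic heap memory allocation shall not be used". */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define POOL_BLOCK_SIZE  32u   /* bytes per block, assumed for the example */
#define POOL_BLOCK_COUNT 4u    /* number of blocks, fixed at compile time */

typedef struct {
    uint8_t storage[POOL_BLOCK_COUNT][POOL_BLOCK_SIZE];
    bool in_use[POOL_BLOCK_COUNT];
    size_t free_count;
} block_pool_t;

/* All memory the pool hands out lives inside the pool object itself, so a
 * pool placed in static storage never touches the heap. */
void pool_init(block_pool_t *p)
{
    for (size_t i = 0; i < POOL_BLOCK_COUNT; i++) {
        p->in_use[i] = false;
    }
    p->free_count = POOL_BLOCK_COUNT;
}

/* Hand out one block, or NULL when the request does not fit a block or the
 * pool is exhausted. Exhaustion is a deterministic condition the caller
 * checks, not a heap failure at an unpredictable moment. */
void *pool_alloc(block_pool_t *p, size_t size)
{
    if (size == 0u || size > POOL_BLOCK_SIZE) {
        return NULL;
    }
    for (size_t i = 0; i < POOL_BLOCK_COUNT; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = true;
            p->free_count--;
            return p->storage[i];
        }
    }
    return NULL;   /* exhausted */
}

/* Return a block to the pool. Rejects (returns false, changes nothing) a
 * pointer outside the pool, a pointer into the middle of a block, and a
 * block that is already free, so a double free is reported rather than
 * silently corrupting the allocator's bookkeeping. */
bool pool_free(block_pool_t *p, void *block)
{
    uintptr_t base = (uintptr_t)&p->storage[0][0];
    uintptr_t addr = (uintptr_t)block;
    if (block == NULL || addr < base || addr >= base + sizeof p->storage) {
        return false;
    }
    size_t offset = (size_t)(addr - base);
    if (offset % POOL_BLOCK_SIZE != 0u) {
        return false;   /* interior pointer, not a block start */
    }
    size_t i = offset / POOL_BLOCK_SIZE;
    if (!p->in_use[i]) {
        return false;   /* double free */
    }
    p->in_use[i] = false;
    p->free_count++;
    return true;
}

/* Blocks available right now; lets a self-test or a watchdog assert that a
 * module releases everything it took. */
size_t pool_free_count(const block_pool_t *p)
{
    return p->free_count;
}
```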
  • 23. How can SCA tools help?
    Prove compliance to coding guidelines and coding rules
    • Nearly all functional safety standards recommend or require use of language subsets
    • SCA tools enforce such rules with feedback to developers and reports showing compliance or gaps
    Boost overall development productivity
    • Detect security, reliability, maintainability issues as early in the development process as possible
    • No time wasted finding coding errors in testing
    • Allows focus on testing functionality, which is likely to generate better software
  • 25. The state of OSS
    • 76% of organizations lack meaningful controls over OSS selection and use
    • 80% of developers need not prove security of OSS they are using
    • 20% of the organizations claim to track vulnerabilities in OSS over time
      – 11 million developers worldwide make 13 billion open source requests each year.
    Increased use + few controls = unmanaged risk
  • 26. Step 1: Define policies
    – Create policies based on needs assessment
    – Adopt governance based on requirements
    – Security, maintenance, support, and training
    – Internal vs. commercially-distributed software
    – Supply chain intake: 3rd party software, outsourced development
    – Acquisition and approval strategies and workflows
    – Ongoing audits and compliance documentation
    – Industry or supply chain mandates
    Roles (diagram): OSS standards team, OSS review board, OSS compliance officer
  • 27. Step 2: Know your inventory
    What’s in your codeline?
    – Scan for OSS: identify embedded projects, files, or code snippets; adaptive, real-time updates; reveal licensing and copyright/copyleft information; internal policy compliance
    – Analyze for risk: OSS use; licensing and compliance (permissive & copyleft); OSS within other OSS and binaries; external policy compliance
  • 28. Step 3: Promote safe ongoing use
    Ongoing governance; support and maintenance
    – Baseline and continuous delta scans
    – Open source repository that reflects policy and compliance
    – Proactive version and security update notifications
    – Monitor for security risks and software updates
    – Continuity regardless of internal changes or team realignment
    – Downstream IT application use and management
    Who supports your OSS code?
  • 29. Practice #5: Streamline with continuous integration
  • 30. The age of consumer demands
    – “Assembling” vs. “code from scratch” is the new ethos
    – Increased need for pipeline automation to simplify and streamline delivery
    – Complexity and size increasing
    – Security and compliance are immediate concerns
    – Open source use increasing
  • 31. Automation is key to successful CI
    – Automate the discovery of security weaknesses, compliance violations, defects
    – Self-testing frees up developers time
    – Run as part of Continuous Integration
    – Identify areas of bad code
    – Prove safety and compliance
    Pipeline (diagram): Continuous Integration and Continuous Delivery; Continuous Testing and static analysis; Valuable feedback and visible results. Automate the build process, automate testing, automate reporting.
  • 32. Q&A
  • 33. See us in action: www.roguewave.com
    Rod Cope, rod.cope@roguewave.com