Software security is making headlines today, whether it's alarming data breaches, frustrating service downtimes, or expensive product recalls. It's more important than ever for organizations to know where their embedded software is coming from and how it's being developed - protecting against security hacks, quality quacks, and safety wrecks. Understanding how these failures occur and identifying steps to minimize them across the supply chain is key to protecting you and your organization from costly fixes and lost satisfaction. This paper will explain how defects are introduced into code bases and how you can combat them by discussing common security threats and standards, code safety considerations (such as ISO 26262), and how continuous automated testing can enforce risk mitigation strategies across the entire supply chain.

1. Five ways to protect
your software supply
chain from hacks,
quacks, & wrecks
Embedded World Exhibition & Conference
February 25, 2015

2. Rod Cope, CTO
Presenter
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
2
Rogue Wave Software

3. © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
3
Challenging automotive software
How defects are introduced
Five strategies
Q&A
Agenda

4. Challenging automotive software

5. Automotive hacks are well documented
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
5

6. 6
2014 marked the highest number of recalls ever,
affecting over 60 million vehicles
The number of data breaches has climbed steadily
in the past 10 years: 800 predicted in 2015
Real numbers
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
6

7. How defects are introduced

8. 8
“What really amazes me is the sheer
number of lines of code of software running
on all these ECUs, especially if compared
to other products and computer software.
A modern high-end car features around
100 million lines of code, and this number
is planned to grow to 200-300 millions
in the near future.”
- Andrea Busnelli
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
8

9. The software supply chain
Open
source
Your product
Legacy
COTS Contractors
ISV
Integrate test
Cost to fix
defects
$$$$
$
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
9

10. 10
What happens when outsourcing goes wrong?
Software suppliers can
introduce risks (security,
functional, compliance)
before they reach you
Different platforms,
processes, tools,
standards, etc. require
more effort to assess,
test, and standardize
If hooks are left in
the code, sensitive
data can be sent back
to the supplier
The software supply chain
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
10

11. Toyota unintended acceleration –
Electronic Throttle Control System
(ETCS)
“…used a version of OSEK, which
is an automotive standard RTOS API.
For some reason, though, the CPU
vendor-supplied version was not
certified compliant”
The software supply chain – example
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
11

12. Our changing workplace
Agile, continuous integration,
continuous delivery
Understanding processes
Educating teams
Implementing tools
Enforcing compliance
Measuring success
Adopting new standards
Systems integrators vs.
systems builders
Multiple development teams
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
12

13. The Internet of Things (connected car)
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
13

14. So what does this mean?
– Cars with millions of lines of code,
dozens of processors
– Multiple systems interconnected
– Designed years ago without
security in mind
– New code, COTS, suppliers,
legacy, open source
– Different platforms, people,
and processes
– Vulnerabilities and bugs will
last for years
– Not an easy update/upgrade path
– Automation will be critical
– Certification is inevitable
More and more software running
inside embedded systems
More and more software running inside
your car
Multiple sources of software
being integrated
Software that has to run for
many years
This requires a very significant security,
safety, & functional verification process
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
14

15. Strategy #1
Adopt proven, accepted standards

16. Not-so industry standard
Go beyond the standards you know already
OWASP Top 10 identifies common vulnerabilities from
over 500,00 issues being researched today
CWE is a community-drive identification of weaknesses
CWE-20: Improper Input Validation
Well-known, proven security standards
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
16
ISO 26262
MISRA
(automotive)

17. Strategy #2
Promote software policies

18. Open source example
Open source fills a specific
technical gap in your product or
development environment –
delivered “as is” and rarely
created with security in mind
Most organizations
don’t know where and how
OSS is being used
Using risky components is
#9 on OWASP’s Top 10 list
Over 50% of enterprise
organizations adopt and
contribute to OSS today
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
18

19. Promote smart open source use
 Use only trusted packages
 Notify and update security fixes
Reduce technical risk with OSS support
 Automated, repeatable way to locate OSS packages
(and packages within packages!) and licensing obligations
 Look for scanning tools that are SaaS and protect your
IP by not requiring source code upload
Know your inventory with OSS scanning
 Get notified of latest patches, risks, and bugs
Establish an OSS policy to minimize risk
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
19

20. Strategy #3
Find security flaws earlier

21. How do hacks happen?
Data breaches are the result of one flawed assumption:
Most breaches result from input trust issues
SQL injection
Unvalidated
input
Heartbleed:
buffer overrun
BMW patch:
HTTP vs. HTTPS
Cross-site
scripting
Incoming
data is
well-formed
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
21

22. All of the supply chain needs to be secure, not just your code but the
code of the packages included in your software
Follow a well-known security standard applicable to your domain
What can you do?
Need to “bake in” security
Educate the development team, provide security based training
Automate to find flaws as soon as possible!
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
22

23. Strategy #4
Deploy automatic, agile testing

24. Build into process
Automate
the build
process
Automate
testing
Automate the discovery of security
weaknesses, compliance violations, defects
Free up developer’s time
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
24

25. Analysis and testing
Static code analysis
Traditionally used to find simple, annoying bugs
Modern, state-of-the-art SCA
Sophisticated inter-
procedural control and data-
flow analysis
Model-based simulation of
runtime expectation
Provides an automated
view of all possible
execution paths
Find complex bugs and
runtime errors, such as
memory leaks, concurrency
violations, buffer overflows
Check compliance with
internationally recognized
standards:
MISRA
CWE
OWASP
ISO26262
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
25

26. Check code faster
• Issues identified at developer’s desktop
– Correct code before check-in
– All areas impacted by a given
defect are highlighted
– After system build, the impact of
other developers’ code is also
delivered to the desktop for
corrective action
• Create custom checkers to meet specific
needs
• Debugger-like call-stack highlights the
cause of the issues
• Context-sensitive help provides industry
best-practices and explanations
50% of
defects
introduced
here
Build
Analysis /
Test
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
26
Analysis and testing

27. Strategy #5
Stay on top of things

28. Build into process
Automate
the build
process
Automate
testing
Automate
reporting
Automate the discovery of security
weaknesses, compliance violations, defects
Free up developer’s time
Seeing trends helps identify
areas of bad code
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
28

29. Monitor issues closely
Security
Vulnerabilities
License Violation
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS
RESERVED
29

30. Q&A

31. See us in action:
www.roguewave.com
Rod Cope
rod.cope@roguewave.com