Five ways to protect your software supply chain from hacks, quacks, & wrecks
Embedded World Exhibition & Conference
February 25, 2015
Rod Cope, CTO
Presenter
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
Rogue Wave Software
Agenda
Challenging automotive software
How defects are introduced
Five strategies
Q&A
Challenging automotive software
Automotive hacks are well documented
Real numbers
2014 marked the highest number of recalls ever, affecting over 60 million vehicles
The number of data breaches has climbed steadily in the past 10 years: 800 predicted in 2015
How defects are introduced
“What really amazes me is the sheer number of lines of code of software running on all these ECUs, especially if compared to other products and computer software. A modern high-end car features around 100 million lines of code, and this number is planned to grow to 200-300 millions in the near future.”
- Andrea Busnelli
The software supply chain
[Diagram labels: Open source, Legacy, COTS, Contractors, ISV, Your product; Integrate, Test; Cost to fix defects ($ to $$$$)]
The software supply chain
What happens when outsourcing goes wrong?
Software suppliers can introduce risks (security, functional, compliance) before they reach you
Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize
If hooks are left in the code, sensitive data can be sent back to the supplier
The software supply chain – example
Toyota unintended acceleration – Electronic Throttle Control System (ETCS)
“…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant”
Our changing workplace
Agile, continuous integration, continuous delivery
Understanding processes
Educating teams
Implementing tools
Enforcing compliance
Measuring success
Adopting new standards
Systems integrators vs. systems builders
Multiple development teams
The Internet of Things (connected car)
So what does this mean?
– Cars with millions of lines of code, dozens of processors
– Multiple systems interconnected
– Designed years ago without security in mind
– New code, COTS, suppliers, legacy, open source
– Different platforms, people, and processes
– Vulnerabilities and bugs will last for years
– Not an easy update/upgrade path
– Automation will be critical
– Certification is inevitable
More and more software running inside embedded systems
More and more software running inside your car
Multiple sources of software being integrated
Software that has to run for many years
This requires a very significant security, safety, & functional verification process
Strategy #1
Adopt proven, accepted standards
Not-so industry standard
Go beyond the standards you know already
OWASP Top 10 identifies common vulnerabilities from over 500,00 issues being researched today
CWE is a community-driven identification of weaknesses
CWE-20: Improper Input Validation
Well-known, proven security standards
ISO 26262, MISRA (automotive)
Strategy #2
Promote software policies
Open source example
Open source fills a specific technical gap in your product or development environment – delivered “as is” and rarely created with security in mind
Most organizations don’t know where and how OSS is being used
Using risky components is #9 on OWASP’s Top 10 list
Over 50% of enterprise organizations adopt and contribute to OSS today
Promote smart open source use
Use only trusted packages
Notify and update security fixes
Reduce technical risk with OSS support
Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
Look for scanning tools that are SaaS and protect your IP by not requiring source code upload
Know your inventory with OSS scanning
Get notified of latest patches, risks, and bugs
Establish an OSS policy to minimize risk
Strategy #3
Find security flaws earlier
How do hacks happen?
Data breaches are the result of one flawed assumption: Incoming data is well-formed
Most breaches result from input trust issues
• SQL injection
• Unvalidated input
• Heartbleed: buffer overrun
• BMW patch: HTTP vs. HTTPS
• Cross-site scripting
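The flawed assumption named above, that incoming data is well-formed, shown as an added C example (not from the original slides): a parser for a constructed length-prefixed record, loosely modelled on a heartbeat request, first trusting the claimed length and then checking it against the bytes actually received. The record layout, function names and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 3 /* constructed layout: type(1) + claimed length(2, big-endian) */

/* Trusting version: assumes the claimed length is honest. */
size_t echo_trusting(const uint8_t *rec, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HDR_LEN, claimed); /* can read past the record */
    return claimed;
}

/* Checked version: compares the claim with the bytes actually received. */
int echo_checked(const uint8_t *rec, size_t rec_len,
                 uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HDR_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN || claimed > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, claimed);
    *out_len = claimed;
    return 0;
}

/* Constructed arena: a 5-byte record ("hi", but claiming 12 bytes) followed
 * by unrelated data, so the over-read stays inside one array. */
static void build_arena(uint8_t arena[32]) {
    memset(arena, 0, 32);
    arena[0] = 1; arena[1] = 0; arena[2] = 12;
    memcpy(arena + 3, "hi", 2);
    memcpy(arena + 5, "NEIGHBOUR!", 10);
}

/* Returns 1 if the trusting parser copied bytes that follow the record. */
int trusting_leaks_neighbour(void) {
    uint8_t arena[32], out[32] = {0};
    build_arena(arena);
    size_t n = echo_trusting(arena, out);
    return n == 12 && memcmp(out + 2, "NEIGHBOUR!", 10) == 0;
}

/* Returns 1 if the checked parser rejects the same 5-byte record. */
int checked_rejects_malformed(void) {
    uint8_t arena[32], out[32];
    size_t n = 0;
    build_arena(arena);
    return echo_checked(arena, 5, out, sizeof out, &n) == -1;
}
```

The only difference between the two parsers is that the checked one is told how many bytes arrived and refuses any claim larger than that, which is the kind of check CWE-20 describes.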
All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
Follow a well-known security standard applicable to your domain
What can you do?
Need to “bake in” security
Educate the development team, provide security-based training
Automate to find flaws as soon as possible!
Strategy #4
Deploy automatic, agile testing
Build into process
Automate the build process
Automate testing
Automate the discovery of security weaknesses, compliance violations, defects
Free up developer’s time
Analysis and testing
Static code analysis
Traditionally used to find simple, annoying bugs
Modern, state-of-the-art SCA
Sophisticated inter-procedural control and data-flow analysis
Model-based simulation of runtime expectation
Provides an automated view of all possible execution paths
Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
Check code faster
• Issues identified at developer’s desktop
– Correct code before check-in
– All areas impacted by a given defect are highlighted
– After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
• Create custom checkers to meet specific needs
• Debugger-like call-stack highlights the cause of the issues
• Context-sensitive help provides industry best-practices and explanations
[Diagram labels: Build, Analysis / Test; callout: 50% of defects introduced here]
Analysis and testing
Strategy #5
Stay on top of things
Build into process
Automate the build process
Automate testing
Automate reporting
Automate the discovery of security weaknesses, compliance violations, defects
Free up developer’s time
Seeing trends helps identify areas of bad code
Monitor issues closely
Security Vulnerabilities
License Violation
Q&A