Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/12/2018
02:30 PM
Rohit Sethi
Rohit Sethi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

'Shift Left' & the Connected Car

How improving application security in the automotive industry can shorten product development time, reduce costs, and save lives.

The public's sense of security was shattered when, in 2015, white hat hackers remotely attacked a Jeep vehicle through its computer system. The infiltration seemed harmless at first —  loud music blared and windshield fluid erupted uncontrollably. What first seemed nothing more than annoying turned more ominous as the engine was forcibly turned off on the highway with traffic coursing by at 70 mph.

While the attack was carried out merely to demonstrate the vulnerability, it cast a deep shadow across the entire automotive industry and raised serious questions about vehicle safety. As automobiles become more high-tech, more connected, and more reliant on applications for their everyday functions, how reliable and safe are they? What can automakers do to stem the growth of new application security risks in automobiles?

Technological Advancements Improve Safety and Present New Dangers
There's little doubt that technology has made cars safer, more comfortable, and more efficient. Today's motor vehicles, like the computers and mobile devices we use every day, are almost entirely reliant on software.

Consumer demand for safety and convenience has long pushed cars toward greater complexity and sophistication. In the past, this meant seatbelts and airbags; now, it means computerized and connected systems including navigation systems, entertainment centers, remote key fobs, and more. While the features on vehicles have kept pace with modern demands, many manufacturers haven't scrutinized the security of these new systems and the software they use.

This lack of security has raised red flags by consumer groups and the government. In 2016, the FBI went so far as to issue a PSA warning drivers that their cars can become the next target of a cybersecurity attack.

Safety First Means Security from the Start
The computer is the epicenter of the modern car responsible for function, comfort and entertainment. These systems require an extensive number of complex applications. For example, IEEE noted that premium vehicles perform their technical ballet around a staggering 100 million lines of code.

While vehicle systems may undergo testing after development, they are rarely designed with security in mind from the start. This is a problem, because some software vulnerabilities may not even be identified in the post-development stage. These vulnerabilities can be broad-ranging and expensive to address. (For example, many drivers connect their cellphones to the on-board computer, making them vulnerable to identity theft.)

Although manufacturers are concerned about driver safety and vehicle reliability, business demands require them to produce cars quickly, and this can mean overlooking application security. This might serve immediate goals and drive profits in the short term, but the long-term consequences of producing vulnerable automobiles will have damaging consequences to the car manufacturers, their supply chain partners, dealers, and customers.

The cost of a recall can be particularly damaging to a company's bottom line. Consider Chrysler, which had recall costs of over $660 million in 2016. Now, imagine how many exploitable vulnerabilities exist within those 100 million lines of code and the consequent number of recalls necessary to correct a laundry list of issues with an entire fleet of vehicles.

This is a problem for corporate image, too, as well as the entire industry of highly technical and (eventually) self-driving cars. No automotive company needs an incident like the Target data breach in 2013, which resulted in the stolen identities of millions of shoppers. These shoppers were among the legion of consumers who began to close their wallets to Target, which ended up costing the company more than $160 million in the year following the breach.

Although automotive companies might think of themselves as immune to headline-making breaches, their growing reliance on software exposes them to a multitude of threats. Unless they start building secure software now, it's just a matter of time before we see automakers fall victim to attacks resulting in data breaches or, even worse, safety issues.

Shifting Security Left
Addressing the complex application security problems facing vehicle manufacturers begins with a "security first" mentality. Software security must be designed into automotive applications from day one, and this means enforcing software development processes that identify and fix vulnerabilities during design and coding rather than testing and repairing vulnerabilities later. The standard practice at most organizations — automotive or otherwise—is to rely on code scanners like Static Analysis Security Testing and Dynamic Analysis Security Testing tools, but these only catch 46% of application-level risks. And 46% is not safe enough when there are people behind the wheel.

In the world of agile development, continuous delivery, and DevOps, the concept of "shift left" has emerged. "Shift left" is a mindset that considers security from the onset and is pervasive throughout the software development process. This is what it means to "build security in" from the start.

When software development teams start far left, organizations can embed the appropriate security considerations into the requirements phase. Starting with solid security requirements as early as possible allows organizations to make sound design decisions up front that will help eliminate technical debt and reduce the cost to maintain software.

To minimize application security risks, organizations should manage the entire software development life cycle to ensure that developers build in security requirements from the start, without wasting valuable time on vulnerability remediation or risking a recall later. Incorporating security into the software development processes to stop attacks and boost driver safety is a win-win situation for vehicle manufacturers and customers alike. It's time for the auto industry to change gears and shift left when it comes to software security.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

 

Rohit Sethi, COO of Security Compass, is responsible for setting and achieving corporate objectives, company alignment, and driving strategy to execution. He specializes in software security requirements management (SSRM), working with large companies in various industries to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ThomasMaloney
50%
50%
ThomasMaloney,
User Rank: Apprentice
11/30/2018 | 1:40:43 AM
Re: Remove it entirely from cars
It is never a straightforward process that we could take a shortcut in when it concerns product developments. We need to ensure that every single step is carefully considered in order to achieve only the best results. Perhaps it is time that we try a new mean to improve our operations in order to still produce the best but at a shorter turnaround to be efficient from every single perspective.
Patrick Ciavolella
50%
50%
Patrick Ciavolella,
User Rank: Author
7/23/2018 | 8:34:30 AM
Remove it entirely from cars
Vulnerabilities are there not because they were not thuroughly thought out at the beginning but because it was not known at the time. Good guys cant spend the same amunt of time trying to break into items like the bad guys do. If we did we would live in a perfect world where there were no vulnerabilities. We all know this can never be the case, where there is a will there is a way, be it good or bad.
Only real solution is remove this data from cars entirely. It is not essential, people are just becoming lazier and reliant upon them to focus on the task at hand, Driving.
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
6/13/2018 | 9:51:14 AM
Agile can't "Shift Left"Security has no "story points"
Security is something that simply cannot be addressed with Agile methodologies.  Security has no story points or other demo-able pieces that you can put at the end of a sprint, for example.  Security doesn't have the visibility needed for Agile's all-important feedback loop. Most importantly, security requires DESIGN.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.
CVE-2020-10989
PUBLISHED: 2020-07-13
An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter.