Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/12/2018
02:30 PM
Rohit Sethi
Rohit Sethi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

'Shift Left' & the Connected Car

How improving application security in the automotive industry can shorten product development time, reduce costs, and save lives.

The public's sense of security was shattered when, in 2015, white hat hackers remotely attacked a Jeep vehicle through its computer system. The infiltration seemed harmless at first —  loud music blared and windshield fluid erupted uncontrollably. What first seemed nothing more than annoying turned more ominous as the engine was forcibly turned off on the highway with traffic coursing by at 70 mph.

While the attack was carried out merely to demonstrate the vulnerability, it cast a deep shadow across the entire automotive industry and raised serious questions about vehicle safety. As automobiles become more high-tech, more connected, and more reliant on applications for their everyday functions, how reliable and safe are they? What can automakers do to stem the growth of new application security risks in automobiles?

Technological Advancements Improve Safety and Present New Dangers
There's little doubt that technology has made cars safer, more comfortable, and more efficient. Today's motor vehicles, like the computers and mobile devices we use every day, are almost entirely reliant on software.

Consumer demand for safety and convenience has long pushed cars toward greater complexity and sophistication. In the past, this meant seatbelts and airbags; now, it means computerized and connected systems including navigation systems, entertainment centers, remote key fobs, and more. While the features on vehicles have kept pace with modern demands, many manufacturers haven't scrutinized the security of these new systems and the software they use.

This lack of security has raised red flags by consumer groups and the government. In 2016, the FBI went so far as to issue a PSA warning drivers that their cars can become the next target of a cybersecurity attack.

Safety First Means Security from the Start
The computer is the epicenter of the modern car responsible for function, comfort and entertainment. These systems require an extensive number of complex applications. For example, IEEE noted that premium vehicles perform their technical ballet around a staggering 100 million lines of code.

While vehicle systems may undergo testing after development, they are rarely designed with security in mind from the start. This is a problem, because some software vulnerabilities may not even be identified in the post-development stage. These vulnerabilities can be broad-ranging and expensive to address. (For example, many drivers connect their cellphones to the on-board computer, making them vulnerable to identity theft.)

Although manufacturers are concerned about driver safety and vehicle reliability, business demands require them to produce cars quickly, and this can mean overlooking application security. This might serve immediate goals and drive profits in the short term, but the long-term consequences of producing vulnerable automobiles will have damaging consequences to the car manufacturers, their supply chain partners, dealers, and customers.

The cost of a recall can be particularly damaging to a company's bottom line. Consider Chrysler, which had recall costs of over $660 million in 2016. Now, imagine how many exploitable vulnerabilities exist within those 100 million lines of code and the consequent number of recalls necessary to correct a laundry list of issues with an entire fleet of vehicles.

This is a problem for corporate image, too, as well as the entire industry of highly technical and (eventually) self-driving cars. No automotive company needs an incident like the Target data breach in 2013, which resulted in the stolen identities of millions of shoppers. These shoppers were among the legion of consumers who began to close their wallets to Target, which ended up costing the company more than $160 million in the year following the breach.

Although automotive companies might think of themselves as immune to headline-making breaches, their growing reliance on software exposes them to a multitude of threats. Unless they start building secure software now, it's just a matter of time before we see automakers fall victim to attacks resulting in data breaches or, even worse, safety issues.

Shifting Security Left
Addressing the complex application security problems facing vehicle manufacturers begins with a "security first" mentality. Software security must be designed into automotive applications from day one, and this means enforcing software development processes that identify and fix vulnerabilities during design and coding rather than testing and repairing vulnerabilities later. The standard practice at most organizations — automotive or otherwise—is to rely on code scanners like Static Analysis Security Testing and Dynamic Analysis Security Testing tools, but these only catch 46% of application-level risks. And 46% is not safe enough when there are people behind the wheel.

In the world of agile development, continuous delivery, and DevOps, the concept of "shift left" has emerged. "Shift left" is a mindset that considers security from the onset and is pervasive throughout the software development process. This is what it means to "build security in" from the start.

When software development teams start far left, organizations can embed the appropriate security considerations into the requirements phase. Starting with solid security requirements as early as possible allows organizations to make sound design decisions up front that will help eliminate technical debt and reduce the cost to maintain software.

To minimize application security risks, organizations should manage the entire software development life cycle to ensure that developers build in security requirements from the start, without wasting valuable time on vulnerability remediation or risking a recall later. Incorporating security into the software development processes to stop attacks and boost driver safety is a win-win situation for vehicle manufacturers and customers alike. It's time for the auto industry to change gears and shift left when it comes to software security.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

 

Rohit Sethi, COO of Security Compass, is responsible for setting and achieving corporate objectives, company alignment, and driving strategy to execution. He specializes in software security requirements management (SSRM), working with large companies in various industries to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ThomasMaloney
50%
50%
ThomasMaloney,
User Rank: Apprentice
11/30/2018 | 1:40:43 AM
Re: Remove it entirely from cars
It is never a straightforward process that we could take a shortcut in when it concerns product developments. We need to ensure that every single step is carefully considered in order to achieve only the best results. Perhaps it is time that we try a new mean to improve our operations in order to still produce the best but at a shorter turnaround to be efficient from every single perspective.
Patrick Ciavolella
50%
50%
Patrick Ciavolella,
User Rank: Author
7/23/2018 | 8:34:30 AM
Remove it entirely from cars
Vulnerabilities are there not because they were not thuroughly thought out at the beginning but because it was not known at the time. Good guys cant spend the same amunt of time trying to break into items like the bad guys do. If we did we would live in a perfect world where there were no vulnerabilities. We all know this can never be the case, where there is a will there is a way, be it good or bad.
Only real solution is remove this data from cars entirely. It is not essential, people are just becoming lazier and reliant upon them to focus on the task at hand, Driving.
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
6/13/2018 | 9:51:14 AM
Agile can't "Shift Left"Security has no "story points"
Security is something that simply cannot be addressed with Agile methodologies.  Security has no story points or other demo-able pieces that you can put at the end of a sprint, for example.  Security doesn't have the visibility needed for Agile's all-important feedback loop. Most importantly, security requires DESIGN.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...