Five ways to protect your software supply chain from hacks, quacks, and wrecks

Embedded World Exhibition & Conference, February 25, 2015 (32 slides)

Transcript of Five ways to protect your software supply chain from hacks, quacks, and wrecks

Page 1: Five ways to protect your software supply chain from hacks, quacks, and wrecks

Five ways to protect your software supply chain from hacks, quacks, & wrecks

Embedded World Exhibition & Conference

February 25, 2015

Page 2

Rod Cope, CTO, Rogue Wave Software

Presenter

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED

Page 3

Agenda

Challenging automotive software

How defects are introduced

Five strategies

Q&A

Page 4

Challenging automotive software

Page 5

Automotive hacks are well documented

Page 6

Real numbers

2014 marked the highest number of recalls ever, affecting over 60 million vehicles

The number of data breaches has climbed steadily in the past 10 years: 800 predicted in 2015

Page 7

How defects are introduced

Page 8

“What really amazes me is the sheer number of lines of code of software running on all these ECUs, especially if compared to other products and computer software. A modern high-end car features around 100 million lines of code, and this number is planned to grow to 200-300 million in the near future.”

- Andrea Busnelli

Page 9

The software supply chain

[Diagram: sources feeding into your product: open source, COTS, contractors, ISV, and legacy code, followed by integrate and test. A “Cost to fix defects” scale runs from $ to $$$$.]

Page 10

The software supply chain

What happens when outsourcing goes wrong?

– Software suppliers can introduce risks (security, functional, compliance) before they reach you

– Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize

– If hooks are left in the code, sensitive data can be sent back to the supplier

Page 11

The software supply chain – example

Toyota unintended acceleration – Electronic Throttle Control System (ETCS)

“…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant”

Page 12

Our changing workplace

Agile, continuous integration, continuous delivery

Understanding processes

Educating teams

Implementing tools

Enforcing compliance

Measuring success

Adopting new standards

Systems integrators vs. systems builders

Multiple development teams


Page 13

The Internet of Things (connected car)

Page 14

So what does this mean?

More and more software running inside embedded systems

More and more software running inside your car

Multiple sources of software being integrated

Software that has to run for many years

– Cars with millions of lines of code, dozens of processors

– Multiple systems interconnected

– Designed years ago without security in mind

– New code, COTS, suppliers, legacy, open source

– Different platforms, people, and processes

– Vulnerabilities and bugs will last for years

– Not an easy update/upgrade path

– Automation will be critical

– Certification is inevitable

This requires a very significant security, safety, & functional verification process

Page 15

Strategy #1

Adopt proven, accepted standards

Page 16

Well-known, proven security standards

Not-so industry standard

Go beyond the standards you know already

OWASP Top 10 identifies common vulnerabilities from over 500,00 issues being researched today

CWE is a community-driven identification of weaknesses, e.g. CWE-20: Improper Input Validation

ISO 26262, MISRA (automotive)

Page 17

Strategy #2

Promote software policies

Page 18

Open source example

Open source fills a specific technical gap in your product or development environment – delivered “as is” and rarely created with security in mind

Most organizations don’t know where and how OSS is being used

Using risky components is #9 on OWASP’s Top 10 list

Over 50% of enterprise organizations adopt and contribute to OSS today

Page 19

Promote smart open source use

Establish an OSS policy to minimize risk

Use only trusted packages

Notify and update security fixes

Reduce technical risk with OSS support

Know your inventory with OSS scanning

Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations

Look for scanning tools that are SaaS and protect your IP by not requiring source code upload

Get notified of latest patches, risks, and bugs

Page 20

Strategy #3

Find security flaws earlier

Page 21

How do hacks happen?

Data breaches are the result of one flawed assumption: incoming data is well-formed

Most breaches result from input trust issues:

– SQL injection

– Unvalidated input

– Heartbleed: buffer overrun

– BMW patch: HTTP vs. HTTPS

– Cross-site scripting
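The “incoming data is well-formed” assumption from this slide, shown as an added C example that is not part of the presentation or of any Rogue Wave product: a parser for a constructed length-prefixed record format, in which the sender-declared length is checked against both the bytes actually received (the over-read behind the Heartbleed entry above) and the destination buffer (the overflow that the static analysis described later in the deck looks for). The wire format, the function and type names, and the two sample messages are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not from the slides):
 *   byte 0     : record type
 *   bytes 1..2 : payload length as declared by the sender, big-endian
 *   bytes 3..  : payload
 * The two checks in parse_record() are exactly what the "incoming data is
 * well-formed" assumption skips: a length-field over-read and a length-field
 * overflow of the destination buffer. */
#define HDR_LEN     3
#define MAX_PAYLOAD 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,        /* fewer than HDR_LEN bytes received */
    PARSE_LEN_EXCEEDS_INPUT,   /* sender claims more payload than it sent */
    PARSE_LEN_EXCEEDS_OUTPUT   /* claimed payload would not fit our buffer */
};

struct record {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Validates every field against what was actually received before touching memory. */
enum parse_status parse_record(const uint8_t *in, size_t in_len, struct record *rec)
{
    if (in == NULL || rec == NULL || in_len < HDR_LEN)
        return PARSE_SHORT_HEADER;

    uint16_t declared = (uint16_t)(((unsigned)in[1] << 8) | in[2]);

    /* Check 1: the declared length is untrusted input (CWE-20 on the slide).
     * Bound it by the bytes we really hold; trusting it here is the over-read
     * pattern behind Heartbleed. */
    if (declared > in_len - HDR_LEN)
        return PARSE_LEN_EXCEEDS_INPUT;

    /* Check 2: it must also fit the destination, or memcpy writes past payload[]. */
    if (declared > MAX_PAYLOAD)
        return PARSE_LEN_EXCEEDS_OUTPUT;

    rec->type = in[0];
    rec->len  = declared;
    memcpy(rec->payload, in + HDR_LEN, declared);
    return PARSE_OK;
}

/* Constructed sample messages. */
static const uint8_t good_msg[]  = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t lying_msg[] = { 0x01, 0xFF, 0xFF, 'h', 'i' };  /* declares 65535, sends 2 */

/* Runs both samples; returns how many behaved as expected (2 when the checks hold). */
int run_samples(void)
{
    struct record r;
    int expected = 0;

    if (parse_record(good_msg, sizeof good_msg, &r) == PARSE_OK
        && r.len == 5 && memcmp(r.payload, "hello", 5) == 0)
        expected++;
    if (parse_record(lying_msg, sizeof lying_msg, &r) == PARSE_LEN_EXCEEDS_INPUT)
        expected++;
    return expected;
}

int main(void)
{
    printf("%d of 2 sample messages handled as expected\n", run_samples());
    return 0;
}
```

The order of the two checks matters: the input bound is tested first so that a length which is both larger than the received data and larger than the buffer is reported as a sender problem rather than a local capacity problem, which is the more useful signal in a log.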


Page 22

What can you do?

All of the supply chain needs to be secure, not just your code but the code of the packages included in your software

Follow a well-known security standard applicable to your domain

Need to “bake in” security

Educate the development team, provide security-based training

Automate to find flaws as soon as possible!

Page 23

Strategy #4

Deploy automatic, agile testing

Page 24

Build into process

Automate the build process

Automate testing

Automate the discovery of security weaknesses, compliance violations, defects

Free up developers’ time

Page 25

Analysis and testing

Static code analysis

Traditionally used to find simple, annoying bugs

Modern, state-of-the-art SCA

– Sophisticated inter-procedural control and data-flow analysis

– Model-based simulation of runtime expectation

– Provides an automated view of all possible execution paths

– Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows

– Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262

Page 26

Analysis and testing

Check code faster

• Issues identified at developer’s desktop

– Correct code before check-in

– All areas impacted by a given defect are highlighted

– After system build, the impact of other developers’ code is also delivered to the desktop for corrective action

• Create custom checkers to meet specific needs

• Debugger-like call-stack highlights the cause of the issues

• Context-sensitive help provides industry best-practices and explanations

[Diagram: Build, then Analysis / Test, annotated “50% of defects introduced here”.]

Page 27

Strategy #5

Stay on top of things

Page 28

Build into process

Automate the build process

Automate testing

Automate reporting

Automate the discovery of security weaknesses, compliance violations, defects

Free up developers’ time

Seeing trends helps identify areas of bad code

Page 29

Monitor issues closely

Security Vulnerabilities

License Violation

Page 30

Q&A

Page 31

See us in action:

www.roguewave.com

Rod [email protected]

Page 32