My friend Kevin Greene is devoted to improving the state of software security in the United States and he’s passionate about it. Kevin now has a regular podcast at FedScoop on cybersecurity insights and perspectives and it’s well worth listening to.
We recently got together and chatted about the state of cybersecurity today. In particular we talked about the “Internet of Things” (IoT) and my IoT Hall-of-Shame as well as static analysis in general. Kevin was instrumental in getting the Software Assurance Marketplace (SWAMP) setup and funded and we talked about our participation there as well.
“Probably if we did a really great job [with software security], the rest of cybersecurity would be a whole lot easier.”
We all knows that automotive software is becoming increasingly complex. It’s gotten to the point that high-end cars not only have more code than jet fighter aircraft, but a LOT more code – in some cases as much as 100 million lines of code. Given that the automobile is a complex creation with lots of smart parts talking on multiple buses, trying to ensure that it’s bug-free is a frustrating and difficult task.
Anyone who knows me knows that I’m a huge proponent of software-development-as-engineering. This means that instead of simply chasing bugs and trying to test quality into a product, we change the way we build software and start by producing code that is less susceptible to bugs. Static analysis is the way to do this. For several years now a few vendors have been pushing the idea that static analysis is only for finding bugs, but it’s real power is in prevention. If you want your car to not have serious problems when it rolls out the door, static is your best friend.
Last week Adam Trujillo and I wrote an article in Embedded Computing Design detailing three simple static analysis rules to get you a jump-start into producing better automotive software. As it turns out there are a few MISRA rules that end up preventing a large number of very common and potentially dangerous problems such as buffer overflow.
It’s a short article but very practical. Give it a read and if you want to know more, be sure to let us know.
Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term, especially as it applies to automotive and I mostly agree with him. But appsec is also pretty poorly fitted to automotive so maybe we should be calling it AutoSec. Feel free to chime-in using the comments below or on twitter.
I guess the point is that as cars get more complicated and get more “smart” parts and get more connected (The connected car) as part of the “internet of things”, you will start to see more and more automotive security breaches occurring. From taking over the car to stealing data to triggering airbags we’ve already had several high-profile incidents which you can see in my IoT Hall-of-Shame.
To help out we’ve put together a high-level overview of a 7-point plan to get you started. In the near future we’ll be diving into detail on each of these topics, including how standards can help you not only get quality but safety and security, the role of black-box, pen-test, and DAST as well as how to get ahead of the curve and harden your vehicle software using static code analysis (SAST) and hybrid testing (IAST).
The webinar was recorded for your convenience, so be sure and check it out. If you have automotive software topics that are near and dear to your heart, but sure to let me know in the comments or on Twitter or Facebook.
It’s a retro style game in which you simultaneously control three independent characters as they travel through time to save their kidnapped friend. Gunman, Shieldman, and Swordman must cooperate with unique abilities to traverse dangerous puzzles and fight monstrous baddies.
Please take a look and upvote him so he can release his game on Steam! This is a one-man project which he has invested a TON of his energy and creativity into, from art to design to music to programming. Especially, if you know anyone you’ve ever heard complain that games these days are too easy, please point them at this! It’s got a great retro feel with crazy complex gameplay!
Alternate game modes that help explore the concept of controlling 3 with 1.
Nine distinct time periods that can be tackled in any order.
Unique game play and design.
Xbox360 and XboxOne controller support (highly recommended!)
21 homemade audio tracks.
Retro pixel art.
Powered by Unity.
Art, music, programming, and design all done by one person.