EuroAsiaSPI2 is also known as European & Asian System, Software & Service Process Improvement & Innovation. The EuroAsiaSPI² conference presents and discusses results from systems, software and services process improvement and innovation or SPI projects in industry and research, focusing on the gained benefits and the criteria for success. This year’s event is the 21st of a series of conferences to which international researchers and professionals contribute their lessons learned and share their knowledge as they work towards the next higher level of software management professionalism.
I’ll be speaking on Software Safety and Security through Standards
Software has moved from the desktop in just about everything we touch. From smart thermostats to infusion pumps to cars software is pervasive and growing. These so-called “things” from the Internet-of-Things are increasingly carrying more logic and with it a larger risk of failure. Many of these devices are using in safety critical areas such as medical and automotive where they have a particular potential for bodily harm.
Most companies that have been building devices rightly view current software development as an almost insane group of cowboys and chaos. But there is hope, software CAN and MUST be treated an engineering practice. Coding standards move us from the build, fail, fix cycle back into a design, build, deliver cycle with high quality, safety, and security.
As it turns out, these same standards also provide benefits in the areas of cybersecurity, doing double duty. We will explore how standards help us move from finding bugs to building more robust software, how to prevent problems in the first place by proper coding, and how to leverage the efforts of others by using common accepted industry standards such as MISRA to achieve this goal.
We all knows that automotive software is becoming increasingly complex. It’s gotten to the point that high-end cars not only have more code than jet fighter aircraft, but a LOT more code – in some cases as much as 100 million lines of code. Given that the automobile is a complex creation with lots of smart parts talking on multiple buses, trying to ensure that it’s bug-free is a frustrating and difficult task.
Anyone who knows me knows that I’m a huge proponent of software-development-as-engineering. This means that instead of simply chasing bugs and trying to test quality into a product, we change the way we build software and start by producing code that is less susceptible to bugs. Static analysis is the way to do this. For several years now a few vendors have been pushing the idea that static analysis is only for finding bugs, but it’s real power is in prevention. If you want your car to not have serious problems when it rolls out the door, static is your best friend.
Last week Adam Trujillo and I wrote an article in Embedded Computing Design detailing three simple static analysis rules to get you a jump-start into producing better automotive software. As it turns out there are a few MISRA rules that end up preventing a large number of very common and potentially dangerous problems such as buffer overflow.
It’s a short article but very practical. Give it a read and if you want to know more, be sure to let us know.
Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term, especially as it applies to automotive and I mostly agree with him. But appsec is also pretty poorly fitted to automotive so maybe we should be calling it AutoSec. Feel free to chime-in using the comments below or on twitter.
I guess the point is that as cars get more complicated and get more “smart” parts and get more connected (The connected car) as part of the “internet of things”, you will start to see more and more automotive security breaches occurring. From taking over the car to stealing data to triggering airbags we’ve already had several high-profile incidents which you can see in my IoT Hall-of-Shame.
To help out we’ve put together a high-level overview of a 7-point plan to get you started. In the near future we’ll be diving into detail on each of these topics, including how standards can help you not only get quality but safety and security, the role of black-box, pen-test, and DAST as well as how to get ahead of the curve and harden your vehicle software using static code analysis (SAST) and hybrid testing (IAST).
The webinar was recorded for your convenience, so be sure and check it out. If you have automotive software topics that are near and dear to your heart, but sure to let me know in the comments or on Twitter or Facebook.