Automotive Archives - Code Curmudgeon

Keynote at EuroAsiaSPI2 2016 Conference

Posted on August 24, 2016 by Code Curmudgeon

If you’re going to be in Europe in September, I’ll be speaking at the EuroAsiaSPI2 2016 conference in Graz, Austria on September 15th. EuroAsiaSPI2...

Prevent Automotive Software Bugs with Static Analysis

Posted on February 4, 2016 by Code Curmudgeon

We all knows that automotive software is becoming increasingly complex. It’s gotten to the point that high-end cars not only have more code than...

AutoSec Automotive CyberSecurity

Posted on February 2, 2016 by Code Curmudgeon

Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term,...

Definitioner

CAN (Controller Area Network): Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.
IAST: IAST is interactive application security testing. It's also been known variously as hybrid security testing, gray-box, and glass-box. This technique blends the inside-out approach of SAST with the outside-in approach of DAST to give you deep code-level visibility of a running application while it's in a real running state. This helps reduce false positives but still has the thoroughness limitations of black-box techniques in that it's only as good as the test suite being run in terms of coverage.
DAST: DAST tests an application for security vulnerabilities by monitoring and probing an application while it is actually running - thus the dynamic test. DAST starts from inputs and is a black-box or external view. This gives is a very realistic view of application behavior, but is difficult to be completely thorough. Penetration testing or pen-test is a common form of DAST.
SAST: SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.
Internet of Things: common devices that have been internet enabled in order to remotely monitor and manage them, or collaborate with other devices, or provide extra functionality by accessing the internet. Like an internet enabled thermostat that you can control with your smartphone - see the Nest from Google.
static code analysis (4G): The 4th generation of cellular wireless standards - it's the successor the 3G. There is a vast difference between how carriers interpret and implement 4G at the current time, ranging from HSPA to WiMax to LTE, each has difference performance characteristics. The standard requires peak data rates from 100 Mbit/s for high mobility to 1Gbit/s for low mobility.
static code analysis (early-adopter): Someone who likes to have the latest and greatest things. They upgrade because something is newer, bigger, faster, has better numbers, etc. Sometimes they're right, but frequently the benefit of the new numbers is not measurable.
static code analysis (pattern-based analysis): A form of static analysis where patterns of either good or bad code are stored as rules and compared against a code base without executing the code, to find potential violations.
static code analysis (static analysis): Any form of software analysis that can be done on the code without actually executing the code. Encompasses techniques like pattern-based analysis, metrics, code review, etc.