Building Secure Cars - Assuring the Automotive Software Development Lifecycle

Read more

BUILDING SECURE CARS
 
Explores how the automotive industry can address the increased risks of cyberattacks and incorporate security into the software development lifecycle
 
While increased connectivity and advanced software-based automotive systems provide tremendous benefits and improved user experiences, they also make the modern vehicle highly susceptible to cybersecurity attacks. In response, the automotive industry is investing heavily in establishing cybersecurity engineering processes.
 
Written by a seasoned automotive security expert with abundant international industry expertise, Building Secure Cars: Assuring the Automotive Software Development Lifecycle introduces readers to various types of cybersecurity activities, measures, and solutions that can be applied at each stage in the typical automotive development process.
 
This book aims to assist auto industry insiders build more secure cars by incorporating key security measures into their software development lifecycle. Readers will learn to better understand common problems and pitfalls in the development process that lead to security vulnerabilities. To overcome such challenges, this book details how to apply and optimize various automated solutions, which allow software development and test teams to identify and fix vulnerabilities in their products quickly and efficiently. This book balances technical solutions with automotive technologies, making implementation practical. Building Secure Cars is:
* One of the first books to explain how the automotive industry can address the increased risks of cyberattacks, and how to incorporate security into the software development lifecycle
* An optimal resource to help improve software security with relevant organizational workflows and technical solutions
* A complete guide that covers introductory information to more advanced and practical topics
* Written by an established professional working at the heart of the automotive industry
* Fully illustrated with tables and visuals, plus real-life problems and suggested solutions to enhance the learning experience
 
This book is written for software development process owners, security policy owners, software developers and engineers, and cybersecurity teams in the automotive industry. All readers will be empowered to improve their organizations' security postures by understanding and applying the practical technologies and solutions inside.

List of contents

Preface xi
 
About the Author xiii
 
1 Overview of the Current State of Cybersecurity in the Automotive Industry 1
 
1.1 Cybersecurity Standards, Guidelines, and Activities 3
 
1.2 Process Changes, Organizational Changes, and New Solutions 6
 
1.3 Results from a Survey on Cybersecurity Practices in the Automotive Industry 8
 
1.3.1 Survey Methods 8
 
1.3.2 Report Results 9
 
1.3.2.1 Organizational Challenges 9
 
1.3.2.2 Technical Challenges 10
 
1.3.2.3 Product Development and Security Testing Challenges 11
 
1.3.2.4 Supply Chain and Third-Party Components Challenges 11
 
1.3.3 How to Address the Challenges 12
 
1.3.3.1 Organizational Takeaways 12
 
1.3.3.2 Technical Takeaways 13
 
1.3.3.3 Product Development and Security Testing Takeaways 13
 
1.3.3.4 Supply Chain and Third-Party Components Takeaways 13
 
1.3.3.5 Getting Started 14
 
1.3.3.6 Practical Examples of Organizations Who Have Started 15
 
1.4 Examples of Vulnerabilities in the Automotive Industry 16
 
1.5 Chapter Summary 18
 
References 19
 
2 Introduction to Security in the Automotive Software Development Lifecycle 23
 
2.1 V-Model Software Development Process 24
 
2.2 Challenges in Automotive Software Development 25
 
2.3 Security Solutions at each Step in the V-Model 26
 
2.3.1 Cybersecurity Requirements Review 27
 
2.3.2 Security Design Review 27
 
2.3.3 Threat Analysis and Risk Assessment 27
 
2.3.4 Source Code Review 28
 
2.3.5 Static Code Analysis 28
 
2.3.6 Software Composition Analysis 29
 
2.3.7 Security Functional Testing 29
 
2.3.8 Vulnerability Scanning 29
 
2.3.9 Fuzz Testing 30
 
2.3.10 Penetration Testing 30
 
2.3.11 Incident Response and Updates 31
 
2.3.12 Continuous Cybersecurity Activities 32
 
2.3.13 Overall Cybersecurity Management 32
 
2.4 New Technical Challenges 32
 
2.5 Chapter Summary 34
 
References 35
 
3 Automotive-Grade Secure Hardware 37
 
3.1 Need for Automotive Secure Hardware 39
 
3.2 Different Types of HSMs 41
 
3.3 Root of Trust: Security Features Provided by Automotive HSM 43
 
3.3.1 Secure Boot 44
 
3.3.2 Secure In-Vehicle Communication 45
 
3.3.3 Secure Host Flashing 46
 
3.3.4 Secure Debug Access 47
 
3.3.5 Secure Logging 47
 
3.4 Chapter Summary 48
 
References 48
 
4 Need for Automated Security Solutions in the Automotive Software Development Lifecycle 51
 
4.1 Main Challenges in the Automotive Industry 53
 
4.2 Automated Security Solutions During the Product Development Phases 55
 
4.2.1 Static Code Analysis 55
 
4.2.2 Software Composition Analysis 57
 
4.2.3 Security Testing 58
 
4.2.4 Automation and Traceability During Software Development 59
 
4.3 Solutions During Operations and Maintenance Phases 59
 
4.3.1 Cybersecurity Monitoring, Vulnerability Management, Incident Response, and OTA Updates 59
 
4.4 Chapter Summary 61
 
References 61
 
5 Static Code Analysis for Automotive Software 63
 
5.1 Introduction to MISRA and AUTOSAR Coding Guidelines 68
 
5.2 Problem Statement: MISRA and AUTOSAR Challenges 75
 
5.3 Solution: Workflow for Code Segmentation, Guideline Policies, and Deviation Management 79
 
5.3.1 Step 1: Segment the Codebase into Different Categories/Components Based on Risk 80
 
5.3.2 Step 2: Specify Guideline Policies (Set of Guidelines to Apply) Depending on Risk

About the author

Dr. Dennis Kengo Oka is an automotive cybersecurity expert with more than 15 years of global experience in the automotive industry. He received his Ph.D. in Computer Science and Engineering, with a focus on automotive security, from Chalmers University of Technology in Sweden. In the past, Dennis has worked with Volvo Car Corporation in Sweden where he bootstrapped automotive security research for remote diagnostics and over-the-air updates on vehicles. He has also worked for the Bosch Group in Japan serving both Japanese and global customers. Specifically, Dennis co-launched the automotive security practice (ESCRYPT) in Japan and was the Head of Engineering and Consulting Asia-Pacific. Dennis has also been involved in several automotive standardization activities, including the development of fuzz testing guidelines and cybersecurity testing frameworks. He has over 60 publications consisting of conference papers, journal articles, and book chapters, and is a frequent public speaker at international automotive and cybersecurity conferences and events.

Summary

BUILDING SECURE CARS

Explores how the automotive industry can address the increased risks of cyberattacks and incorporate security into the software development lifecycle

While increased connectivity and advanced software-based automotive systems provide tremendous benefits and improved user experiences, they also make the modern vehicle highly susceptible to cybersecurity attacks. In response, the automotive industry is investing heavily in establishing cybersecurity engineering processes.

Written by a seasoned automotive security expert with abundant international industry expertise, Building Secure Cars: Assuring the Automotive Software Development Lifecycle introduces readers to various types of cybersecurity activities, measures, and solutions that can be applied at each stage in the typical automotive development process.

This book aims to assist auto industry insiders build more secure cars by incorporating key security measures into their software development lifecycle. Readers will learn to better understand common problems and pitfalls in the development process that lead to security vulnerabilities. To overcome such challenges, this book details how to apply and optimize various automated solutions, which allow software development and test teams to identify and fix vulnerabilities in their products quickly and efficiently. This book balances technical solutions with automotive technologies, making implementation practical. Building Secure Cars is:
* One of the first books to explain how the automotive industry can address the increased risks of cyberattacks, and how to incorporate security into the software development lifecycle
* An optimal resource to help improve software security with relevant organizational workflows and technical solutions
* A complete guide that covers introductory information to more advanced and practical topics
* Written by an established professional working at the heart of the automotive industry
* Fully illustrated with tables and visuals, plus real-life problems and suggested solutions to enhance the learning experience

This book is written for software development process owners, security policy owners, software developers and engineers, and cybersecurity teams in the automotive industry. All readers will be empowered to improve their organizations' security postures by understanding and applying the practical technologies and solutions inside.