Cybersecurity overview - Open source compliance seminar


Upload: rogue-wave-software

Post on 10-Jan-2017


TRANSCRIPT

Page 1: Cybersecurity overview - Open source compliance seminar

Cyber Security Overview

Jeff Hildreth, Sr. Account Executive, Automotive & Aerospace/Defense, [email protected]

Page 2

Agenda
• Why is this a reality in Automotive
• How to mitigate risk
• Augment existing processes to demonstrate security compliance

Page 3

Cybersecurity. Why do I care?

Page 4

Page 5

Cyber Supply Chain Management and Transparency Act of 2014

Page 6

[Diagram: ISO 26262 V-model. Development phases: Requirements Analysis, System Design, Component Design, Component Implementation, Component Test, System Integration, System Test. Safety activities: Item Definition, Hazard and Risk Analysis, System Safety Concept, System and Component Design, Qualitative Safety Analyses, Quantitative System Analyses, Safety Case, Verification and Validation. Annotation: SECURITY?]

ISO 26262

Page 7

Agile Development – Integrated Security

[Diagram: agile loop. Sprint 1, Sprint 2, ... Sprint n, each followed by Integrate and Test, then Release. Accept? No: Change (Adjust and Track), Feedback (Review), Next Iteration. Yes: Release to Market.]

Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs

Page 8

[Diagram: Application code, 3rd party components, APIs and Web Services]

Ensure the open source code provider has a strong security plan

Prevent buffer overflows and ensure your code is safe before adding it to your code

Test your code

Look for flaws early

Make security a priority

Page 9

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Common attacks

Organizations have failed to prevent attacks
• Lack of time
• Lack of focus
• Lack of tools/proper tools

Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data

• SQL injection
• Unvalidated input
• Cross-site scripting

Most breaches result from input trust issues

• Heartbleed: buffer overrun
• BMW patch: HTTP vs. HTTPS

Page 10

Security is hard but it’s important


Agile, continuous integration, continuous delivery

Understanding processes

Educating teams

Implementing tools

Enforcing compliance

Measuring success

Adopting new standards

Systems integrators vs. systems builders

Multiple development teams

Page 11

Who owns security?


Security is everyone’s responsibility

Developers
• Focused on making code functional
• Meeting deadlines
• Developing code faster
• Security is an afterthought

IT
• Cleaning up the aftermath of breaches
• Preventing system hacks
• Creating a safe structure
• Security is a priority


Tools
• Automate detection of vulnerabilities
• Fit into existing processes
• Aggregate reports to see trends

Page 12

Understanding vulnerabilities

Klocwork: On-the-fly scanning

OpenLogic: Secure open source

[Diagram: “On-the-fly” Analysis, Build Analysis / Test]

Organizations need automation and scanning support

Page 13

Open Source and CVE

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system as well as the US National Vulnerability Database.

• Audit your code
• Review CVE
• Monitor & Remediate

Page 14

Defect reduction efforts

OWASP, MISRA, ISO 26262

See where and how the defects are being reduced

Chart defects and establish a baseline in order to focus on priorities

Compliance with standards

Continuous reporting & trending

Agile development team: baseline scanning, triage the critical issues first