In the last decade, there have been 633 automotive cybersecurity incidents. Yet, this year at Black Hat, the automobile industry was able to breathe a momentary sigh of relief when a connected vehicle was presented as a hacking challenge, and no one succeeded. This stood in stark contrast to 2015 when researchers demonstrated the real danger of automotive cyber-attacks by hijacking a jeep remotely and taking over the entire system. Technology is even more deeply integrated into all aspects of a vehicle now, and an estimated 75% of vehicles shipped in 2020 having some connection to the internet, which underscores just how crucial automotive cybersecurity is for customer safety.
2021 Raises Automotive Software Standards
While the Black Hat demonstration underscores the progress of the industry in recent years, there is still a lot of work to do. Various regulatory standards organizations have helped in these efforts, requiring carmakers and manufacturers of automotive components to adhere to secure development processes. These requirements include testing and audits of the security of the software used in all connected vehicles built today.
ISO/SAE 21434 — Securing Connected Vehicles on the Road
The newest standard, ISO/SAE 21434 was officially released August 31, 2021. It addresses the cybersecurity of electrical and electronic (E/E) systems within road vehicles in a couple of ways:
- It requires engineers to include state-of-the-art technology in all E/E systems to protect against evolving cyberattack methods.
- It focuses on the cybersecurity risks in the design and development of car electronics, ensuring that Original Equipment Manufacturers (OEMs) and all participants in the supply chain implement structured processes that support “Security by Design.”
ISO/SAE 21434 represents a collaboration between two standards development entities — the . Standards introduced by the International Organizations for Standardization (ISO) and Society Automotive Engineers (SAE) International. The jointly published standard is an extension of the first automotive cybersecurity standard created, SAE J3061, which bakes cybersecurity into cyber-physical vehicle systems from conception through production, operation, service, and decommissioning. It includes provisions for identifying and assessing cybersecurity threats using static application security testing (SAST) and dynamic application security testing (DAST. SAE J3061 also includes additional guidelines for penetration testing as well as validation of assessments completed for effectiveness.
SAST, or white box testing, looks at the underlying framework and code of an application for vulnerabilities and coding errors, essentially testing from the inside out before an application is released. Access to source code is required.
DAST, or black box testing, seeks to identify vulnerabilities by testing running applications from the outside in, so source code is not required. Both are essential for thorough application security testing.
Advantages of SAST and DAST Testing
SAST is done in the early stages of software development, so any weaknesses that are found can be mitigated rather easily and before they pose a risk of exploitation. SAST tools help verify that the underlying code in an application is strong, providing a secure foundation. They also work quickly and can be automated to ensure compliance.
DAST testing allows for functional testing of existing code that is running. Unlike static testing, which reviews the code before it is compiled, DAST attacks the running code as a cybercriminal would — by using various techniques to identify weaknesses and exploit them. It does not require access to the source code.
Modern DAST Solutions
DAST testing in automotive is more complicated because vehicles have different interfaces than standard computers connected to the internet. This can require customization and specialized hardware to test.
Customizing DAST to understand existing protocols is often a very unique and challenging process. Fortunately, advanced DAST testing tools for the automotive industry
already have protocols pre-defined and configured, allowing testers to use them immediately rather than sinking large amounts of time into configuration or hiring expensive external experts to do the initial setup.
Legacy DAST tools take a scattershot approach to testing and either generate excessive random data testing edge cases or require pre-defining test cases from scratch to be effective. Modern DAST solutions can run sequential data testing to make it easier to record, pinpoint, and recreate exceptions. They can take incomplete protocol descriptions and generate fuzzing approaches within the specification to cover the entire protocol and not just specific defined cases.
Modern DAST tools come with existing pre-built modules that cover numerous protocols rather than designing test cases from scratch. In addition, DAST tools with intelligent fuzzers use prioritization algorithms to quickly target high probability vulnerabilities rather than generating large amounts of random data done by legacy tools. This allows for completely covering a protocol in testing using the combination of all tests.
Modern SAST Solutions
Legacy SAST solutions focused on identifying patterns that indicate potential vulnerabilities. This generated large numbers of false positives causing many developers to ignore results altogether. Otherwise, organizations had to spend significant amounts of time for developers to tune the tool so that results were more valid over time.
Modern SAST tools are more contextually aware with the ability to trace execution paths. This allows the tool to filter out code results that could be a vulnerability but are inaccessible to an attacker. These tools are also set to map to industry-standard regulations such as OWASP Top 10, SANS top 25, Common Weakness Enumeration (CWE), and CERT Secure Coding Guidelines. So when vulnerabilities are identified, they are relevant and actionable.
Application Security Test Monitoring
Test monitoring should detect and record when an exploit occurred, including the exact parameters that triggered the vulnerability. This data helps generate reports that allow programmers to debug the application using their chosen development environment effectively.
Robust reporting also allows independent auditors to assess testing effectiveness and how well it aligns with the standards. Insufficient reporting could make it difficult to show compliance with the new standards.
Automotive Cybersecurity is More than Compliance
Automotive Cybersecurity testing is not simply about meeting compliance objectives but improving the overall quality and safety of the product delivered to the end-user. With comprehensive DAST and SAST testing, organizations can show the due diligence required to meet compliance objectives while identifying flaws and vulnerabilities that could compromise the safety of vehicle operators. By baking testing into the development process early on, manufacturers and developers can proactively identify issues and remediate them before making it to the road.
Learn how BeSTORM can help your team perform comprehensive, dynamic security testing on any software or hardware – before hackers do. Discover code weaknesses and certify the security strength of any product without access to source code. Test any protocol or hardware with beSTORM, even those used in IoT, process control, automotive and aerospace.