Tools, Partnerships Provide Security for Software

February 11, 2014

Terry Costlow

Klocwork’s tools check for security issues as software is being written.

Security is becoming a major factor for automakers, driven by several of the dominant industry trends. Connectivity and increasing volumes of software are among the factors prompting many design teams to partner with security specialists.

In recent months, suppliers and automakers announced joint programs. Renault is partnering with AVG Technologies and Visteon is working closely with Secunet, for example. The most recent came early this year when Klocwork became part of the QNX Automotive Safety Program for ISO 26262. Klocwork, recently acquired by Rogue Wave Software, makes a source code analysis tool that alerts developers to potential security vulnerabilities or reliability issues.

“The program looks for anomalies and other issues without running the software,” said Steven Howard, Software Quality Consultant at Klocwork. “It looks through the parts of code that have potential issues like boundary overruns and memory leaks. These checks can occur while code is being written, sort of like a spell-check program.”

The auto industry didn’t have many concerns until recent trends highlighted potential vulnerabilities. Infotainment systems can be a primary avenue for malware since radio head units connect with smart phones and telematics systems. If hackers find a breach anywhere, they can potentially assault any of the millions of lines of code in a vehicle. Design teams creating this software have largely acknowledged the need to address security issues.

“When vehicles get to the point of having millions of lines of code that includes packages from open source libraries and has a mix and match of software from different suppliers, automakers have to check it out thoroughly,” said Philip O’Hara, Klocwork’s Director for Europe, Middle East and Africa. “Three years ago, most of them were content to implement the MISRA standard, but in the last two years there’s been a complete change in this environment.”

The negative publicity Target stores received after the retailer’s security was breached highlight the potential fallout from leaving vulnerabilities in code. Howard noted that design teams need to test individual programs and assess the interactions between multiple programs.

“Developers want to make sure the code is secure so hackers won’t make the company fall over,” he said. “This software tells programmers where problems are in the code. It also looks at the overall system.”

Klocwork is among the many companies that provide software tools that let developers check their work throughout the design process, beginning in the early stages of development. These virtual tests help find errors early in the process, helping to make physical prototypes a place to prove simulation results instead of a place to detect bugs.

“Traditionally, the only way to test code is to run it,” Howard said. “The longer you wait to find problems, the more it costs to fix them.”