Embracing a More Advanced Application Security Framework
January 11, 2022
By nature, automotive software is complex.
It encompasses a huge code base and spans critical onboard systems. For years, manufacturers have relied on MISRA C/C++ coding guidelines to aid in software development. The framework delivers practical benefits and security gains for the automotive industry—and beyond.
Many development teams creating automobile software use MISRA guidelines with application security tools, including Static Application Security Testing (SAST). This makes it possible to spot syntax and other coding errors en route to reducing the risk of security vulnerabilities and critical safety issues. The framework also aids in lowering development costs and speeding time-to-market.
Yet, using these guidelines and tools together at maximum effectiveness can prove challenging. The problem? Many application security (AppSec) tools require heavy manual intervention or oversight in order to fully understand how they impact various processes.
Cracking the Code
At the heart of the problem is a basic fact: enforcing the MISRA standard is difficult when it’s approached on a manual basis. Many basic AppSec tools handle only rule checking—thus providing some help but sidestepping the core issues related to application security. They don’t address crucial tasks such as error detection and security vulnerability analysis.
Unfortunately, following basic MISRA guidelines does not provide adequate protection. While it can eliminate some errors and improve code quality in C or C++, it doesn’t take aim at vast code libraries and increasingly complex development practices. Errors and defects remain an unfortunate and unavoidable side effect of writing code.
It’s a problem all auto manufacturers face. Research indicates that commercial software averages one defect per 1,000 lines of code (KLOC). While open source performs a bit better, it measures in at 0.68/KLOC, it nevertheless remains a serious concern. Consider: today’s luxury vehicle has somewhere around 100 million lines of code. Even in a best-case scenario, this represents approximately 10,000 potential defects impacting quality, safety, and security.
Of course, remediating problems and fixing things after the fact is costly and time consuming. It also puts a strain on consumers when vehicles are recalled to fix software defects. Unfortunately, the root cause of the problem usually remains unknown and it’s difficult to find the actual source of the vulnerability. This means that the developer must reproduce the failure, analyze it, and try to understand how it impacts other parts of the code base. In reality, it means that many bugs may never get fixed.
However, when organizations integrate AppSec, including SAST, into the development process in a deeper and broader way, it’s possible to take security to a more advanced level. No longer are organizations limited to a partial snapshot of the code base. It’s possible to drill into it, gain visibility, and test more exhaustively. With SAST, defects can be addressed and fixed earlier in the development process accelerating software releases and ensuring quality, safety, and security.
The good news is that advanced testing solutions support a more comprehensive application security framework. They can spot defects that slip through traditional development methods. This includes identifying critical issues such as:
- Concurrency defects that often occur randomly and are only visible after an organization integrates various systems and code repositories on the final hardware platform.
- Security vulnerabilities, a.k.a. software defects, that can be exploited by attackers so that they can interfere with a system’s behavior and gain access to critical data.
- Tainted data analysis that warns of potential vulnerabilities may not be well-formed. Because this data passes through numerous systems it’s often difficult to spot.
- Complex inter-procedural defects that are difficult to detect, especially with unit and subsystem testing.
- Error detection in compiled code that appears as object files, libraries, and executables. These can mask critical security issues.
While some MISRA rules are straightforward enough to rely only on a code-syntax checker, it’s a mistake to rely on that approach alone. A better approach is to extend analysis deeper and address the critical issues outlined above. This includes the ability to generate a software bill of materials (SBOM) that identifies the ingredient list of the software—including third-party and open source components.
An SBOM would also be accompanied by vulnerability reports of these identified components. This allows an organization to detect hidden issues that might impact the security and safety of the software. A more advanced framework can also detect difficult situations, such as when it’s necessary to look at multiple connection points, examine all compilation units and compare all such identifiers found in each. These often lead to false-positives and false-negatives.
Adding to the challenge: humans frequently misinterpret these situations—especially when relying on manual tools and reporting. In the end, an organization is left in the dark when trying to fully understand supersets and subsets of rules, identify security gaps and avoid dead code. On the other hand, a best practice framework can spot overlaps and gaps between what a rule specifies and what the checker finds.
This model ultimately delivers risk-reduction and time-savings by finding and fixing defects and vulnerabilities in early stages of development. It typically automates documentation and slashes costs. This added level of documentation, in turn, improves the governance framework and simplifies regulatory compliance. By integrating the solution into a safety-critical environment, automobile manufacturers, and others can achieve dramatic gains.
Today, enterprise-level development projects require sophisticated testing frameworks that support and enhance the full software development lifecycle—including integrating with other development automation tools. The ability to reach beyond MISRA rule enforcement and basic AppSec fuels enormous gains. It improves protection, lowers costs, and frees developers to focus on what they do best: build great software.
Mark Hermeling, senior director of product marketing for GrammaTech, has more than 20 years of experience in software development tooling, operating systems, virtualization, and networking technology in safe and secure, embedded and real-time systems. He has worked on projects building automotive, networking, aerospace and defense and industrial devices in North America, Europe and Asia. Mark also worked for Wind River Systems (an Intel Corporation subsidiary), Zeligsoft and IBM Rational.