Todays cars are as much defined by the power of their software as the power of their engines. Almost any car feature you can name is now digitized to provide drivers with easier operation and better information. Technological innovation is accelerating, enabling automobiles to monitor and adjust their position on the highway, alerting drivers if theyre drifting out of their lane, even automatically slowing down when they get too close to another car. <\/p>\n
More and more vehicles are connected, equipped with Internet access, often combined with a wireless local area network to share that access with other devices inside as well as outside the vehicle. And whether were ready or not, well soon be sharing the roads with autonomous vehicles. <\/p>\n
Driving the technology revolution in the automotive industry is software, and that software is built on a core of open source. Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities such as the core operating system and components connecting the various pieces together and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development. <\/p>\n
But just as lean manufacturing and ISO-9000 practices brought greater agility and quality to the automotive industry, visibility and control over open source will be essential to maintaining the security of automotive software applications. <\/p>\n
When you put new technology into cars, you ran run into security challenges. For example: <\/p>\n
Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their cars software, but also the hidden vulnerabilities that could be introduced by open source components in that software. <\/p>\n
As auto OEMs work with software providers, a growing set of open source components is making its way into automobile systems. Open source code is being channeled through countless supply chains in almost every part of the automotive ecosystem. <\/p>\n
When a supplier or auto OEM is not aware all the open source in use in its products software, it cant defend against attacks targeting vulnerabilities in those open source components. Any organization leveraging connected car technology will need to examine the software eco-system it is using to deliver those features, and account for open source identification and management in its security program. <\/p>\n
To make progress in defending against open source security threats and compliance risks, both auto OEMS and their suppliers must adopt open source management practices that: <\/p>\n
FULLY INVENTORY OPEN SOURCE SOFTWARE: Organizations cannot defend against threats that they do not know exist. A full and accurate inventory (bill of materials) of the open source used in their applications is essential. <\/p>\n
MAP OPEN SOURCE TO KNOWN SECURITY VULNERABILITIES: Public sources, such as the National Vulnerability Database provide information on publicly disclosed vulnerabilities in open source software. Organizations need to reference these sources to identify which of the open source components they use are vulnerable. <\/p>\n
IDENTIFY LICENSE AND QUALITY RISKS: Failure to comply with open source licenses can put organizations at significant risk of litigation and compromise of IP. Likewise, use of out-of-date or poor quality components degrades the quality of applications that use them. These risks also need to be tracked and managed. <\/p>\n
ENFORCE OPEN SOURCE RISK POLICIES: Many organizations lack even basic documentation and enforcement of open source policies that would help them mitigate risks. Manual policy reviews are a minimum requirement, but as software development becomes more automated so too must management of open source policies. <\/p>\n
ALERT ON NEW SECURITY THREATS: With more than 3,500 new open source vulnerabilities discovered every year, the job of tracking and monitoring vulnerabilities does not end when applications leave development. Organizations need to continuously monitor for new threats as long as their applications remain in service. <\/p>\n
As open source use continues to increase in the auto industry, effective management of open source security and license compliance risk is becoming increasingly important. By integrating risk management processes and automated solutions into their software supply chain, automakers, suppliers, and technology companies servicing the automotive industry can maximize the benefits of open source while effectively managing their risks. <\/p>\n
<\/p>\n