As the automotive industry shifts toward connected, autonomous, shared, and electric (CASE) vehicles, a robust cybersecurity program is becoming an essential part of the journey rather than an optional extra.

The software bill of materials (SBOM) has emerged as a critical component of this landscape. An SBOM is an inventory of the components, versions, and suppliers that make up a piece of software, and it gives continuous visibility into the composition of the software that powers the connected devices in today's automobiles.

With SBOMs, product security teams can more easily identify known vulnerabilities in the components they ship, manage updates, and ensure compliance with component licensing.

SBOMs: Not a Panacea

Though critical to any connected device security program, SBOMs represent just one aspect of software security. What are the limitations of SBOMs, and how can they be overcome?

The Role of SBOMs in CASE Software Security

SBOMs, together with surrounding ecosystem tools such as Vulnerability Exploitability eXchange (VEX) statements, which record whether a vulnerability reported against a listed component actually affects the product that contains it, help users identify vulnerabilities in the third-party components included in the products they make or use when manufacturing today's connected autos.

SBOMs play a vital role in managing vulnerabilities that stem from auto industry software supply chains, particularly those originating in open-source components.

What Don't SBOMs Do? 

Even with everything that SBOMs do and enable, SBOMs have limitations. An SBOM tells you which components are present, so it lets you match those components against databases of known vulnerabilities. It cannot, by itself, detect a compromise like the SolarWinds attack, in which malicious code was inserted into the vendor's own build: the resulting software contained no known-vulnerable third-party component for an SBOM match to flag. Nor does an SBOM surface zero-day vulnerabilities or threats such as:

  • Identity and access management issues: hardcoded credentials, for example, can give an attacker unauthorized remote access. An SBOM lists the component that contains them but says nothing about the secrets embedded in it.
  • Cryptographic issues: a correctly versioned cryptographic library can still be misused, for instance with certificate validation disabled or a weak mode selected, and an SBOM cannot distinguish a safe call from an unsafe one.
  • Data leakage: unauthorized transmission of data from a device or its software.
  • Zero-day vulnerabilities: memory corruption bugs in first-party software have no entry in any vulnerability database, so no SBOM match will find them.
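The matching and VEX filtering described above, and the gap the list illustrates, as an added example in Python (this is not code from the original post or from Finite State's platform). The SBOM, the advisory feed with placeholder IDs, the VEX document, and the binary strings are all constructed for the example, and the version ordering is a simplified comparison rather than a full package-ecosystem scheme.

```python
"""Added example (not Finite State's platform code): match a CycloneDX-style
SBOM against a vulnerability feed, apply VEX statements, then show what a
component-level match cannot see in first-party code.
Every input below is constructed for the example."""
import json
import re

# Constructed CycloneDX-shaped SBOM for a fictional telematics control unit.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "tcu-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "application", "name": "tcu-diag-daemon", "version": "3.2.0",
     "purl": "pkg:generic/tcu-diag-daemon@3.2.0"}
  ]
}'''

# Constructed advisory feed with placeholder IDs (not real CVEs):
# a component is affected if introduced <= version < fixed.
FEED = [
    {"id": "ADV-0001", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1n"},
    {"id": "ADV-0002", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-0003", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.2"},
]

# Constructed CycloneDX VEX document: the product team has analysed ADV-0002.
VEX_JSON = r'''{
  "vulnerabilities": [
    {"id": "ADV-0002",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/zlib@1.2.11"}]}
  ]
}'''
# CycloneDX analysis states under which a finding is no longer actionable.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def version_key(v):
    """Order versions like 1.1.1k < 1.1.1n < 1.2.0 by splitting numerics and letters."""
    parts = re.findall(r"\d+|[a-zA-Z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def match_sbom(sbom_json, feed):
    """Return {advisory id: purl} for every component whose version is in an affected range."""
    sbom = json.loads(sbom_json)
    findings = {}
    for comp in sbom["components"]:
        v = version_key(comp["version"])
        for adv in feed:
            if adv["name"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings[adv["id"]] = comp["purl"]
    return findings


def apply_vex(findings, vex_json):
    """Drop findings that a VEX statement marks as not affecting this product."""
    vex = json.loads(vex_json)
    suppressed = set()
    for vuln in vex["vulnerabilities"]:
        if vuln["analysis"]["state"] not in SUPPRESSING_STATES:
            continue
        for aff in vuln["affects"]:
            suppressed.add((vuln["id"], aff["ref"]))
    return {vid: purl for vid, purl in findings.items() if (vid, purl) not in suppressed}


# Constructed strings from the first-party daemon binary. The SBOM lists the
# daemon, but no feed entry exists for it, so match_sbom() says nothing about it.
FIRST_PARTY_BLOB = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
                    + b"diag_user=svc\x00diag_password=Telematics2019!\x00"
                    + b"mqtt_token=eyJhbGciOi\x00help text\x00")
CRED_RE = re.compile(rb"(?i)(?:password|passwd|secret|token)=([^\x00\s]{4,})")


def find_hardcoded_credentials(blob):
    """Content-level check that no SBOM replaces: key=value pairs that look like secrets."""
    return [m.group(0).decode("ascii", "replace") for m in CRED_RE.finditer(blob)]


if __name__ == "__main__":
    raw = match_sbom(SBOM_JSON, FEED)
    print("known-vulnerable components:", raw)
    print("actionable after VEX:", apply_vex(raw, VEX_JSON))
    print("first-party secrets the SBOM is silent on:",
          find_hardcoded_credentials(FIRST_PARTY_BLOB))
```

The SBOM match correctly flags the two library versions, VEX removes the one the team has shown to be unreachable, and the hardcoded diagnostic password and token in the first-party daemon appear only when the shipped bytes themselves are examined.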

Beyond SBOMs: Finite State's Next Gen Platform

Finite State's Next Generation Platform offers a comprehensive solution that goes beyond SBOMs, providing:

  • Extended SBOM Management: Aggregates data from over 120 external sources for a unified and prioritized risk view.
  • Robust Security Testing: Ensures comprehensive vulnerability coverage through advanced security testing throughout the development lifecycle.
  • Laser-Focused Risk Assessment: Decomposes products and assets into components for precise risk evaluations using world-class binary SCA and enhanced SBOM capabilities.

Why Prioritize Robust Security Testing?

SBOMs play a crucial role in connected auto software security, but they can't cover every kind of vulnerability. To bridge their gaps and create a well-rounded security posture, we should prioritize robust security testing at every step of the automotive software development lifecycle.

Identifying a Wider Range of Vulnerabilities

By implementing comprehensive security testing, such as static and binary analysis, fuzzing, and penetration testing, organizations can identify vulnerabilities that SBOMs do not address: hardcoded credentials, improper implementation of cryptographic protocols, unauthorized data transmission, and zero-day vulnerabilities in first-party code. Detecting these threats early can prevent breaches and protect sensitive data.

Enhancing Software Quality and Security

Robust security testing not only helps identify vulnerabilities, but it also contributes to the overall quality and security of the software going into connected autos. It ensures that developers adhere to best practices and coding standards, resulting in more reliable and secure software products. In addition, thorough testing can uncover performance bottlenecks, usability issues, and other areas for improvement.

Compliance with Regulatory Requirements

Many industries, including the automotive sector, are subject to strict regulatory requirements for software security. Implementing robust security testing throughout the development process helps organizations meet these requirements and avoid costly penalties. Regular testing also demonstrates an organization's commitment to security, building trust with customers and partners.

In the automotive industry, recent regulations, such as UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems, which makes a certified Cyber Security Management System (CSMS) a condition of vehicle type approval, have intensified discussions on vehicle security. This momentum is likely to grow as vehicles become increasingly connected and autonomous, in line with CASE trends.

Reducing the Cost of Remediation

Addressing security vulnerabilities early in the development process is more cost-effective than fixing issues after a product has been deployed. By prioritizing security testing, organizations can identify and remediate vulnerabilities before they become critical problems, reducing the overall cost and impact on the business.

Adapting to Evolving Threats

The cybersecurity landscape in general, and in automotive in particular, is constantly changing, with new threats and vulnerabilities emerging regularly. A comprehensive approach to security testing allows organizations to stay ahead of these evolving risks and keep their software secure and up to date.

How can SBOMs Help Address CASE Cyber Threats?

As the automotive industry increasingly moves toward connected, autonomous, shared, and electric (CASE) vehicles, two major categories of cybersecurity concern will emerge:

  • the evolution of security compliance frameworks to cover CASE usage scenarios, and
  • day-to-day operational threats from actors ranging from opportunistic hackers to nation states targeting transportation infrastructure

Regarding compliance, CASE vehicles will be subject to specialized frameworks, like ISO/SAE 21434 (road vehicle cybersecurity engineering) and UNECE WP.29 R155, as well as general frameworks, such as the NIST Cybersecurity Framework (CSF).

Both specialized and general frameworks will likely require compositional analysis and software provenance, that is, evidence of which components a product contains and where they came from, which is where SBOMs come into play.
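One concrete provenance check an auditor will ask for is that the components the SBOM describes are the bytes actually shipped. The following is an added Python example (not code from the original post or from Finite State) that compares the per-component SHA-256 hashes a CycloneDX SBOM records against a shipped firmware image; the image contents and the SBOM are constructed for the example.

```python
"""Added example (not the page's or Finite State's code): check that the
components an SBOM describes are the bytes actually shipped, using the
per-component hashes CycloneDX records. All inputs are constructed."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed contents of the shipped firmware image, keyed by component name.
# The zlib bytes differ from the build the SBOM was generated from.
SHIPPED = {
    "openssl": b"openssl 1.1.1k build contents",
    "zlib": b"zlib 1.2.11 build contents (modified after SBOM generation)",
    "tcu-diag-daemon": b"first-party daemon build contents",
}

# Constructed CycloneDX-shaped SBOM: hashes were recorded at build time, the
# first-party daemon was listed without one, and busybox never shipped at all.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "1.1.1k",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(SHIPPED["openssl"])}]},
        {"name": "zlib", "version": "1.2.11",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"zlib 1.2.11 build contents")}]},
        {"name": "tcu-diag-daemon", "version": "3.2.0"},
        {"name": "busybox", "version": "1.36.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
    ],
}


def verify_sbom_hashes(sbom, shipped):
    """Map each SBOM component to ok / mismatch / unhashed / missing.

    Only SHA-256 entries are checked here; an SBOM may carry several
    algorithms per component, and any one of them failing is a mismatch.
    """
    report = {}
    for comp in sbom["components"]:
        name = comp["name"]
        data = shipped.get(name)
        if data is None:
            report[name] = "missing"
            continue
        expected = [h["content"].lower() for h in comp.get("hashes", [])
                    if h["alg"] == "SHA-256"]
        if not expected:
            report[name] = "unhashed"
        elif all(e == sha256_hex(data) for e in expected):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report


def unverifiable(report):
    """Names an auditor would ask about: anything not proven to match its SBOM entry."""
    return sorted(n for n, status in report.items() if status != "ok")


if __name__ == "__main__":
    result = verify_sbom_hashes(SBOM, SHIPPED)
    for name, status in result.items():
        print(f"{name:18} {status}")
    print("needs follow-up:", unverifiable(result))
```

A hash match proves only that the shipped bytes are the ones the SBOM describes, which catches tampering after the SBOM was generated. It does not prove the build itself was clean: a compromised build of the kind discussed earlier would pass this check, because the SBOM would faithfully record the hash of the trojanized artifact.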

In the context of day-to-day cyber threats, CASE vehicles may face attacks targeting moving vehicles, support infrastructure, and the vehicle supply chain. SBOMs are most useful against the last of these, because they make the supply-chain composition of a product visible enough to act on.

Conclusion

While SBOMs have gained significant attention in software security and supply chain security, it's important to remember their limitations too.

By recognizing the various classes of vulnerabilities and implementing the holistic approach to security offered by Finite State's Next Generation Platform, we can strive to achieve more robust, secure software systems in the rapidly evolving landscape of CASE vehicles.

Ready to learn more? Watch for our new guide on the role of SBOMs in CASE vehicle cybersecurity and what a comprehensive approach to software security looks like!

Coming soon!
