As the automotive industry shifts gears toward connected, autonomous, shared, and electric (CASE) vehicles, robust cybersecurity programs are becoming essential navigators on this transformative journey.
The software bill of materials (SBOM) has emerged as a critical component of this emerging landscape. SBOMs deliver continuous visibility into the composition of the software that powers connected devices in today's automobiles.
With SBOMs, product security teams can more easily identify vulnerabilities, manage updates, and ensure compliance with licensing.
Though critical to any connected device security program, SBOMs represent just one aspect of software security. So what are the limitations of SBOMs, and how can they be overcome?
SBOMs, along with surrounding ecosystem tools such as the Vulnerability Exploitability eXchange (VEX), which lets a supplier state whether a vulnerability in a listed component actually affects the product, help manufacturers identify vulnerabilities in the third-party components included in the products they make or buy when building today's connected autos.
SBOMs play a vital role in managing vulnerabilities that stem from auto industry software supply chains, particularly those originating from open-source components.
Even with everything that SBOMs do and enable, they have limitations. An SBOM is an inventory of what a product contains; matching that inventory against vulnerability databases surfaces only vulnerabilities that have already been disclosed, and only for components the SBOM lists accurately. On its own, an SBOM cannot prevent or detect an attack like SolarWinds, where malicious code was inserted into a legitimately built and signed component. SBOMs also don't provide information about zero-day vulnerabilities and other threats such as:
Finite State's Next Generation Platform offers a comprehensive solution that goes beyond SBOMs, providing:
SBOMs play a crucial role in connected auto software security, but they can't cover every kind of vulnerability. To bridge their gaps and create a well-rounded security posture, we should prioritize robust security testing at every step of the automotive software development lifecycle.
Identifying a Wider Range of Vulnerabilities
By implementing comprehensive security testing, organizations can identify vulnerabilities that SBOMs do not address. This includes issues like hardcoded credentials, incorrectly implemented cryptographic protocols, unauthorized data transmission, and zero-day vulnerabilities. Because these issues live in the product's own code, configuration, and binaries rather than in a listed third-party component, no lookup of an SBOM against a vulnerability database will surface them; they have to be found by testing the artifact itself. Detecting these threats early on can prevent potential breaches and protect sensitive data.
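To make the distinction concrete, the following is an added example written for this page, not Finite State's code and not a description of its platform. It first matches a constructed CycloneDX-style SBOM against a constructed vulnerability feed and applies a constructed VEX statement (the SBOM-side workflow described earlier), then runs a separate content scan over a constructed firmware fragment for the classes of issue listed above. Every component name, advisory identifier, and byte string is made up for the example, and the regular-expression rules are deliberately simple illustrations, not a production scanner.

```python
"""Added example (not Finite State's code): SBOM matching finds only known
vulnerabilities in listed components; a separate scan of the built artifact
is needed for hardcoded secrets, weak crypto settings, and similar issues.

All data below is constructed for the example. Component names, advisory
identifiers, the VEX statement and the firmware bytes are not real products
or advisories.
"""
import json
import re

# Constructed CycloneDX-style SBOM (a minimal subset of the real schema).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.2.3"},
        {"type": "library", "name": "example-json", "version": "0.9.0"},
    ],
})

# Constructed vulnerability feed: advisory id -> affected component and the
# first fixed version. Identifiers are placeholders, not real CVEs.
VULN_FEED = {
    "EXAMPLE-2023-0001": {"name": "example-tls", "fixed_in": "1.2.4"},
    "EXAMPLE-2023-0002": {"name": "example-json", "fixed_in": "0.9.0"},
}

# Constructed VEX statement from the supplier: the TLS advisory is present in
# the component but the vulnerable code path is never executed in this product.
VEX = {
    "EXAMPLE-2023-0001": {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    },
}

# Constructed firmware fragment: first-party code and configuration that the
# SBOM does not describe at all.
FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"ota_password=Winter2023!\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n(key material)\n-----END RSA PRIVATE KEY-----\x00"
    + b"cipher=DES-CBC\x00verify_peer=0\x00"
    + b"example-tls/1.2.3\x00"
)

# Illustrative content rules for the artifact scan (simplified on purpose).
ARTIFACT_RULES = {
    "hardcoded-credential": re.compile(rb"(?i)(password|passwd|api_key)\s*[=:]\s*[^\s\x00]{4,}"),
    "embedded-private-key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "weak-crypto-config": re.compile(rb"(?i)\b(md5|sha1|des-cbc|rc4)\b"),
    "tls-verification-disabled": re.compile(rb"(?i)verify_peer\s*=\s*0"),
}


def _ver(v):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


def sbom_findings(sbom_json, feed, vex=None):
    """Match SBOM components against the feed.

    Returns a list of (advisory_id, "name@version", status). A component is
    matched when its version is below the advisory's first fixed version; the
    status is 'affected' unless a VEX statement overrides it.
    """
    sbom = json.loads(sbom_json)
    out = []
    for comp in sbom["components"]:
        for adv_id, adv in feed.items():
            if adv["name"] == comp["name"] and _ver(comp["version"]) < _ver(adv["fixed_in"]):
                status = (vex or {}).get(adv_id, {}).get("status", "affected")
                out.append((adv_id, f'{comp["name"]}@{comp["version"]}', status))
    return out


def artifact_findings(blob, rules=ARTIFACT_RULES):
    """Scan raw artifact bytes with the content rules.

    Returns a list of (rule_name, byte_offset). None of these findings can be
    produced from an SBOM because they are not tied to a listed component.
    """
    return [(name, m.start()) for name, pat in rules.items() for m in pat.finditer(blob)]


if __name__ == "__main__":
    print("SBOM-side findings:", sbom_findings(SBOM_JSON, VULN_FEED, VEX))
    print("Artifact-side findings:", artifact_findings(FIRMWARE))
```

Run as a script, the SBOM pass reports the single known advisory against example-tls 1.2.3, already marked not_affected by the VEX, and nothing else; the artifact pass reports four issues (a hardcoded password, an embedded private key, a DES-CBC cipher setting, and disabled TLS peer verification) that no SBOM lookup could have produced. In practice the artifact scan would be a binary analysis or security testing tool rather than four regular expressions, but the division of labour is the same.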
Enhancing Software Quality and Security
Robust security testing not only helps identify vulnerabilities, but it also contributes to the overall quality and security of the software going into connected autos. It ensures that developers adhere to best practices and coding standards, resulting in more reliable and secure software products. In addition, thorough testing can uncover performance bottlenecks, usability issues, and other areas for improvement.
Compliance with Regulatory Requirements
Many industries, including the automotive industry, are subject to strict regulatory requirements when it comes to software security. Implementing robust security testing throughout the development process can help organizations meet these requirements and avoid costly penalties. Regular testing can also demonstrate an organization's commitment to security, building trust with customers and partners.
In the automotive industry, recent regulations, such as UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems, have intensified discussions on vehicle security. This momentum is likely to grow as vehicles become increasingly connected and autonomous, in line with CASE trends.
Reducing the Cost of Remediation
Addressing security vulnerabilities early in the development process is more cost-effective than fixing issues after a product has been deployed. By prioritizing security testing, organizations can identify and remediate vulnerabilities before they become critical problems, reducing the overall cost and impact on the business.
Adapting to Evolving Threats
The cybersecurity landscape in general, and in automotive in particular, is constantly changing, with new threats and vulnerabilities emerging regularly. A comprehensive approach to security testing allows organizations to stay ahead of these evolving risks, ensuring that their software remains secure and up-to-date.
As the automotive industry increasingly moves toward connected, autonomous, shared, and electric (CASE) vehicles, two major categories of cybersecurity issues will emerge: compliance obligations and day-to-day cyber threats.
Regarding compliance, CASE vehicles will be subject to specialized frameworks, like ISO/SAE 21434 and UNECE WP.29 R155, as well as general frameworks, such as the NIST Cybersecurity Framework (CSF).
Both specialized and general frameworks will likely require software composition analysis and software provenance, which is where SBOMs will come into play.
In the context of day-to-day cyber threats, CASE vehicles may face attacks targeting moving vehicles, support infrastructure, and the vehicle supply chain. SBOMs can be useful in addressing these threats, especially regarding supply chain requirements.
While SBOMs have gained significant attention in the realm of software security and supply chain security, it's important to remember their limitations too.
By recognizing the various classes of vulnerabilities and implementing the holistic approach to security offered by Finite State's Next Generation Platform, we can strive to achieve more robust, secure software systems in the rapidly evolving landscape of CASE vehicles.
Ready to learn more? Watch for our new guide on the role of SBOMs in CASE vehicle cybersecurity and what a comprehensive approach to software security looks like!
Coming soon!