Integrity strategy expanded to make automotive software safer and more secure

With more than 100 million lines of code in modern cars - increasing connectivity and the imminence of autonomous driving - secure software development practices, vetted testing tools and standards compliance are essential for automotive manufacturers and their suppliers. To address these critical needs, Synopsys is enhancing its Software Integrity Platform to support existing functional safety standards and is collaborating with automotive industry stakeholders to establish new standards that focus on cyber security.

ISO 26262 is an international standard, based on the more generic IEC 61508 safety standard, which specifically addresses possible hazards caused by malfunctioning electronic and electrical systems in road vehicles. The standard requires essential tools used in the development of safety critical systems to be independently certified.

Independent certification body TÜV SÜD Product Service, has certified that Coverity and Test Advisor - two of the applicable tools in Synopsys’ Software Integrity Platform used for static analysis and test optimisation respectively, are compliant with the ISO 26262 and IEC 61508 standards.

To learn more about how Coverity and Test Advisor can streamline the development of ISO 26262 compliant software, a whitepaper ‘Meeting ISO 26262 Guidelines with the Synopsys Software Integrity Platform’ can be downloaded below.

Going beyond current standards

In addition to providing solutions that support existing industry standards such as ISO 26262 and MISRA (The Motor Industry Software Reliability Association), Synopsys is collaborating with vehicle manufacturers, their suppliers and other industry stakeholders to establish new standards that go beyond functional safety and coding guidelines to specifically address cyber security risk throughout the software development lifecycle and software supply chain.

Catalysed by the widely publicised remote vehicle hack demonstrated by Charlie Miller and Chris Valasek and the subsequent recall of nearly 1.4 million vehicles, Synopsys has produced and is freely distributing a sample procurement document for establishing basic software security testing requirements across the automotive supply chain.

Shortly after the vehicle hack, Mike Ahmadi, Synopsys’ Global Director of Critical Systems Security convened with several representatives from automotive manufacturers and suppliers to form a grassroots working group that was recently formalised as the Cybersecurity Assurance Testing Task Force under SAE (TEVEES18A1). The task force’s charter is to create a consistent framework whereby all systems and components throughout the extended automotive supply chain can be evaluated against a common set of criteria. Ahmadi, who has extensive experience working with standards bodies, actively contributes to the task force’s community driven efforts to develop new cyber security standards for the automotive industry.

Evolving automotive software challenges

In its ‘Connected Car Driving Change in the Defect Detection’ whitepaper, VDC Research reported that some modern vehicles contain over 100 electronic control units (ECU) and greater than 100 million lines of code, and the automotive industry as a whole lacks the cognisance, resources and institutionalised best practices necessary to test and secure systems at the pace in which they're being introduced.

“The automotive industry, which has by and large revolutionised modern quality assurance and supply chain management practices on the hardware front, needs to evolve to address the challenges of developing and testing secure software,” said Chris Rommel, Executive Vice President of IoT and Embedded Technology at VDC Research.

“As the automotive industry turns to connectivity and increasingly complex, interconnected software systems to drive innovation, the risks of insecure software development practices and poor software supply chain management are now a board level concern,” said Andreas Kuehlmann, Senior Vice President and General Manager of Synopsys’ Software Integrity Group. “Mitigating these risks will require close industry collaboration, as well as advanced testing methodologies and comprehensive tool suites.”

Software Integrity Platform

Synopsys’ Software Integrity Platform is based on an integrated development and testing methodology pioneered by Synopsys called ‘software sign-off’. Software sign-off implements a series of automated testing processes at critical progression points throughout the software development lifecycle and software supply chain to elevate confidence in the quality and security of software.

• Coverity solution: Synopsys’ ISO 26262 certified static code analysis tool automatically identifies critical quality defects and security vulnerabilities in source code.
• Test Advisor solution: Synopsys’ ISO 26262 certified test optimisation tool improves the efficiency of automated software testing by analysing and prioritising code change impact.
• Protecode solution: Synopsys’ software composition analysis tool identifies known vulnerabilities and license risks in third party software.
• Defensics solution: Synopsys’ intelligent fuzz testing tool discovers unknown vulnerabilities in a software systems’ communication protocols such as CAN BUS, Bluetooth and WiFi.