DevSecOps for Automotive: Accelerating Development and Bolstering Cyber Security of Software-Defined Vehicles

The automotive industry is in the midst of a major transformation – and this shift is being powered by software. With ten times more lines of code than a fighter jet, today’s software-defined vehicles (SDVs) are aptly referred to as “code on wheels.” 

While revolutionizing the way OEMs build cars, this software-powered shift has also introduced new risks and challenges. As cars become more technology-centric, they are increasingly exposed to software vulnerabilities and cyber security threats. In terms of functionality, OEMs need to integrate components from multiple software vendors, ensure development of secure high-quality code, and support ongoing over-the-air (OTA) software updates. At the same time, OEMs must make sure their vehicles comply with complex and stringent standards and regulations (e.g., UNR 155/156, ISO 21434, ASPICE).

To overcome these challenges, OEMs are seeking tools that will allow them to rapidly develop vehicle software, integrate cyber security within the development cycle, and shorten time-to-market.

Implementing Security By Design with DevSecOps for Automotive

In a world where cyber security is essential for vehicle functionality and safety, it’s imperative to integrate security measures early in the development process. An issue or vulnerability detected during development is much easier to fix than one detected after the car has been rolled out – not to mention the cost and reputation damage of a recall.

DevSecOps extends the principles of DevOps to incorporate cyber security seamlessly throughout the software development lifecycle. It automates the integration of cyber security practices at every phase of the software development lifecycle – from initial design through integration, testing, delivery and deployment. This proactive approach ensures that cyber security is an integral part of product design, rather than an afterthought. 

Introducing the Argus DevSecOps Platform

Using state-of-the-art tools and methods designed specifically for the automotive sector, Argus has built a comprehensive DevSecOps platform, aimed at helping automakers leapfrog into the new software-defined world. Leveraging our proven cyber security and testing capabilities, this first-of-its-kind platform automates the entire DevSecOps process – from design to operations.

It helps accelerate development and testing by embracing shift-left and security-by-design concepts. This allows development teams to shorten time between updates, reduce costs and better meet market demand for functional flexibility.

The Argus DevSecOps Platform comprises the following modules:

  • Security AutoDesigner: Performs automated Threat Analysis and Risk Assessment (TARA) and proactively identifies potential threats and vulnerabilities during the architecture design stage (prior to actual development).
  • Security AutoTester: Brings automotive software developers enterprise-grade automatic security testing such as fuzz and penetration testing, including ~200 packaged test cases for comprehensive coverage. Automation accelerates time-to-value, enabling quick fixes and testing reruns for detected vulnerabilities.
  • Code Security Manager: Provides an advanced set of static (whitebox) and dynamic testing capabilities to identify vulnerabilities. The Advanced Software Composition Analysis (SCA) module extracts the software bill of materials (SBOM) and examines code for vulnerabilities using security and application intelligence. Automated compliance verification enables OEMs to extend existing CI/CD pipelines to include continuous compliance (CC) and create the foundation for a secure software development lifecycle (SSDLC).
  • SW Supply Chain Security: Automatically extracts the SBOM from binaries including AUTOSAR, Linux and Android and manages ECUs, hardware components, and software library assets per project or vehicle model.


One Coherent Platform Leveraging Automotive Cyber Security Expertise

The DevSecOps platform leverages Argus’s deep understanding of vehicle architectures, protocols and networks, as well as our vast experience in cyber technologies and research.

For over a decade, Argus has been providing OEMs and Tier 1s with a full range of cyber security compliance, engineering, testing and operations services for all stages of the product life cycle. These services, such as code review, penetration testing and TARA, ensure vehicles are secured-by-design in accordance with industry standards and regulations to strengthen manufacturers’ cyber security posture and facilitate compliance.

Over the past few months, Argus has productized these lifecycle cyber security capabilities and tools into one coherent and consistent platform that automates the entire DevSecOps process – from design and build to testing and operations. Until now, point solutions have been available from different vendors – but integrating them into a single automated process is a huge undertaking for most OEMs. The Argus platform does that for you. 

Bottom Line: Rapid Development, Secure Code, Faster Time-to-Market

The safety and security of tomorrow’s software-defined and autonomous vehicles hinge on the ability of OEMs and their suppliers to secure software development processes. By adopting a cyber security-by-design approach for SDV development, OEMs can accelerate production timelines, enhance business agility, and gain a competitive edge going forward. 

The Argus DevSecOps Platform helps OEMs and their suppliers modernize their toolchain using a comprehensive set of the most advanced capabilities available today. Based on a shift-left, proactive approach, this breakthrough platform streamlines SDV development and improves product quality in terms of cyber security, code quality and compliance. 
