Editor’s Note: You can view the rest of my conversation about application and supply chain security, featuring Joshua Corman of Akamai and Chris Wysopal of Veracode by visiting Veracode’s web site. – PFR
You’re in the market for a new car, and you’ve made a list of the features you want: a cool, tablet style interface for the audio and navigation system, side impact airbags for the front and rear compartment, a pop-up third row of seating. Heck, maybe you even want to hold out for the automatic seat temperature control that some Lexus cars now come with. While you’re at it, how about some secure software, too?
That last item probably isn’t on most buyers’ check list today, but it may be soon, according to two, prominent security experts: Chris Wysopal, of Veracode, and Joshua Corman of Akamai. Speaking on Talking Code, an exclusive video hosted by The Security Ledger and sponsored by Veracode, the two warn that manufacturers of everything from cars to medical devices are doing a poor job balancing functionality with security, even as they trumpet the safety features of their products.
“The difference between safety and security is that, with security, there’s an adversary,” said Wysopal. “That’s very hard for these engineers to understand. They don’t understand that there are people out there who want to do bad things to their system, and they don’t understand how they can do those bad things.”
“They’re thinking ‘is there a password to access the system? Is there authorization so one person can’t access another’s account?”‘ Wysopal told The Security Ledger. But true application security is a much broader problem that takes into account the “failure modes” of the software and how they could be exploited to gain control over the operation of a system, he said.
Joshua Corman, the Director of Security Intelligence at Akamai Technologies, said that the advent of security as an issue for products like automobiles is akin to the safety revolution in the 1960s, 70s and 80s, as regulators mandated features like seat belts in cars, often over the objections of car makers.
“The auto industry thought safety would destroy innovation and cost too much and buyers would hate it,” Corman said. “Today you have the five star crash rating system and if you want a really safe car for your kid, you have signals to help you steer that and price it. I can’t tell you the difference between a two star and a three star rating, but I can tell you I probably want a three.”
Alas, security complex software applications is harder than installing a seat belt in a car, and Corman says that there’s currently little incentive for software makers to “take security seriously.”
The security of the software that runs automobiles is getting increased attention today – both in the media and in the community of security researchers. Just last month, the security researchers Charlie Miller and Chris Valasek showed how they could manipulate a hybrid car using software based hacks of the electronic control units (ECUs) in a Toyota Prius– disabling the brakes and manipulating the steering wheel and dashboard. And, in May, the National Traffic Safety Administration told Congress that more research is needed into “vehicle cyber security” to address the threats to a coming generation of networked automobiles that connect to the public Internet and to each other.
What’s to be done? Check out our discussion of smart automobiles and security above. Then head over to Veracode and register to see the full video, which includes a great discussion of software supply chain security and the security implications of using packaged code.