SAST and SCA Solutions Essential to Meeting UN Regulation No. 155 for Vehicle Cybersecurity – Security Boulevard

The World Forum for Harmonization of Vehicle Regulations (WP.29) of the United Nations Economic Commission for Europe (UNECE) is a global regulatory forum within the UNECE Inland Transportation Committee. WP.29 drafted a regulation, No. 155, addressing vehicle cybersecurity and cybersecurity management systems (CSMS).
UN R155 requires that automobile manufacturers take cybersecurity seriously and demonstrate security best practices. While the regulation is directed at manufacturers, it has ramifications throughout the automotive supply chain and affects all vehicle OEMs, suppliers and contractors. Manufacturers apply for approval for conformance to the regulation with complete documentation on the cybersecurity measures in place during design, development and production. The regulation's main goals include:
UN R155 is required for automobile sales in 54 member countries. Although the United States and China, for example, are not members of the UNECE, the prediction is that the regulation will become a de facto worldwide standard.
The implementation of a certified Cybersecurity Management System (CSMS) is a fundamental aspect of UN Regulation No. 155 and defined as follows:
‘”Cybersecurity Management System (CSMS)” means a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.’
The establishment of the CSMS includes comprehensive cybersecurity management of the entire vehicle lifecycle:
ISO/SAE 21434 shares the same aims as UN R155. In fact, the Proposal for Interpretation Document (WP.29-182.05) clarifies the requirements of UN R155 and provides guidance on what can be used as evidence to prove conformance to the standard. This document includes a link between ISO/SAE 21434 and UN R155 (see Section 6 of WP.29-182.05). Although ISO/SAE 21434 is not the only way to satisfy the requirements, it is probably a good choice:
“The standards referenced are intended as examples, not mandatory. Nevertheless, a coherence-check (see section 6 “Link with ISO/SAE DIS 21434 (E)”) has shown that especially the ISO/SAE DIS 21434 can be very supportive in implementing the requirements on the CSMS to the organizations along the supply chain” – WP.29-182.05
UN R155 states in paragraph, that “The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5.” Annex 5 contains seven high-level and 30 sub-level descriptions of vulnerabilities and threats, including 69 attack vectors that directly affect vehicle cybersecurity.
Annex 5 serves as a guide for developers to better understand and mitigate these attack vectors. Although not a comprehensive checklist, Annex 5 is a useful resource for manufacturers. Static Application Security Testing (SAST) tools play an important role in detecting and preventing many of the root causes of these vulnerabilities.
UN R155 continues in part e, of paragraph, that “The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5. This shall include: e) The processes used for testing the cybersecurity of a vehicle type;” WP.29-182.05 recommends that this include the processes for handling vulnerabilities identified during testing, and a justification for the cybersecurity tests, which include “vulnerability scanning.” SAST fits these guidelines well.
SAST tools are useful in augmenting existing implementation and testing practices and are meant to provide discovery and mitigation of several classes of vulnerabilities. Consider the following strengths of SAST tools which apply for both secure and safety critical development.
In addition, SAST tools help with vulnerability detection and discovery ensuring no unreasonable risk remains in the product. For example, SAST tools provide the following capabilities:
A key aspect of implementing a CSMS is extending security risk management to suppliers. Automobiles are made from thousands of parts and software from hundreds of suppliers, and any component can potentially pose a security threat. Section of UN R155 says:
“The vehicle manufacturer shall be required to demonstrate how their Cybersecurity Management System will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s sub-organizations.”
To fulfill this, WP.29-182.05 indicates that the inherited risk of the supply chain must be understood:
The requirement may be considered fulfilled if all the following statements are true
Adopting software supply chain risk management and using software bills of materials (SBOMs) to facilitate this goes a long way to improving security posture.
As with physical BOMs which are used to manage the parts supply chain, SBOMs help monitor and manage software components for security vulnerabilities and licensing issues. This also means better supplier decisions based upon actionable information in SBOMs.
Integrating software composition analysis (SCA) in this manner, and using SBOMs as a critical development artifact on a regular basis, has many benefits, including:
SCA tools such as GrammaTech CodeSentry can analyze open source, third-party and commercial off-the-shelf (COTS) software and determine the constituent components even when the only available media are binary files. In doing so, it generates an SBOM and a vulnerability report that determines the risk of the identified open source components. SBOMs also provide:
SBOMs are an important artifact in the software supply chain and will become the common way to assure the provenance and security requirements of software acquired in the automotive software supply chain.
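The supply-chain check described above, as an added example that is not part of the original post or of any GrammaTech product: a constructed CycloneDX-style SBOM fragment is cross-referenced with a constructed vulnerability feed and a hypothetical OEM license policy to produce a per-component risk report. All component names, versions and CVE ids are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "tls-lib", "version": "1.2.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "can-parser", "version": "0.9.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "json-util", "version": "2.4.3",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed vulnerability feed keyed by (name, version); the CVE ids are placeholders.
VULN_FEED = {
    ("tls-lib", "1.2.0"): {"id": "CVE-XXXX-0001 (placeholder)", "cvss": 9.8},
    ("json-util", "2.4.3"): {"id": "CVE-XXXX-0002 (placeholder)", "cvss": 4.3},
}

# Hypothetical OEM license policy: SPDX ids accepted in firmware without legal review.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

def component_licenses(comp):
    """Flatten a CycloneDX component's license entries into a set of SPDX ids."""
    return {lic["license"]["id"] for lic in comp.get("licenses", [])
            if "id" in lic.get("license", {})}

def assess_sbom(sbom_json, feed=VULN_FEED, allowed=ALLOWED_LICENSES):
    """Cross-reference each SBOM component with the feed and the license policy."""
    report = []
    for comp in json.loads(sbom_json)["components"]:
        vuln = feed.get((comp["name"], comp["version"]))
        bad_licenses = component_licenses(comp) - allowed
        report.append({
            "component": f"{comp['name']}@{comp['version']}",
            "vulnerabilities": [vuln["id"]] if vuln else [],
            "max_cvss": vuln["cvss"] if vuln else 0.0,
            "license_ok": not bad_licenses,
            # A critical CVSS score or an out-of-policy license blocks the release.
            "blocking": bool(vuln and vuln["cvss"] >= 9.0) or bool(bad_licenses),
        })
    return report

if __name__ == "__main__":
    for finding in assess_sbom(SBOM_JSON):
        print(finding)
```

In practice the feed would be refreshed from a vulnerability database on every build, so a component that was clean when shipped is re-flagged as soon as a new advisory matches its SBOM entry.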
SBOMs, SCA and SAST tools clearly play an important role in the development of safe and secure automotive software and in vehicle manufacturing. As part of the Cybersecurity Management System required by UN Regulation 155, these tools help ensure security during the development and testing of code used in automotive systems, and SCA tools in particular generate and verify SBOMs for open source and third-party software to ensure the security and integrity of the software supply chain.
Furthermore, SAST tools assist the software development team in adhering to the guidelines and standards for ensuring software quality, safety, and security. SAST tools, when used in conjunction with continuous integration and delivery pipelines, automate the detection and prevention of vulnerabilities before they enter the code repository.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: