
26 - 28 February 2019 // Nuremberg, Germany

Session 18 - Software Engineering IV - Software Quality II

X-Ray Your Software Supply Chain. Automate Your Security Gates (Language of talk: English)

As seen with the IoT-based MIRAI botnet, security vulnerabilities can have their root cause several layers down in the supply chain. This is particularly threatening for complex and deep supply chains such as those prevalent in domains like automotive and industrial control systems. In this talk, we present our results from security scanning over 120,000 embedded software packages across a wide range of application domains. We automatically decomposed each software package into its components and cross-matched each component with its known security vulnerabilities as recorded in the National Vulnerability Database (NVD). We explain the purpose of the NVD, how to use it and how to make sense of the recorded Common Vulnerability Exposure (CVE) entries. We detail our findings by listing the components that are most commonly used and those that most commonly have a vulnerability, as well as their age and the likelihood that patches already exist that would remedy the situation. Moreover, we give an overview of the most critical vulnerabilities and the prevalence of “celebrity” bugs still active in embedded software. To remedy the situation, we explain what an automated, trustworthy supply chain process could look like, built on scanning and security gates across embedded suppliers, integrators and vendors. In particular, we take into account that many embedded vendors are not security experts. We explain how modern development and automated analysis solutions and methods such as static analysis, fuzz testing and composition analysis can help market participants deliver safer and more secure products faster. Finally, we highlight the role regulators are starting to play and demonstrate this with current activities in the supply chain certification space. We round off the talk by presenting lessons learnt and immediate suggestions the audience can explore in their own supply chain and software development lifecycle.
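The cross-matching step the abstract describes, as an added illustration that is not the speakers' tooling: components produced by package decomposition are keyed by a CPE-like vendor/product pair and matched against NVD-style records whose affected versions are a half-open range, then each hit is annotated with its age and whether a fixed release is implied. All CVE ids, components, versions and dates below are constructed placeholders, and version strings are assumed to be purely numeric dotted tuples.

```python
# Added example, not the talk's own tooling: cross-match decomposed components
# against NVD-style CVE records (CPE-like vendor/product key + version range).
from datetime import date

def parse_version(v):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def in_range(version, start_incl, end_excl):
    """Half-open affected range as in NVD configurations; None = unbounded."""
    v = parse_version(version)
    if start_incl and v < parse_version(start_incl):
        return False
    return not (end_excl and v >= parse_version(end_excl))

# Constructed NVD-style entries with placeholder ids (not real CVEs).
NVD_SAMPLE = [
    {"id": "CVE-PLACEHOLDER-0001", "vendor": "examplelib", "product": "libparse",
     "start": None, "end": "1.3.0", "published": date(2016, 5, 1)},
    {"id": "CVE-PLACEHOLDER-0002", "vendor": "examplelib", "product": "libparse",
     "start": "1.3.0", "end": "1.4.2", "published": date(2018, 9, 1)},
    {"id": "CVE-PLACEHOLDER-0003", "vendor": "othervendor", "product": "netd",
     "start": None, "end": None, "published": date(2017, 1, 1)},
]

def scan(components, nvd=NVD_SAMPLE, today=date(2019, 2, 28)):
    """components: vendor/product/version dicts from package decomposition.
    Returns one finding per (component, matching CVE) pair."""
    findings = []
    for c in components:
        for rec in nvd:
            if (rec["vendor"], rec["product"]) != (c["vendor"], c["product"]):
                continue
            if not in_range(c["version"], rec["start"], rec["end"]):
                continue
            findings.append({
                "component": f'{c["product"]}-{c["version"]}',
                "cve": rec["id"],
                "age_days": (today - rec["published"]).days,
                # an upper bound on the affected range means a fixed release exists
                "patch_available": rec["end"] is not None,
            })
    return findings

# Constructed result of decomposing one firmware image into components.
COMPONENTS = [
    {"vendor": "examplelib", "product": "libparse", "version": "1.2.9"},
    {"vendor": "examplelib", "product": "libparse", "version": "1.4.2"},
    {"vendor": "othervendor", "product": "netd", "version": "0.9"},
]
```

Running `scan(COMPONENTS)` flags the old libparse build and the unbounded netd record, while libparse 1.4.2 falls outside both ranges; the age and patch fields are what a security gate would use to decide between blocking a build and raising a ticket.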

Date: 28.02.2018 Time: 4:30 PM - 5:00 PM Location: Conference Counter NCC Ost
