Continental managed to test a large safety module with 18,000 lines of code (LoC) within only one week.
Industry
Automotive
Department
Development
Size
> 230 000 Employees
Location
Hannover, Germany
The Results
Developing Secure Infotainment Systems Faster
Increased Code Coverage
Continental automated their security testing and increased their code coverage (now above 95% in most modules).
Increased Development Speed
The smart bug detection and advanced debugging features of the CI Fuzz testing platform helped the development team to fix all business-critical bugs in the evaluation project within only one week.
ISO 21434/UNECE WP.29 Compliance
Feedback-based fuzzing enables Continental to comply with automotive software security standards such as UNECE WP.29 and ISO/SAE 21434.
Improved Bug Reporting
The CI Fuzz testing platform comes with a detailed bug reporting and insights for each finding. Project managers are now able to automatically report and prove which inputs lead to bugs and critical behavior and how much progress the business unit made since the last sprint.
"Only 1% of all the security tests done for the project where CI Fuzz was used were fuzz tests, but through them, we find about 57% of vulnerabilities.”
Victor Marginean
Global Head of Cybersecurity & Privacy Business Unit HMI // Continental
The First Challenge
Realizing Modern Security Tests In An Embedded Automotive Architecture
Continentals HMI business unit develops systems and solutions for the human machine interface of modern road vehicles. For example, display solutions, head-up displays and cockpit high performance computers. HMI makes processing and managing information simple, intuitive, and reliable.
Infotainment systems in modern vehicles usually communicate with a whole range of external embedded sensors. These dependencies add an additional layer of complexity for security testing, as they typically require plenty of manual effort.
Writing Test Harnessess
Although the Public API documentation is usually available, developers need to write plenty of test harnesses, which is incredibly time-consuming.
Hardware Dependencies
Developers have to secure the communication between the Hardware-Dependent-API and the hardware.
The Second Challenge
Complying With ISO 21434/UNECE WP.29
Due to the new ISO/SAE 21434 and UNECE WP.29, many car manufacturers (OEMs) are expanding their software testing activities. The standard contains regulations for software devices within vehicles, as well as their connectivity to external systems.
Implementing Fuzz Testing
The ISO 21434 and UNECE WP.29 recommend OEMs to integrate feedback-based fuzz testing into their DevOps processes and define new requirements for software security engineering.
How to Get the Developers on Board
Open-source fuzzing solutions are already very effective, but they still require manual tuning and follow-up work for developers. Continental was looking for a professional fuzzing solution they can easily apply in an automotive architecture.
The Solution
CI Fuzz Testing Platform
Continental implemented the CI Fuzz testing platform in their CI/CD to improve their code quality and development speed. CI Fuzz is a CI/CD-agnostic platform for automated security testing. The platform helps developers protect themselves against unexpected edge cases. It empowers them to fix bugs during development and to achieve reproducible testing results.
The Success
Fuzzing Embedded Systems With Dependencies
The CI fuzz testing platform makes it possible to apply modern fuzz testing approaches in an early stage of the software development process. This has automated and simplified the entire testing process because it enabled the developers to perform security tests on their own modules and to fix critical bugs right away.
The CI Fuzz testing platform also enabled the developers to mock their hardware with fuzz data. Continental story succeeded by applying feedback-based fuzzing to their software. They are now able to protect their software against edge cases and unexpected behaviors. For example, if a sensor should send unusual or erroneous inputs.
Get Started With CI Fuzz
Contact our developers to uncover how the CI Fuzz testing platform can help you provide secure and reliable software.
-1.png?width=400&height=251&name=Winter%20road-cuate%20(1)-1.png "Car illustrations by Storyset https://storyset.com/car")
.png?width=319&height=400&name=GDPR-amico%20(1).png "Data illustrations by Storyset https://storyset.com/illustration")
