
Industry: Automotive

Department: Testing

Size: 4500 employees

Location: Wolfsburg, Germany

The Results

CARIAD Implemented New Testing Approaches to Improve Volkswagen's Software Security

 Automatic security tests with every merge request

 Reproducible and debuggable results without false positives

 Meaningful bug reports with code coverage

The Challenges

The Challenges of Testing Automotive Software

 Evolving Industry Standards 

New regulations require extended security tests and propose automated fuzz testing as a complementary approach to penetration testing (UNECE WP.29, ISO 21434).  

 False Positives 

Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are widely used in automotive software security. These methods automate the testing process to a degree, but they also produce many false positives, which consume a great deal of time.

 Growing Dependencies 

Automotive software systems tend to have many dependencies, which makes them particularly difficult to secure. Existing testing approaches, such as manual testing and static analysis, often do not provide sufficient security to cope with the complexity of these applications.

"Continuous fuzzing with sanitizers is a must-have, especially, but not only, when it comes to memory-unsafe languages such as C/C++."

Andreas Weichslgartner, Security Professional, CARIAD

The Success

Why Volkswagen Evaluated Automated Fuzzing Approaches

CARIAD, Volkswagen Group's new software house, was founded to create one unified software platform for all Volkswagen brands and to provide them with reliable software and digital best practices.

During the past months, developers at CARIAD were getting ready to run a campaign to improve the security and reliability of their code, including their operating system (VW.OS). For this purpose, they explored several fuzz testing methodologies, because fuzz testing proved to be particularly effective for detecting bugs in automotive software. Internally, CARIAD will even make fuzz testing mandatory for particularly critical projects, starting in 2022.

The project team was now specifically searching for a fuzzing solution that allowed them to automatically conduct continuous fuzz testing throughout their entire CI/CD.

 Redefining Automated Security Testing

By integrating continuous fuzz testing into their CI/CD, the project teams are now able to easily test and debug the code they receive from their suppliers.

 Effortless Debugging Without False Positives

In terms of bug findings and efficiency, fuzz tests enabled the developers to fix bugs early in the development process, without false positives. 

 Code Coverage Reporting

By implementing advanced fuzzing solutions, such as the CI Fuzz testing platform, CARIAD is now able to automate and improve its coverage reporting. This allows developers to draw further conclusions about their tests and helps them achieve reproducible testing results.

The Solution

Continuous Fuzzing with the CI Fuzz Testing Platform 

CARIAD implemented the CI Fuzz testing platform in its CI/CD to improve the security and quality testing of its software. Developers at CARIAD are now able to fix business-critical bugs fast and without false positives, which leaves them more time for other tasks.

The testing platform automates tedious manual tasks, such as maintaining test corpora. This greatly redefines CARIAD's development speed and enables their developers to apply advanced and usable security tests themselves.


Overall, this evaluation is a good example of CARIAD's developer-first approach and will be a blueprint for other Volkswagen ventures in the future. Continuous fuzz testing will bring CARIAD one step closer to its goal of fully automating and integrating Volkswagen's testing efforts by 2025.