Skip to content

How CARIAD Is Getting Ready for ISO 21434 and Improves Secure Software Development




5000 employees

Wolfsburg, Germany

The Results

CARIAD Implemented New Testing Approaches to Improve Volkswagen's Software Security

   Automatic security tests with every merge request
  Reproducible and debuggable results without false positives
  Meaningful bug reports with code coverage

The Challenges

The Challenges of Testing Automotive Software


Evolving Industry Standards

New regulations require extended security tests and propose automated fuzz testing as a complementary approach to penetration testing (UNECE WP.29, ISO 21434).  

False Positives

Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are widely used in automotive software security. These methods automate the testing processes to a degree, but they also put out many false positives, which are highly time-consuming

Growing Dependencies 

Automotive software systems tend to have many dependencies, which makes them particularly difficult to secure. Existing testing approaches, such as Manual Testing and Static Analysis, often do not provide sufficient security to cope with the complexity of these applications. 

"Continuous fuzzing with sanitizers is a must-have, especially, but not only, when it comes to memory-unsafe languages such as C/C++."

Andreas Weichslgartner
Security Professional, CARIAD


The Success

Why Volkswagen Evaluated Automated Fuzzing Approaches

CARIAD, Volkswagen Group’s new software house, is building one unified software platform for all Volkswagen brands to provide them with reliable software and digital best practice. Developers at CARIAD ran an extensive campaign to improve the security and reliability of their code, including their operating system (VW.OS). 

For this purpose, they explored several fuzz testing methodologies, because fuzz testing proved to be particularly effective for detecting bugs in automotive softwareInternally, CARIAD will even make fuzz testing mandatory for particularly critical projects, starting in 2022. The project team was now specifically searching for a fuzzing solution that allowed them to automatically conduct continuous fuzz testing throughout their entire CI/CD.

Redefining Automated Security Testing

By integrating continuous fuzz testing into their CI/CD, the project teams are now able to easily test and debug the code they receive from their suppliers.

Effortless Debugging Without False Positives

In terms of bug findings and efficiency, fuzz tests enabled the developers to fix bugs early in the development process, without false positives. 

Code Coverage Reporting

By implementing advanced fuzzing solutions,  such as the CI Fuzz testing platform, CARIAD is now able to automate and improve its coverage reporting. This allows developers to draw further conclusions about their tests and helps them to achieve reproducible testing results. 

The Solution

Continuous Fuzzing With the CI Fuzz Testing Platform

CARIAD implemented the CI Fuzz testing platform in their CI/CD to redefine the security and quality testing of their software.  Developers at CARIAD are now able to fix business-critical bugs fast and without false positives, which leaves them more time for other tasks. 

Watch the webinar recording to learn how CARIAD implemented Code Intelligence’s testing platform, enabled software engineers to accurately weed out severe issues early in the development process, and complied with industry regulations such as ISO 21434.

Book a Demo
Overall, this evaluation is a good example of the CARIADs developer-first approach and will be a blueprint for other Volkswagen ventures in the future. Continuous fuzz testing will bring CARIAD one step closer to their goal of fully automating and integrating Volkswagen's testing efforts until 2025.