Customer Success Story
CARIAD Implemented New Testing Approaches to Improve Volkswagen's Software Security
Automatic security tests with every merge request
Reproducible and debuggable results without false positives
Meaningful bug reports with code coverage
The Challenges of Testing Automotive Software
Evolving Industry Standards
New regulations require extended security tests and propose automated fuzz testing as a complementary approach to penetration testing (UNECE WP.29, ISO 21434).
Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are widely used in automotive software security. These methods automate part of the testing process, but they also produce many false positives, and triaging those is highly time-consuming.
Automotive software systems tend to have many dependencies, which makes them particularly difficult to secure. Existing testing approaches, such as manual testing and static analysis, often do not scale to the complexity of these applications.
Continuous fuzzing with sanitizers is a must-have, especially, but not only, for memory-unsafe languages such as C/C++: a sanitizer such as AddressSanitizer turns a silent out-of-bounds access into a deterministic crash, and the fuzzer keeps the input that triggered it.
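The following is an added example of what such a continuous fuzz test looks like in practice; it is not code from CARIAD, VW.OS or the CI Fuzz platform. It uses a constructed frame format (type, length, payload, CRC-8) chosen for this illustration, shows the unchecked decoder next to its hardened form, and wraps the hardened one in a standard libFuzzer entry point that is built with AddressSanitizer and UndefinedBehaviorSanitizer.

```cpp
// Added example (not CARIAD or Code Intelligence code): a libFuzzer harness for a
// constructed frame decoder. Built with -fsanitize=fuzzer,address,undefined, an
// out-of-bounds read becomes a reproducible crash with the offending input saved.
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <vector>

// Constructed wire format (an assumption for this example, not a real VW.OS format):
// [type:1][len:1][payload:len][crc8:1], payload at most 8 bytes.
struct Frame {
    uint8_t type;
    uint8_t len;
    uint8_t payload[8];
    uint8_t crc;
};

// CRC-8 (polynomial 0x07) over type, len and payload.
static uint8_t crc8(const uint8_t* data, size_t n) {
    uint8_t crc = 0;
    for (size_t i = 0; i < n; ++i) {
        crc ^= data[i];
        for (int b = 0; b < 8; ++b)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

// 'Before' version: trusts the length byte. Under AddressSanitizer a fuzzer finds
// the stack-buffer-overflow (len > 8) and the heap-buffer-overflow (len exceeds the
// remaining input) within seconds; without a sanitizer the overflow may corrupt
// memory silently and never show up as a failing test.
bool decode_frame_unchecked(const uint8_t* in, size_t n, Frame& out) {
    if (n < 3) return false;
    out.type = in[0];
    out.len = in[1];
    memcpy(out.payload, in + 2, out.len);        // no bound on len
    out.crc = in[2 + out.len];                   // may read past the buffer
    return crc8(in, 2 + out.len) == out.crc;
}

// Hardened version: every read is checked against the input size first.
bool decode_frame(const uint8_t* in, size_t n, Frame& out) {
    if (n < 3) return false;
    const uint8_t len = in[1];
    if (len > sizeof(out.payload)) return false;   // payload must fit the struct
    if (n < (size_t)2 + len + 1) return false;     // payload + crc must fit the input
    out.type = in[0];
    out.len = len;
    memcpy(out.payload, in + 2, len);
    out.crc = in[2 + len];
    return crc8(in, 2 + (size_t)len) == out.crc;
}

// Builds a valid frame; used to generate the seed corpus checked into the repo.
std::vector<uint8_t> encode_frame(uint8_t type, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out{type, (uint8_t)payload.size()};
    out.insert(out.end(), payload.begin(), payload.end());
    out.push_back(crc8(out.data(), out.size()));
    return out;
}

// libFuzzer entry point.
// Build:  clang++ -g -O1 -fsanitize=fuzzer,address,undefined harness.cpp -o harness
// CI run: ./harness corpus/ -max_total_time=120   (fails the job on any crash)
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    Frame f{};
    if (decode_frame(data, size, f)) {
        // Invariants the decoder promises; a violation aborts under the fuzzer,
        // so logic bugs are caught as well as memory errors.
        if (f.len > sizeof(f.payload)) __builtin_trap();
        if (memcmp(f.payload, data + 2, f.len) != 0) __builtin_trap();
    }
    return 0;  // libFuzzer ignores the return value
}
```

In a merge-request pipeline the harness runs for a fixed time budget against the checked-in corpus directory, and libFuzzer writes any crashing input to a `crash-<sha1>` file; replaying that one file against the binary reproduces the finding deterministically, which is what makes a fuzzer report free of false positives. Coverage for the same binary can be collected by adding `-fprofile-instr-generate -fcoverage-mapping` at build time and reading the profile with `llvm-cov`.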
Why Volkswagen Evaluated Automated Fuzzing Approaches
CARIAD, Volkswagen Group's new software house, was created to build one unified software platform for all Volkswagen brands and to provide them with reliable software and digital best practice.
During the past months, developers at CARIAD were getting ready to run a campaign to improve the security and reliability of their code, including their operating system (VW.OS). For this purpose, they explored several fuzz testing methodologies, because fuzz testing had proved particularly effective at detecting bugs in automotive software. Internally, CARIAD will even make fuzz testing mandatory for particularly critical projects, starting in 2022.
The project team was specifically searching for a fuzzing solution that would let them run continuous fuzz testing automatically throughout their entire CI/CD pipeline.
Redefining Automated Security Testing
By integrating continuous fuzz testing into their CI/CD, the project teams are now able to easily test and debug the code they receive from their suppliers.
Effortless Debugging Without False Positives
In terms of bug findings and efficiency, fuzz tests enabled the developers to fix bugs early in the development process, without false positives: every finding comes with the input that reproduces it.
Code Coverage Reporting
By implementing advanced fuzzing solutions, such as the CI Fuzz testing platform, CARIAD is now able to automate and improve their coverage reporting. This shows developers which code paths their fuzz tests actually reach and helps them achieve reproducible testing results.
Continuous Fuzzing with the CI Fuzz Testing Platform
CARIAD implemented the CI Fuzz testing platform in their CI/CD to improve the security and quality testing of their software. Developers at CARIAD are now able to fix business-critical bugs fast and without false positives, which leaves them more time for other tasks.
The testing platform automates tedious manual tasks, such as maintaining test corpora. This saves development time and enables CARIAD's developers to apply advanced and usable security tests themselves.
Overall, this evaluation is a good example of CARIAD's developer-first approach and will be a blueprint for other Volkswagen ventures in the future. Continuous fuzz testing will bring CARIAD one step closer to their goal of fully automating and integrating Volkswagen's testing efforts by 2025.