
How CARIAD Is Getting Ready for ISO 21434 and Improving Secure Software Development

 


Industry
Automotive

Department
Testing

Size
4500 employees

Location
Wolfsburg, Germany

The Results

CARIAD Implemented New Testing Approaches to Improve Volkswagen's Software Security

Automatic security tests with every merge request
Reproducible and debuggable results without false positives
Meaningful bug reports with code coverage
 

The Challenges

The Challenges of Testing Automotive Software

 

Evolving Industry Standards

New regulations and standards require extended security testing and name automated fuzz testing as a complement to penetration testing (UNECE WP.29 R155, ISO/SAE 21434).
 

False Positives

Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are widely used in automotive software security. These methods automate parts of the testing process, but they also produce many false positives, each of which costs developer time to triage.
 

Growing Dependencies 

Automotive software systems tend to have many dependencies, which makes them particularly hard to secure. Existing approaches such as manual testing and static analysis often do not give sufficient assurance for applications of this complexity.

"Continuous fuzzing with sanitizers is a must-have, especially, but not only, when it comes to memory-unsafe languages such as C/C++."

Andreas Weichslgartner
Security Professional, CARIAD


The Success

Why Volkswagen Evaluated Automated Fuzzing Approaches

CARIAD, Volkswagen Group’s new software house, is building one unified software platform for all Volkswagen brands to provide them with reliable software and digital best practice. Developers at CARIAD ran an extensive campaign to improve the security and reliability of their code, including their operating system (VW.OS). 

For this purpose, they explored several fuzz testing methodologies, because fuzz testing had proved particularly effective at detecting bugs in automotive software. Internally, CARIAD will even make fuzz testing mandatory for particularly critical projects, starting in 2022. The project team was specifically searching for a fuzzing solution that would let them run continuous fuzz testing automatically throughout their entire CI/CD pipeline.

Redefining Automated Security Testing

By integrating continuous fuzz testing into their CI/CD, the project teams are now able to easily test and debug the code they receive from their suppliers.
 

Effortless Debugging Without False Positives

In terms of bug findings and efficiency, the fuzz tests let developers fix bugs early in the development process without false positives: each finding comes with a concrete input that reproduces a crash or sanitizer report, so there is nothing to triage away.
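What "continuous fuzzing with sanitizers" looks like at the code level, as an added example that is neither CARIAD's nor CI Fuzz's code: a libFuzzer target for a hypothetical TLV frame parser, with the unchecked "before" version beside the bounds-checked fix. The frame layout, the function names, the crash input and the FUZZING_BUILD macro are all assumptions made for this illustration.

```cpp
// Added example, not CARIAD's or CI Fuzz's code: a libFuzzer target for a
// hypothetical TLV frame parser, shown as the unchecked "before" beside the
// bounds-checked fix. Build the fuzz target with sanitizers so every finding
// is a crashing input that can be replayed under a debugger:
//   clang++ -g -O1 -fsanitize=fuzzer,address,undefined -DFUZZING_BUILD \
//           tlv_fuzz.cpp -o tlv_fuzz && ./tlv_fuzz corpus/
// Stand-alone demo build:  clang++ -g -fsanitize=address tlv_fuzz.cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed frame layout (constructed for this example):
//   [type:1 byte][len:1 byte][value:len bytes], repeated until the buffer ends.
struct Record {
    uint8_t type;
    std::vector<uint8_t> value;
};

// "Before": trusts the len byte. A frame whose len exceeds the remaining bytes
// makes assign() read past the buffer; with -fsanitize=address the fuzzer
// reports heap-buffer-overflow on the first such input it generates.
int parse_tlv_unchecked(const uint8_t* data, size_t size, std::vector<Record>& out) {
    size_t pos = 0;
    while (pos + 2 <= size) {
        Record r;
        r.type = data[pos];
        uint8_t len = data[pos + 1];
        r.value.assign(data + pos + 2, data + pos + 2 + len);   // BUG: no bounds check
        out.push_back(r);
        pos += 2 + static_cast<size_t>(len);
    }
    return static_cast<int>(out.size());
}

// "After": every length is checked against the bytes actually left.
// Returns the record count, or -1 for a malformed frame.
int parse_tlv(const uint8_t* data, size_t size, std::vector<Record>& out) {
    size_t pos = 0;
    while (pos < size) {
        if (size - pos < 2) return -1;                 // header truncated
        uint8_t type = data[pos];
        uint8_t len = data[pos + 1];
        if (len > size - pos - 2) return -1;           // value would run past the end
        out.push_back(Record{type, std::vector<uint8_t>(data + pos + 2, data + pos + 2 + len)});
        pos += 2 + static_cast<size_t>(len);
    }
    return static_cast<int>(out.size());
}

// Constructed input of the kind the fuzzer finds quickly: len claims 5 bytes,
// but only 1 follows. parse_tlv_unchecked over-reads; parse_tlv returns -1.
std::vector<uint8_t> crash_input() { return {0x01, 0x05, 0xAA}; }

// libFuzzer entry point: the fuzzer calls this with each generated input.
// Only the hardened parser is wired in here; swap in parse_tlv_unchecked to
// watch ASan write a crash-<hash> file on the first run.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::vector<Record> records;
    parse_tlv(data, size, records);
    return 0;  // never reject inputs: the sanitizers decide what counts as a finding
}

#ifndef FUZZING_BUILD
// Stand-alone demo (libFuzzer supplies main() in the fuzzing build).
int main() {
    std::vector<Record> records;
    std::vector<uint8_t> in = crash_input();
    int n = parse_tlv(in.data(), in.size(), records);
    std::printf("hardened parser on crash input: %d (expected -1)\n", n);
    const uint8_t good[] = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
    records.clear();
    n = parse_tlv(good, sizeof(good), records);
    std::printf("hardened parser on valid frame: %d records\n", n);
    return 0;
}
#endif
```

Running the fuzz build on a merge request gives exactly the properties the page lists: a finding is a file under the working directory that re-triggers the sanitizer report when passed as the single argument to the binary, so it reproduces deterministically and can be stepped through in a debugger, and `-fsanitize=fuzzer` also emits the coverage counters that a coverage report is built from.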
 

Code Coverage Reporting

By implementing advanced fuzzing solutions such as the CI Fuzz testing platform, CARIAD is now able to automate and improve its coverage reporting. Developers can see which code the fuzz tests actually reach, judge how thorough a test is, and obtain reproducible results.

The Solution

Continuous Fuzzing With the CI Fuzz Testing Platform

CARIAD implemented the CI Fuzz testing platform in its CI/CD pipeline to redefine the security and quality testing of its software. Developers at CARIAD are now able to fix business-critical bugs fast and without false positives, which leaves them more time for other tasks.

The testing platform automates tedious manual tasks, such as maintaining test corpora. This greatly improves CARIAD's development speed and lets its developers apply advanced, usable security tests themselves.

 
Overall, this evaluation is a good example of CARIAD's developer-first approach and will be a blueprint for other Volkswagen ventures in the future. Continuous fuzz testing brings CARIAD one step closer to its goal of fully automating and integrating Volkswagen's testing efforts by 2025.