Cybeats’ tool provides a “strong sense” of where the software running on the vehicle comes from and whether it poses any risks to either the operation of the vehicle or the data the vehicle collects, said APMA President Flavio Volpe.
“We think about 75 per cent of software in this business is open-source,” Volpe said. “Well, the amount of open-source software makes the data that you create potentially at risk, or suspect.”
Unlike proprietary closed-source software, whose code is tightly guarded, the underlying code for open-source software is readily available. This shortens development times because programmers can reuse or build on code that is already proven, but it also lets attackers study the same code for weaknesses, and a flaw in a widely used component reaches every product that depends on it.
Software supply-chain transparency will become more of a priority in the coming years, Volpe said, as EVs have a “dramatically larger” digital footprint than their internal-combustion-engine cousins and thus a greater number of open-source vulnerabilities.
A BILLION LINES OF CODE
The typical vehicle today contains 10 million to 50 million lines of code that allow disparate components to function in a vehicle, Raidman said. By the time fully autonomous technology emerges, Cybeats expects that will grow to one billion lines.
For each vehicle part that runs software, Cybeats’ technology keeps an ingredient list known as a software bill of materials (SBOM). The company’s management platform, called Studio, does not sift through every line of code; instead it checks the open-source dependencies listed in each SBOM against known vulnerabilities as they are disclosed.
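The paragraph above describes SBOM monitoring in outline: record which components a part contains, then keep checking those components against vulnerability advisories. The script below is an added illustration of that matching step, written for this article; it is not Cybeats’ Studio code. The SBOM is a constructed document in the CycloneDX JSON shape, the advisories are constructed in the OSV “introduced/fixed” range style, and all component names, versions and advisory IDs are hypothetical.

```python
"""Match an SBOM's components against vulnerability advisories.

Added example for this article, not Cybeats' Studio code. The SBOM,
the advisories, and every name, version and ID in them are constructed
for illustration.
"""
import json
from typing import Optional

# Constructed SBOM in the CycloneDX JSON shape (hypothetical components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "door-module-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libcan-parser", "version": "2.1.4", "purl": "pkg:generic/libcan-parser@2.1.4"},
    {"type": "library", "name": "ota-client",    "version": "0.9.2", "purl": "pkg:generic/ota-client@0.9.2"},
    {"type": "library", "name": "tls-lite",      "version": "3.0.0", "purl": "pkg:generic/tls-lite@3.0.0"}
  ]
}
"""

# Constructed advisories in the OSV "introduced/fixed" range style (hypothetical
# IDs). A "fixed" of None models a component whose vendor stopped shipping
# updates: every version from "introduced" onward stays affected.
ADVISORIES = [
    {"id": "ADV-2023-0001", "name": "libcan-parser", "introduced": "2.0.0", "fixed": "2.2.0"},
    {"id": "ADV-2023-0002", "name": "libcan-parser", "introduced": "1.0.0", "fixed": "2.1.0"},
    {"id": "ADV-2023-0003", "name": "ota-client",    "introduced": "0.5.0", "fixed": None},
    {"id": "ADV-2023-0004", "name": "tls-lite",      "introduced": "3.0.1", "fixed": "3.1.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so '2.10.0' compares above '2.9.0'
    (plain string comparison gets that wrong). Real SBOM tooling needs per-ecosystem
    version schemes; this handles the numeric case only."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV range semantics: affected if introduced <= version < fixed.
    A missing fix makes the range open-ended."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """One finding per (component, advisory) pair whose version range applies."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    # No fixed version means no upgrade path: replace or mitigate.
                    "fix_available": adv["fixed"] is not None,
                })
    return findings


if __name__ == "__main__":
    product = json.loads(SBOM_JSON)["metadata"]["component"]
    print(f"Findings for {product['name']} {product['version']}:")
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        remedy = "fix available" if f["fix_available"] else "NO FIX PUBLISHED"
        print(f"  {f['component']} {f['version']}: {f['advisory']} ({remedy})")
```

Run against the constructed input, the matcher reports two findings: libcan-parser 2.1.4 falls inside the first advisory’s range but has already passed the second advisory’s fixed version, ota-client 0.9.2 is affected by an advisory with no fixed release, and tls-lite 3.0.0 sits just below the version where its advisory begins. The “no fix published” case is the one to watch in a fleet: the SBOM still tells you the component is there, but the advisory feed alone will never clear it.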
Because about 80 per cent of automotive software is built from open sources, it is a “very significant attack vector” within the software supply chain, Raidman said.
A vendor going out of business and no longer updating its software is just one scenario that would put the underlying software at risk, he said.
“You want to know about this because