Showing posts with label promise. Show all posts
Showing posts with label promise. Show all posts

Friday, August 31, 2018

Automakers must protect the promise of open-source code

You've heard the old joke about Bill Gates criticizing General Motors, noting that if the company had kept up with technology, then we would be driving $25 cars that got 1,000 miles to the gallon, or some such. And GM responds that if it built cars like Microsoft, then "for no reason at all, your car would crash twice a day."

Though the exchange never happened, it hints at the complex problem facing the auto industry today.

Cars have transformed from the buggies of Henry Ford's Model T into connected devices, streaming navigation, entertainment and other features through infotainment systems that vie to bring the capabilities of a smartphone, and more, to the dashboard.

The 2017 Autotrader Car Tech Impact Study is reported to have found that 53 percent of consumers expect their vehicles to offer the same level of technology as their phones, keeping them connected on the move.

However, manufacturers on their own are unable to produce enough software at scale and pace to keep up with demand.

A report from Visual Capitalist in 2017 showed that car software contains upward of 100 million lines of code. Only Google, with all of its services, was said to have more code in its products.

Automakers know how to make cars that get commuters from A to B. But they have realized that they are not application developers. To help produce the mountain of code that will be required to produce apps that are a joy to use — and not like those GPS interfaces that are reminiscent of Windows 95 — a number of automakers, suppliers and technology firms have come together to share code with one another.

!function(d, s) {var ip = d.createElement(s);ip.async = 1, s = d.getElementsByTagName(s)[0], ip.src = "//s.idio.co/ip.js", s.parentNode.insertBefore(ip, s)}(document, "script");$(function() { $idoWidget = $('#idio-article-recommendations-8'); $imageContainer = $idoWidget.prev().prev(); $imageEle = $imageContainer.children('img'); if ($imageEle && $imageEle.length > 0) { $imageContainer.insertAfter($idoWidget); }});

This is the promise of the open-source software movement, which turned 20 years old this year. The idea behind open source is to allow for developers to make use of the code written by others to build better software without the need to reinvent the wheel themselves every time or purchase commercial products.

Building blocks

The ability to reuse software that is developed and maintained by the community has made open-source code the building blocks of the software industry, allowing developers to work faster and more efficiently by gaining important functions and features for their applications, and concentrating their efforts on the "special sauce" of their proprietary products.

Open-source software such as Linus Torvalds' Linux, which was released in 1991, gave developers over the past two decades the tools to build their products, driving the explosion of innovation that we have witnessed over the past 20 years. The code base of modern applications on the market today is between 60 percent to 80 percent open source. The World Wide Web, smartphones, applications on our PCs — all have benefited from the availability of open-source software that would likely have otherwise evolved at a snail's pace.

To its credit, and out of necessity, the auto industry has embraced this model. One important initiative is the Automotive Grade Linux project under the auspices of the Linux Foundation.

Their Unified Code Base platform has drawn members including Toyota, Honda, Mazda, Oracle, Amazon and many more.

Their goal is to help speed up the development of code for infotainment systems from the glacial 36- to 39-month release schedule, bringing the ecosystem under one roof where all can benefit. The initiative is already bearing fruit, with the 2018 Toyota Camry sporting a system built on AGL's platform.

While infotainment is the jumping-off point, the project hopes to expand to other areas of vehicle software, including connected cars, telematics, safety and even autonomous driving. However, before they hit the road with these more ambitious endeavors, the partners will have to buckle up and prepare to deal with a significant speed bump that could send them veering off the road.

Fear of hacking, especially through the infotainment systems, is a serious consideration for car owners.

Just think about the level of anxiety that will come with self-driving cars. Trust is crucial when you are traveling at 70 mph.

Open-source software, with its clear advantages for developers, comes with security challenges.

Known vulnerabilities

A big concern for software containing open-source libraries and frameworks, or components, is the known vulnerabilities that are published by security advisories and databases such as the National Vulnerability Database so that users can perform fixes when vulnerabilities are found.

The problem is that hackers can see these published vulnerabilities as well, using them to target applications with open-source components without having to put in the work of finding the vulnerability on their own. Securing open-source code is not a simple task, as information regarding vulnerabilities is distributed among the "bazaar" of projects and sources, and not in a singular "cathedral" as we see with large commercial products.

There are also challenges of organizations not keeping track of the open-source components in their products, leaving developers to use vulnerable open-source components that have to be replaced, slowing down the process and adding to the costs.

Application security testing tools that are designed for proprietary software code aren't applicable to open-source components. Organizations need solutions that can give them control over their software development from start to finish, keeping out vulnerable open-source components, and alerting them when new vulnerabilities are discovered post-deployment.

Remember Equifax

As was seen in the 2017 hack of Equifax, which saw criminals make off with personally identifiable information of over 146 million people by exploiting a known vulnerability in the Apache Struts 2 framework, failures in securing open-source components can have serious consequences.

According to reports, the company was unaware that it was even using the vulnerable version of the component.

If projects such as AGL are going to succeed, and the automotive industry is going to continue to participate in sharing code, it will also need to address the issue of how to keep its software secure.

Open source can be the nitrous gas that sends automotive software speeding to the finish line, or it can blow up.

With great power comes great responsibility, and securing the open-source components in their products is something organizations need to prioritize on their journey to building more innovative software.


View the original article here