Eric Brüggemann, the new CEO of Code Intelligence, stepped into the role in September. We asked him about his vision of the role and future of AI and fuzz testing in securing automotive software.
How does Code Intelligence’s AI-driven fuzzing platform address the unique security challenges faced by automotive software developers?
Brüggemann answers:
McKinsey reports that 95% of new vehicles sold globally by 2030 will be connected, and 64% of these cars will at least have advanced driving assistance. In the age of connected cars, cybersecurity is becoming a growing focus.
Starting in 2019, the number of vulnerabilities related to the automotive industry and reported to CVEs (Common Vulnerabilities and Exposures identifiers) is more than 300 each year.
The most frequent issues are memory corruption errors, e.g. buffer overflow, out-of-bounds write, out-of-bounds read, use after free. If a vulnerability or bug slips into production, it will cost the OEMs and their suppliers money to fix it via over-the-air updates or recalls. In 2023, OEMs faced 15% of recall incidents due to automotive software.
In various industries and especially in the Internet core infrastructure, Fuzz testing has proven to be the most effective and fastest way to uncover critical bugs, such as memory corruption. Tech giants like Google and Microsoft have been using fuzz testing to test their products for a decade.
When you fuzz your code, it sends random and unexpected inputs to intentionally cause unexpected behaviors and crashes and uncover bugs and vulnerabilities along the way. If fuzz testing crashes your application, that means attackers will be able to use the same issue when your code is in production.
At Code Intelligence, we’re making premium security testing easy to use by leveraging a combination of testing (static analysis, dynamic whitebox) and AI (large language models, genetic algorithms) components.
Automotive companies turn to Code Intelligence because fuzz testing not only helps them comply with industry standards but also saves many hours of manual work when checking their code for vulnerabilities.
Can you explain how hardware-independent testing benefits automotive companies in reducing development timelines and enhancing software security?
Brüggemann answers:
One of the biggest advantages of white-box fuzz testing, which analyzes the source code, over black-box testing, which doesn’t have access to your code, is that you can execute your code in a Software-in-the-loop simulator. And companies like Continental appreciate it a lot.
As the automotive industry develops many embedded systems, combining software with hardware testing automotive systems is a challenge. The software-in-the-loop testing approach allows companies to run tests entirely in software by simulating the hardware, so you don’t need to actually have the target hardware. Code Intelligence allows automotive companies to test their AUTOSAR applications at the system level in a complete software-in-the-loop manner. By eliminating the need for specialized hardware, you can accelerate the development process and enhance the ability to identify and resolve bugs and security vulnerabilities early in the development cycle.
This approach has been proven effective for a Tier-1 Automotive supplier, for whom a software-in-the-loop fuzzing approach at the system level is crucial because separate modules of an AUTOSAR application are provided by Tier-2 suppliers.
More details on our approach will follow in October 2024, when we officially launch it.
What role does AI play in improving the security testing of automotive software systems?
Brüggemann answers:
At the end of the day, any testing strategy is only as good as its implementation and adoption in people’s daily routines. While the technology to thoroughly test your code has existed for a few years, it has always struggled with the effort and complexity inherent in implementing it.
This is where artificial intelligence comes in - by fully automating the manual steps as part of a software testing workflow, companies are able to fully benefit from the benefits that premium security solutions provide - without going through any of the typically required effort!
While we have always had genetic algorithms as a core artificial intelligence component of our product, starting to leverage large language models has completely changed the way in which we can enable our customers. By essentially enabling them to “point” our automatic testing suite at any code base, no matter the size, complexity or their familiarity with it, and have it automatically create, run and optimize any number of required tests to fully cover the entire source code, we have reduced the typically required effort from over 1,000 hours to a single line of code.
This saves days, even months, of manual work, typically required to fully leverage dynamic testing.
And this is only the start - very soon, our use of AI will be further extended to automatically remediate any identified vulnerabilities, under developers’ guidance.
What role does fuzz testing play in uncovering vulnerabilities that traditional penetration tests might miss, especially in the automotive sector?
Brüggemann answers:
Different approaches to testing software exist. These can include static analysis, dynamic testing, and penetration tests. Each approach has strengths and weaknesses, and they complement each other.
Static analysis, for example, automatically analyzes the code as a type of “spell check”, the moment a developer writes a new line of code. Penetration testing, on the other hand, as a comparatively manual process, is usually implemented very late in the process. It might be done even after the code is already in production, so the identified bugs will be very expensive to fix. Pentesters' toolsets quite often consist of black-box dynamic testing tools, leading to long discussions on how to fix identified issues, as no detailed data for root cause analysis can be provided.
Fuzz testing, like other dynamic testing methods, can be done throughout the SDLC and its primary strength is that it finds vulnerabilities that static analysis misses as it tests the program in execution. Moreover, it does that without any false positives, meaning that every flagged issue needs to be tackled and you can achieve significant time savings once assessing and eventually remediating the results.
Ideally, you test your code statically first, then analyze it dynamically with fuzz testing, uncovering and fixing all critical bugs. Then, penetration testers test everything where fuzz testing couldn’t reach high code coverage, e.g. the correct usage of cryptographic functions and authentication. From our experience, this approach saves up to 80% of pentester effort and time, and retrospectively costs.
How does Code Intelligence's platform help automotive developers reproduce and resolve issues faster, potentially saving weeks of troubleshooting time?
Brüggemann answers:
The beauty of fuzz testing by Code Intelligence is that it analyzes your source code. In other words, it implements a white-box approach, meaning that it has full knowledge of the internal structure of a program.
The true power of Code Intelligence, however, lies in reducing the barriers to entry for companies wanting to benefit from a premium security solution such as whitebox dynamic testing.
In the testing process itself, our platform fully automates the process by identifying the highest priority entry points to test the code, automatically building, executing and optimizing your tests, selecting thousands of tests inputs per minute to test for edge cases and, at the end, providing your with a comprehensive overview of all findings and the achieved coverage.
Whenever Code Intelligence’s fuzz testing crashes the application or identifies bugs, it tells the developer in which line of their code it happens and why it happens - what triggers the bug and what the stack trace is. When adding our integrated debugging workflow, you can jump into troubleshooting right away, knowing everything you need to start fixing them.
Our ultimate goal is to fully automate the remediation part, too. We believe that white-box fuzz testing coupled with AI has all the insights and techniques to make this possible. Add zero false positives, and we get the game-changer.
How does fuzz testing complement other methods like static code analysis in ensuring compliance with industry standards such as ISO/SAE 21434?
Brüggemann answers:
Static and fuzz testing complement each other in many ways.
Firstly, they both are required by ISO/SAE 21434. Static Analysis is required for verification and mentioned in the requirement [RQ-10-10]. Fuzz testing is required to uncover software weaknesses and vulnerabilities, as mentioned in the requirement [RQ-10-12], and it is also required for components rated Cyber Security Assurance Levels (CAL) 2, CAL 3, and CAL 4.
Secondly, they help cover a broader range of potential issues early in development. Static analysis alone can uncover insecure coding practices and malicious Code, but it misses:
- Memory Corruption Problems
- Input Validation Issues
- Protocol Parsing Flaws
- Complex Logic Flaws
- Interaction with External Systems
- Environment-specific Issues
- Security Misconfigurations.
One automotive supplier, a customer of ours, stated that they use both types of testing, and through fuzz testing, they uncover 57% of all vulnerabilities - even though fuzz tests only made up 1% of all their security tests.
How does Code Intelligence’s platform integrate into a developer’s workflow, ensuring that software security testing happens seamlessly during development?
Brüggemann answers:
Automated testing tools help achieve comprehensive and continuous testing, ensure early vulnerability detection, reduce human error, and manage the increasing complexity of vehicle systems.
Crucial for that is integration into CI/CD. Automated testing can be integrated into CI/CD, meaning security vulnerabilities can be identified and resolved early in the development process. This reduces the risk of launching vehicles or systems with security flaws. For example, automated tools can run code analysis every time a developer submits code, flagging potential vulnerabilities instantly.
Code Intelligence’s testing platform integrates into our customers’ CI/CD and provides full visibility into the results of all running tests. Integration automates security checks at every stage of development, ensuring vulnerabilities are caught early and reducing the risk of insecure code being deployed to production.
What advice would you give to automotive companies looking to enhance their software security strategy with AI-driven fuzz testing?
Brüggemann answers:
The future of fuzz testing is here, and it’s powered by AI. If your company has struggled with the complexities of traditional fuzz testing—whether it’s the time-consuming task of analyzing code or writing test cases—now is the perfect moment to explore the latest advancements in AI-driven security testing.
AI can do more than just speed up code development; it can revolutionize how you approach to security, making comprehensive fuzz testing faster, smarter, and more accessible. With AI, the barriers to adopting fuzz testing in even the most complex environments—like legacy systems or large-scale projects—are rapidly disappearing.
Start by integrating AI-driven fuzz testing into your most recent or high-priority projects. Once you see how seamlessly it enhances your processes, you’ll be empowered to extend these benefits across the entire company, including legacy systems.
Conclusion
AI-driven fuzz testing is transforming the future of automotive software security, offering faster, smarter, and more comprehensive protection. With Code Intelligence’s platform, developers can automate security testing and catch vulnerabilities early, saving valuable time and reducing risks. Ready to enhance your software security? Start integrating AI-powered fuzz testing into your development process now. See firsthand how it can simplify your workflow and strengthen your systems. Visit Code Intelligence today to learn more and take the next step in securing your automotive software.