Software Security
Software security can be viewed from several perspectives.
First, the organization developing the software must implement a secure process to ensure that the products it develops can be trusted. This can be done as part of a continuous integration / continuous delivery (CI/CD) process, implementing and mastering the Software Development Life Cycle (SDLC).
Second, within the organizational framework and processes, secure software design must be enforced, for example by applying secure coding rules and performing vulnerability assessment.
Finally, the objective of the developed software product is to allow users to perform secure functions and services. Thus, both the software system and the data it processes must be trustworthy.
The iSE neo platform comes with its associated Software, which includes
- the necessary drivers for its Hardware IPs,
- the security configuration and boot code needed to wake up and verify the device at startup,
- and the necessary firmware to implement all the services needed by the system:
  - iSE neo secure boot, including verification of the Hardware IPs' integrity and of the firmware's authenticity,
  - 1st level host boot,
  - firmware authentication during run time,
  - life cycle management and secure firmware updates in the field,
  - secure key provisioning and storage.
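To make the boot-time check concrete, the following is an added example (not Secure-IC's iSE neo firmware) of the order of operations a secure boot stage follows before handing control to a firmware image: authenticate the manifest, then apply the anti-rollback version check, then compare the image against the authenticated digest. The device key, manifest layout and version field are constructed for the example; an HMAC-SHA256 tag stands in for the digital signature a real secure boot verifies with a public key.

```python
"""Firmware authenticity check in the style of a secure boot stage.

Added example, not Secure-IC's iSE neo code. It assumes a device-held
authentication key and a manifest layout (both constructed here) and uses
an HMAC-SHA256 tag where a real secure boot would verify a signature.
"""
import hashlib
import hmac
import struct

# Constructed sample: a 32-byte device key that a real device would keep in
# protected key storage. The value is a placeholder.
DEVICE_AUTH_KEY = bytes.fromhex("00" * 16 + "ff" * 16)

# Hypothetical manifest layout: version (u32 big-endian) || SHA-256 digest (32) || tag (32)
MANIFEST_LEN = 4 + 32 + 32


def build_manifest(key: bytes, version: int, image: bytes) -> bytes:
    """Producer side: bind the version and the image digest, then authenticate both."""
    digest = hashlib.sha256(image).digest()
    body = struct.pack(">I", version) + digest
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_firmware(key: bytes, manifest: bytes, image: bytes, min_version: int) -> tuple:
    """Boot-stage check. Nothing in the manifest is trusted until its tag verifies."""
    if len(manifest) != MANIFEST_LEN:
        return False, "manifest length"
    body, tag = manifest[:36], manifest[36:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest tag"
    version = struct.unpack(">I", body[:4])[0]
    if version < min_version:  # anti-rollback: refuse images older than the stored floor
        return False, "rollback"
    if not hmac.compare_digest(hashlib.sha256(image).digest(), body[4:]):
        return False, "image digest"
    return True, "ok"


def demo() -> dict:
    """Runs the check against a genuine image and three failure cases (all constructed)."""
    image = b"constructed firmware image " * 64
    manifest = build_manifest(DEVICE_AUTH_KEY, 7, image)
    forged = manifest[:-1] + bytes([manifest[-1] ^ 1])  # flip one bit of the tag
    return {
        "genuine": verify_firmware(DEVICE_AUTH_KEY, manifest, image, min_version=5),
        "tampered_image": verify_firmware(DEVICE_AUTH_KEY, manifest, image[:-1] + b"X", 5),
        "forged_tag": verify_firmware(DEVICE_AUTH_KEY, forged, image, 5),
        "downgrade": verify_firmware(DEVICE_AUTH_KEY, build_manifest(DEVICE_AUTH_KEY, 3, image), image, 5),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The ordering matters: the version and digest are read only after the tag has verified, so a tampered manifest cannot steer the check, and `hmac.compare_digest` is used for both comparisons so that a mismatch does not leak through timing.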
The firmware comes with the documentation explaining its operation and the list of available commands.
It is validated against CERT C and MISRA C, and it is compatible with PSA, EVITA or AUTOSAR MCAL (options enabled on demand).
Security can be implemented as part of an organizational security and quality process, for example by following the recommendations of standards such as ISO/SAE 21434 on automotive cybersecurity. It can also benefit from CI/CD and SDLC guidelines and best practices, which are commonly used in modern software development.
Software products should be developed implementing coding rules appropriate to the standards and market segment being addressed, and verified throughout the development cycle with appropriate static and dynamic tools. Vulnerability assessment can be performed during the development cycle.
The Common Weakness Enumeration (CWE) can be used as a reference checklist, and Common Vulnerabilities and Exposures (CVE) can be consulted on a regular basis as a source of information on issues to avoid or fix in products already on the market, and on tools and libraries in common use: software tools should always be kept up to date and no obsolete version should be used. New CVE entries are published as vulnerabilities are discovered, so the list needs to be revisited regularly.
The security software may be used to perform various services such as key generation or key derivation, with the generated keys being used in various cryptographic operations.
The security software may also be used to perform various cryptographic functions, such as symmetric encryption and decryption, public-key encryption and decryption, and digital signature generation and verification, used for example for user authentication.
This last point is addressed by Secure-IC's Software Cryptographic Library solution. This solution embeds multiple software implementations of cryptographic algorithms such as AES, RSA-based cryptography, ECC-based cryptography, and hash and MAC functions.
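The key derivation mentioned above is the step that turns one provisioned secret into the separate, purpose-bound keys the other cryptographic operations consume. As an added example, not code from Secure-IC's Software Cryptographic Library, the block below implements HKDF (RFC 5869) over HMAC-SHA256 with the Python standard library and checks itself against the RFC's published test case 1; the "master secret" and context labels in `derive_purpose_keys` are constructed for the example.

```python
"""HKDF (RFC 5869) key derivation with HMAC-SHA256, standard library only.

Added example, not Secure-IC's library code. It shows how one master secret
is expanded into independent keys bound to a context label, so that, for
instance, an encryption key and a MAC key derived from the same secret
never coincide and cannot be swapped for one another.
"""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Step 1: concentrate the input keying material into a fixed-size PRK."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt is HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Step 2: expand the PRK into `length` bytes bound to the `info` context label."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) || info || i), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-expand in one call."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_case_1() -> tuple:
    """Returns (PRK, OKM) as hex for RFC 5869 Appendix A, test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return prk.hex(), okm.hex()


def derive_purpose_keys(master: bytes, salt: bytes) -> dict:
    """Constructed usage: distinct labels yield independent keys from one master secret."""
    return {
        "enc": hkdf(salt, master, b"demo: firmware encryption", 32),
        "mac": hkdf(salt, master, b"demo: firmware authentication", 32),
    }


if __name__ == "__main__":
    prk_hex, okm_hex = rfc5869_test_case_1()
    print("PRK", prk_hex)
    print("OKM", okm_hex)
    keys = derive_purpose_keys(b"constructed master secret", b"constructed salt")
    print("enc != mac:", keys["enc"] != keys["mac"])
```

The self-check against a published vector is the point of the `rfc5869_test_case_1` function: a KDF that derives keys deterministically but differs from the specification by a single byte ordering would still "work" in isolation and only fail when interoperating with another implementation.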