Smart2zero: Programmers and IT developers are under pressure to be productive and delivering their results on time. Therefore, the question is: can these software assessments and risk checks be automated?
Kuehlmann: To some degree. But it’s not only related to automotive. Security has to be a mandate from top down. It has to have the same priority as any feature in the software. As soon as you start trading off you get essentially into organizational conflicts, you get into priority conflict, raising the question to either develop all those features or address the security concept. So, first and most importantly, it’s an organizational and a business decision that needs to be done. The second one is putting a software development process in place that is comprised of training the developers: you know, how do you actually write secure codes, how do you have a secure architecture, and a secure design; followed by the designer start, doing architectural risk analysis and making sure that the design is fundamentally secure. This is a manual process, followed in the development process is using automated tools for standard testing as well as dynamic testing that can’t find vulnerabilities as you actually code it and address it in the development process; and followed by rigorous system testing and penetration testing once you release the code and put the system together. So it’s process; it starts by educating the developers, getting the architecture and the design right, all the way to having rigorous testing before you release. And by the way, this is nothing new in the IT world, it has been around in software development since the beginning of its days.
Smart2zero: Then there is always a kind of tension between security and quality?