Cybersecurity within the automotive industry has been gaining a strong foothold in recent years, with the development and introduction of various standards and regulations. As covered in our previous blog post, this includes the draft standard ISO/SAE DIS 21434, released in February 2020, which sets out requirements for automotive organizations on topics such as overall cybersecurity management, risk assessment methods, and post-development phases. Additionally, in June 2020, UNECE’s World Forum for Harmonization of Vehicle Regulations (WP.29) added two new updates regarding cybersecurity and software. Both the ISO/SAE DIS 21434 and WP.29 updates are covered on our blog page.
This blog post discusses the significance of the latest ISO standard published by the OpenChain Project, a Linux Foundation project offering solutions for delivering open source with trusted compliance information, in collaboration with the Joint Development Foundation. The standard specifies requirements for an open-source license compliance program, with the mission of building trust between organizations exchanging software solutions that contain open-source software. As of December 1st, 2020, ISO/IEC PRF 5230 has been published in the ISO database and is currently under review at the approval stage.
It is the first ISO standard to emerge from the Linux Foundation in fourteen years, and the first fostered by the Joint Development Foundation. Its publication marks a significant shift from a de facto industry standard to formal standardization, which matters for prospective sales, procurement, and M&A.
Although the OpenChain ISO standard mainly addresses license compliance, it is highly relevant to automotive cybersecurity, because both depend on software component transparency across the supply chain. This is exemplified by activities promoted by the National Telecommunications and Information Administration (NTIA), such as defining and using a software bill of materials (SBOM). The aim is to enable every party in the supply chain to know which OSS components are present and which known vulnerabilities are associated with them, so that potential security concerns can be addressed.
Furthermore, according to Automotive World, future vehicles will contain more advanced and complex systems built on large software codebases. This includes increased use of open-source software (OSS) components in vehicles, which warrants a greater emphasis on establishing a secure software development process that covers OSS.
With continued advances in regulation, cybersecurity is increasingly gaining attention as a major focus area in the automotive industry. Automotive companies should therefore consider the prospective requirements on open-source license compliance in order to address the challenges of automotive software development.
Perseus has been deeply involved in the study and development of cybersecurity solutions for the connected car industry for almost a decade. Since our founding in 2016, Perseus has developed a multitude of solutions, including open-source software projects.
Contact our team to learn more.