Soufiane Alami is now a Principal DevOps Cybersecurity Engineer for Fidelity Investments. When we filmed episode 5 of Champions of Security, he worked as a cloud and application security engineer for Ford Motors.
Buckle up, because you’re in for a wild ride.
3 Key Takeaways
Much of what Soufiane and I talk about in this episode involves cars. I learned a ton from Soufiane about very real-world examples of security in the automotive industry.
Here are the top three takeaways from our conversation.
Key Takeaway #1: Cars are Computers
The first takeaway is that a modern vehicle is a large distributed computer on wheels, running a great deal of software. The number that came up in our conversation was around 10,000 APIs for a modern car's in-vehicle communication functions. An attack surface that large cannot be eliminated, only managed: visibility into what is running and talking on the vehicle is essential, but no team can cover all of it, so the risk has to be prioritised.
Key Takeaway #2: Vehicles are Subject to Unique Attack Methods
Vehicles are exposed to attack methods that have no real equivalent elsewhere. One example is an attack on the CAN bus, the internal network over which a car's electronic control units exchange the messages that drive critical functions. CAN frames carry no sender authentication, so anything that can put frames on the bus can issue commands in another unit's name. When a remotely reachable component, such as a telematics or infotainment unit, can bridge onto that bus, the attacker needs no physical access at all: someone can shut off a car's engine over the internet while the owner is driving.
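Because CAN frames carry no sender authentication, an injected frame usually "wins" over the legitimate one simply by being sent far more often than the real control unit sends it. The detection logic below is an added example, not code from the episode, its guest or any manufacturer: it learns each arbitration ID's normal transmit period from a clean capture, then flags frames on a live capture that arrive implausibly early for their ID, or that use an ID never seen during the baseline. The log lines are in candump text format and are constructed for the example; the IDs and payloads do not correspond to any real vehicle.

```python
"""Detect CAN frame injection from timing anomalies in a bus capture.

Added example (not from the Champions of Security episode or its guest).
Log lines, arbitration IDs and payloads below are constructed for
illustration and do not describe any real vehicle.
"""
import re
import statistics
from collections import defaultdict

# candump text format: "(seconds) interface ID#HEXDATA"; 3-digit standard or 8-digit extended ID.
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{8}|[0-9A-Fa-f]{3})#(?P<data>(?:[0-9A-Fa-f]{2}){0,8})$"
)

# Constructed clean capture: ID 0C9 every 10 ms, ID 1A0 every 20 ms.
BASELINE_LOG = """\
(0.000) can0 0C9#1F400000
(0.000) can0 1A0#00
(0.010) can0 0C9#1F400000
(0.020) can0 0C9#1F400000
(0.020) can0 1A0#00
(0.030) can0 0C9#1F400000
(0.040) can0 0C9#1F400000
(0.040) can0 1A0#00
(0.050) can0 0C9#1F400000
(0.060) can0 1A0#00
"""

# Constructed live capture: three 0C9 frames injected 2 ms apart with a
# different payload, then a frame under an ID (7DF) absent from the baseline.
LIVE_LOG = """\
(1.000) can0 0C9#1F400000
(1.000) can0 1A0#00
(1.010) can0 0C9#1F400000
(1.012) can0 0C9#00000000
(1.014) can0 0C9#00000000
(1.016) can0 0C9#00000000
(1.020) can0 0C9#1F400000
(1.020) can0 1A0#00
(1.030) can0 0C9#1F400000
(1.031) can0 7DF#0201000000000000
"""


def parse_frames(log_text):
    """Parse candump-style lines into (timestamp, arbitration_id, payload) tuples."""
    frames = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable CAN log line: {line!r}")
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames, min_gaps=3):
    """Per arbitration ID, the median inter-arrival time seen in a clean capture.

    IDs observed too rarely to estimate a period (event-driven frames) are kept
    as known IDs with period None so they are not later reported as unknown.
    """
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {
        cid: (statistics.median(gaps[cid]) if len(gaps[cid]) >= min_gaps else None)
        for cid in last
    }


def detect_injection(frames, periods, ratio=0.3):
    """Return (timestamp, id, reason) alerts for frames that arrive sooner than
    ratio * learned period after the previous frame with the same ID, and for
    frames whose ID never appeared in the baseline."""
    alerts, last = [], {}
    for ts, cid, _data in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown ID"))
        else:
            period = periods[cid]
            if period is not None and cid in last and ts - last[cid] < ratio * period:
                gap_ms = (ts - last[cid]) * 1000
                alerts.append((ts, cid, f"burst: {gap_ms:.1f} ms gap, expected {period * 1000:.1f} ms"))
        last[cid] = ts
    return alerts


if __name__ == "__main__":
    learned = learn_periods(parse_frames(BASELINE_LOG))
    for ts, cid, reason in detect_injection(parse_frames(LIVE_LOG), learned):
        print(f"{ts:.3f}  0x{cid:03X}  {reason}")
```

The ratio threshold is deliberately loose (a frame has to arrive at less than 30% of its normal period to be flagged) because real CAN traffic jitters under bus load; tightening it raises recall on slow injections at the cost of false positives on a busy bus. Note that the detector identifies the ID under attack, not which individual frame was forged, and that a legitimate frame landing inside an injection burst can be flagged as well.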
Key Takeaway #3: Bug Bounty Programs Can Be Simple and Effective
Because the attack surface is so large, auto manufacturers depend on security researchers to demonstrate attack vectors. And Soufiane has some insight into what makes a successful bug bounty program.
He recommends defining the scope of the program clearly, communicating that scope to the research community, and giving researchers access to the tools they need to do the work. And last but not least, have a remediation team in place before the reports start arriving, so that findings are triaged and fixed rather than left in a queue.
Thank you, Soufiane, for sharing the automotive industry’s exciting challenges in security.
Check out all the Champions of Security episodes here.