
Open Source Security for the Automotive Industry

Open source is fueling the connected car.
But could open source vulnerabilities stall its progress?


IHS Automotive forecasts that there will be 152 million actively connected cars on roads worldwide by 2020. As automobiles and other vehicles become more intelligent and connected, they are increasingly dependent on software built with open source. This fuels innovation, but failure to track and manage open source components and their vulnerabilities can have catastrophic consequences: stolen customer data, costly recalls, damage to reputation, and, with autonomous vehicle technologies, even personal injury or loss of life.

To stay ahead of these risks, automotive OEMs, suppliers, technology firms, and other players in the automotive supply chain need to proactively manage their use of open source.

Open Source License & IP Risks

The automotive industry is forecasted to spend $20B to $30B on autonomous driving technology through 2022, with revenues from safety, autonomous driving, and connected services estimated to grow from $36B to $156B. This growth is largely driven by open source infotainment platforms like those adopted by GM and Ford, and fueled by industry alliances like GENIVI and AUTOSAR.

As auto industry manufacturers and suppliers seek to differentiate and compete based on connected car technology, protection of software intellectual property is an increasing concern, made more difficult by the complexity of the automotive technology supply chain. Open source hidden within applications and vehicle components can carry reciprocal licenses which threaten your intellectual property, or conflicting license requirements which can prohibit the commercial use of critical technologies. As seen in other industries, remediation of these open source license compliance issues can also be costly.

  • "We found that, in addition to ensuring compliance, Black Duck helps us to be more productive simply by avoiding issues right from the beginning, thus avoiding unnecessary rework."

    - Rubens Sarracino, Systems Architect, Magneti Marelli

Automotive Vulnerabilities

Today’s car is a mobile computer, running between 100 million and a staggering 1 billion lines of code, often including a significant number of open source components. Researchers have identified an average of 10 entry points a malicious hacker could exploit to compromise a typical vehicle’s software. Recent highly publicized hacks of critical vehicle systems have raised public awareness and increased pressure on manufacturers and suppliers.

As more connected vehicles hit the roads, unpatched open source vulnerabilities are becoming reachable by malicious hackers over cellular networks, Wi-Fi, and hardwired connections. Failure to address these risks during development can be a costly mistake. By 2015, software recalls represented 15% of total vehicle-related recalls, up from 5% in 2011. At an estimated cost of $300 per vehicle, the 51 million US automotive recalls in 2015 cost an estimated $3B, and new regulations in the US and UK will increase these costs in the future. However, the real risk of high-profile hacks may be the deterioration of driver safety, customer confidence, and brand reputation.

Secure and Manage Open Source with Black Duck

If your company builds software for the automotive industry, Black Duck can help you realize the benefits of open source while minimizing these security and license compliance risks. With Black Duck, you can build fast and stay secure by automating and integrating open source management with your agile DevOps tools and processes.

  • Inventory all open source components in use in your applications.
  • Find modified, partial, and dynamically sourced components.
  • Identify known vulnerabilities and license risks that affect your code.
  • Get same-day alerts as new vulnerabilities are reported.
  • Define and automate enforcement of open source security and use policies.
  • Prioritize and track remediation activities.