
ISO 21434 requires TARA updates as new CVEs emerge. Most processes stop at release.
Black Duck links live vulnerability intelligence to your TARA assets in Polarion. Every new CVE that affects your ECU components recalculates threat ratings and triggers governed response — automatically.
TARA is not a project milestone. Under ISO 21434 and UN R155, it is a continuous obligation.
Lines of code in a modern EV — across 100+ ECUs, multiple AUTOSAR domains, embedded Linux stacks, and OTA update systems. Each is a potential TARA asset with changing risk ratings.
Of automotive cyberattacks exploit weaknesses in software systems. Most originate in open-source components in ECU firmware that were never disclosed in supplier SBOMs. Source: Upstream 2024.
Known vulnerabilities in Black Duck's KnowledgeBase — including BDSA advisories for automotive-specific RTOS, AUTOSAR, and embedded cryptographic libraries up to 3 weeks ahead of NVD.
Duration of ISO 21434 and UN R155 post-development cybersecurity monitoring obligation — covering the entire operational life of the vehicle, including vehicles already on the road.
Sources: Upstream Automotive Cybersecurity Report 2024. ISO/SAE 21434 Clause 8.9. UNECE R155 Annex 5. OSSRA 2026.
The type approval audit reviews evidence. The post-launch obligation requires continuous evidence production.
- 01
Binary SBOM from ECU firmware — not just declared components
Black Duck decomposes ECU firmware binaries to identify open-source components even without source code access — covering AUTOSAR Classic/Adaptive, embedded Linux, Android Automotive OS, RTOS kernels, and third-party supplier 'black box' components. The SBOM that UN R155 and EU CRA require is generated from what is actually in the firmware, not what was declared.
- 02
Live TARA linked to vulnerability intelligence
X-DLM™ synchronizes Black Duck vulnerability findings directly to TARA assets in Polarion. Every new BDSA advisory that affects a component in your vehicle SBOM triggers TARA risk recalculation, generates a governed work item with ISO 21434 cybersecurity goal mapping, and routes to the responsible engineering owner with an escalation timeline.
- 03
ISO 21434 lifecycle evidence — from TARA through verified cybersecurity requirement
Polarion maintains the full ISO 21434 engineering evidence chain: Threat Analysis and Risk Assessment → cybersecurity goals → cybersecurity requirements → design → verification → validation → release → post-development monitoring. Each link is traceable and exportable for type approval audit and notified body review.
- 04
Safety-security co-engineering with ISO 26262
Polarion maintains both cybersecurity requirements (ISO 21434 SL) and functional safety requirements (ISO 26262 ASIL) in the same traceability thread. Security patches to safety-relevant ECU functions are assessed against ASIL ratings before release — the co-engineering evidence UN R155 and the EU Machinery Regulation require.
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.
Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.
Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
The most common automotive engineering objections — answered
"We already have TARA in our process."
TARA as a document is not the same as TARA linked to vulnerability intelligence. ISO 21434 and UN R155 require continuous TARA updates as new CVEs emerge post-production. X-DLM™ links Black Duck vulnerability findings directly to TARA assets in Polarion — every new CVE recalculates risk ratings and triggers governed response workflows automatically.
"Our suppliers provide SBOMs — that's their responsibility."
Supplier SBOMs cover what suppliers declare. Black Duck binary scanning of ECU firmware reveals what suppliers actually shipped — including undisclosed open-source components, outdated libraries, and vulnerabilities not in the supplier's SBOM. UN R155 makes the OEM responsible for what is in the vehicle, not what the supplier documented.
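The two workflows described on this page, reconciling a supplier's declared SBOM against what the firmware scan actually finds, and letting a new advisory recalculate the TARA risk of the assets that realise the affected component, can be sketched in a few dozen lines. The following is an added illustration written for this page, not X-DLM, Black Duck or Polarion code. All component names, advisory ids, assets and the risk-matrix cell values are constructed assumptions; the matrix follows the shape of the impact-by-attack-feasibility table ISO/SAE 21434 uses to derive a risk value from 1 to 5, and the escalation timelines are invented for the example.

```python
"""Illustrative SBOM reconciliation and TARA recalculation (not vendor code).
All data below is constructed for the example."""
from dataclasses import dataclass

FEASIBILITY_LEVELS = ("very low", "low", "medium", "high")
# Risk matrix of the kind ISO/SAE 21434 illustrates: impact rating x attack
# feasibility rating -> risk value 1..5. The exact cell values are an assumption.
RISK_MATRIX = {
    "negligible": (1, 1, 1, 1),
    "moderate":   (1, 2, 2, 3),
    "major":      (1, 2, 3, 4),
    "severe":     (2, 3, 4, 5),
}
# Assumed escalation timeline (days) per resulting risk value
ESCALATION_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: None}


def risk_value(impact: str, feasibility: str) -> int:
    """Look up the risk value for an impact / attack-feasibility pair."""
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class TaraAsset:
    asset_id: str
    components: tuple            # component names that realise this asset
    impact: str                  # impact rating recorded in the TARA
    cybersecurity_goal: str      # ISO 21434 cybersecurity goal it maps to
    baseline_feasibility: str = "very low"   # feasibility assumed at release


@dataclass
class Advisory:
    advisory_id: str
    component: str
    affected_versions: frozenset
    feasibility: str             # attack feasibility the advisory implies


def reconcile_sbom(declared, observed):
    """Compare supplier-declared components with components found in firmware."""
    declared_by_name = {c.name: c.version for c in declared}
    undeclared, mismatched = [], []
    for c in observed:
        if c.name not in declared_by_name:
            undeclared.append(c)                       # never disclosed by supplier
        elif declared_by_name[c.name] != c.version:
            mismatched.append((c, declared_by_name[c.name]))  # shipped != declared
    return {"undeclared": undeclared, "version_mismatch": mismatched}


def recalculate_tara(assets, observed, advisories):
    """Return a governed work item for every asset whose risk value rises because
    an advisory affects a component that is actually present in the firmware."""
    observed_by_name = {c.name: c for c in observed}
    work_items = []
    for adv in advisories:
        comp = observed_by_name.get(adv.component)
        if comp is None or comp.version not in adv.affected_versions:
            continue   # advisory does not apply to what was shipped
        for asset in assets:
            if adv.component not in asset.components:
                continue
            before = risk_value(asset.impact, asset.baseline_feasibility)
            after = risk_value(asset.impact, adv.feasibility)
            if after > before:
                work_items.append({
                    "asset": asset.asset_id,
                    "advisory": adv.advisory_id,
                    "component": f"{comp.name} {comp.version}",
                    "goal": asset.cybersecurity_goal,
                    "risk_before": before,
                    "risk_after": after,
                    "escalate_after_days": ESCALATION_DAYS[after],
                })
    return sorted(work_items, key=lambda w: -w["risk_after"])


# Constructed sample data (hypothetical names and ids)
DECLARED_SBOM = [Component("tls-lib", "1.2.0"), Component("can-stack", "3.1")]
OBSERVED_SBOM = [Component("tls-lib", "1.1.0"), Component("can-stack", "3.1"),
                 Component("zip-util", "0.9")]          # zip-util was never declared
ASSETS = [
    TaraAsset("A-001 OTA update channel", ("tls-lib",), "severe", "CSG-01 update authenticity"),
    TaraAsset("A-002 diagnostic log export", ("zip-util",), "moderate", "CSG-04 log confidentiality"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-lib", frozenset({"1.1.0"}), "high"),
    Advisory("ADV-EXAMPLE-002", "zip-util", frozenset({"0.9"}), "medium"),
    Advisory("ADV-EXAMPLE-003", "can-stack", frozenset({"2.0"}), "high"),  # version not shipped
]

if __name__ == "__main__":
    print(reconcile_sbom(DECLARED_SBOM, OBSERVED_SBOM))
    for item in recalculate_tara(ASSETS, OBSERVED_SBOM, ADVISORIES):
        print(item)
```

Two points the code makes that the prose only states: the advisory for `can-stack` produces no work item because the affected version was never shipped, so matching against the observed rather than the declared SBOM both adds findings (the undeclared `zip-util`) and removes noise; and the work item carries the before/after risk value together with the goal mapping, which is the evidence a post-development monitoring record needs.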
From ECU firmware binary to type-approval-ready TARA evidence.
Continuous. Linked. Automatically updated for the lifetime of the vehicle.
See how X-DLM™ integrates Black Duck ECU binary scanning with Siemens Polarion's ISO 21434 lifecycle management to produce continuous TARA-linked vulnerability governance, firmware SBOM data, supply chain security evidence, and type-approval-ready documentation.