
VDC Research Report Finds Static Analysis Gaining Ground in Security


While some developers still ignore the issue, new findings from VDC Research suggest static analysis is becoming more common in software development lifecycles and teams.


INTRODUCTION:

A recent report from VDC Research entitled “The Global Market for Automated Software & Security Testing Tools” brings both good and bad news about how security is being addressed in embedded and IoT development. Although the report does not deal exclusively with security or static analysis, it contains some interesting findings on both. The main one is that, despite widespread awareness of security as a problem, an alarming number of developers are not doing enough to address it.

The Good News

The VDC report has plenty of good news for static analysis vendors. The market for tools is growing and, most importantly, the “shift left” philosophy has clearly been accepted in the marketplace. Software developers recognize that finding and fixing bugs and security vulnerabilities as early as possible brings large benefits in cost, schedule, product quality and security. The other piece of good news is that "82.3% of static analysis tools used in the enterprise and IT market, as well as 45.5% in embedded and IoT market, are focused on security.” Clearly, enterprise and IT customers are taking security seriously and using modern automation to reduce the risks they face, as illustrated in Exhibit 6, taken from the report. VDC also notes that adoption of static analysis is robust in safety-critical software development, particularly for tools that aid with standards compliance.

[Figure: Exhibit 6 from the VDC report]

Source: The Global Market for Automated Software & Security Testing Tools 2017 - VDC Research

The Bad News

Although the market for automated testing and static analysis tools continues to grow, action lags awareness when it comes to security in embedded and IoT system development, and this market lags the enterprise and IT market significantly. The following quote and the associated data from the report (Exhibits 20 and 21, for example) illustrate the point clearly.

“Despite broad awareness of the critical nature of software security, 22.9% of embedded/IoT engineers report their organization is not taking any actions to address potential issues on current projects.” – Andre Girard, VDC Research


[Figures: Exhibits 20 and 21 from the VDC report]

Source: The Global Market for Automated Software & Security Testing Tools 2017 - VDC Research

This is a double-edged sword for vendors such as GrammaTech. There is an opportunity in raising awareness of security, a topic we write about often, and if that awareness eventually turns into action, both vendors and overall security benefit. On the other hand, awareness is not converting into adoption as quickly as it should. It may sound self-serving coming from a tool vendor, but embedded and IoT manufacturers need to take more concrete action to secure their devices.

Other Findings

The VDC report has numerous findings about the automated testing market as a whole. Some interesting points made in the report related to static analysis include the following:

  • A general recommendation to include static analysis as part of an automated testing portfolio
  • Static analysis tools are often easier to adopt than other automated testing tools, making them a good entry point for adoption
  • The reuse of third-party code in embedded projects continues to grow, and adoption of binary static analysis, although starting from a small base, is growing rapidly
  • Agile development and DevOps are increasing the adoption of automated testing tools but also highlight the importance of tool usability: shorter cycles mean heavier use of automated tools, which in turn requires tools that are efficient and easy to use

CONCLUSION:

The embedded/IoT development marketplace is making strides in adopting automated testing tools. Static analysis is seen as an easy first step toward broader development automation, and its adoption is growing. Unfortunately, despite this growth, security risk mitigation is still not being addressed adequately in embedded projects. The encouraging news is that, overall, the outlook is positive for vendors and customers alike as modern methods and techniques spread throughout the industry.


Interested in running advanced static analysis on your code?

Start your free 30-day evaluation of CodeSonar today.