
VDC finds IoT fueling faster software development but with greater requirements for security protection


VDC’s recent report “Software Assembly Practices Necessitate More Precautions” highlights a significant software challenge for IoT device manufacturers. A majority of embedded device developers are working on projects with an IoT component and are seeing rising interest in IoT applications for the future. However, the current state of built-in security precautions is lacking. The report recommends new approaches to help improve the outcomes of future projects.


Changing market demands mean new approaches are needed

Process standards (e.g. ISO 26262) are here to stay and are becoming a norm for many embedded developers. Developers are also reporting that they are changing strategies with the use of tools, reusing their own code and incorporating third-party code in order to meet these new market demands.

VDC reports that embedded developers are unable to keep up with new market demands through in-house coding alone. To increase productivity, quality, and security, teams are reusing existing code and turning to third-party code. A majority of this code is commercial off-the-shelf (COTS) software and roughly a quarter is open source. This is a trend we’ve noticed and discussed in previous posts, and although there are clear benefits, caution is required when integrating outside source code.

Security is important but not enough is being done

A clear concern expressed in VDC's findings is that although a significant majority of developers agree that security was important to their product, 24% reported that no extra precautions were taken (see the graph below, with another 8% not sure whether any were!). In short, security in embedded products is evolving but still has a long way to go.


Figure 1: Graph showing percentage of each type of response developers have taken to mitigate a security threat. 

Recommendations align with our security-first methodology

Suffice it to say VDC’s recommendations align with ours completely. Although progress is being made and strategies are changing over time, there’s still a lot to do to improve embedded development. Security, in particular, is a concern, and recent events have illustrated the growing pains of IoT.

GrammaTech continues to encourage better software practices, providing tools and strategies to help mitigate security risks. Improving security, quality, and productivity with automated tools like advanced static analysis is key to success.