VDC finds IoT fueling faster software development but with greater requirements for security protection

November 18, 2016 Bill Graham

INTRODUCTION:

VDC’s recent report “Software Assembly Practices Necessitate More Precautions” highlights a significant software challenge for IoT device manufacturers. A majority of embedded device developers are working on projects with an IoT component and are seeing rising interest in IoT applications in the future. However, the current state of built-in security precautions is lacking. The report recommends new approaches to help improve the outcomes of future projects.

Changing market demands mean new approaches are needed

Process standards (e.g. ISO 26262) are here to stay and are becoming a norm for many embedded developers. Developers are also reporting that they are changing strategies with the use of tools, reusing their own code and incorporating third-party code in order to meet these new market demands.

VDC reports that embedded developers are unable to keep up with new market demands through in-house coding alone. To increase productivity, quality, and security, teams are reusing existing code and turning to third-party code. A majority of this code is commercial off-the-shelf (COTS) software and roughly a quarter is open source. This is a trend we’ve noticed and discussed in previous posts, and although there are clear benefits, caution is required when integrating outside source code.

Security is important but not enough is being done

A clear concern expressed in VDC's findings is that although a significant majority of developers agreed that security was important to their product, 24% reported that no extra precautions were taken, with another 8% not sure whether any were (see the graph below). In short, security in embedded products is evolving but still has a long way to go.

[Figure: VDC security graph]

Recommendations align with our security-first methodology

Suffice it to say VDC’s recommendations align with ours completely. Although progress is being made and strategies are changing over time, there’s still a lot to do to improve embedded development. Security, in particular, is a concern, and recent events have illustrated the growing pains of IoT.

GrammaTech continues to encourage better software practices, providing tools and strategies to help mitigate security risks. Improving security, quality, and productivity with automated tools like advanced static analysis is key to success.
