While some developers still ignore the issue, new findings from VDC Research suggest static analysis is becoming more common in software development lifecycles and teams.
INTRODUCTION:
A recent report from VDC Research entitled “The Global Market for Automated Software & Security Testing Tools” has some good and bad news regarding addressing security in embedded and IoT development. Although the report is not exclusively addressing security or static analysis, it does have some interesting findings in this regard. Primarily, that despite the widespread awareness of security being an issue, an alarming number of developers are not doing enough to address it.
The Good News
The VDC report has lots of good news for static analysis vendors. The market for tools is growing and, most importantly, there is a definite acceptance of the “shift left” philosophy in the marketplace. Software developers are accepting the fact that finding and fixing bugs and security vulnerabilities as early as possible has huge benefits in terms of cost, time, product quality and security. The other good news is that “82.3% of static analysis tools used in the enterprise and IT market, as well as 45.5% in embedded and IoT market, are focused on security.” Clearly, enterprise and IT customers are taking security seriously and making use of modern automation to help reduce the risks they face, as illustrated in Exhibit 6, taken from the report. VDC also notes that adoption of static analysis is robust in safety-critical software development, particularly of tools that aid with standards compliance.
Source: The Global Market for Automated Software & Security Testing Tools 2017 – VDC Research
The Bad News
Although the market for automated testing and static analysis tools continues to grow, action lags awareness when it comes to security in embedded and IoT system development, and the embedded/IoT market lags the enterprise and IT market significantly in this respect. The following quote and the associated data from the report (Exhibits 20 and 21, for example) illustrate this point clearly.
“Despite broad awareness of the critical nature of software security, 22.9% of embedded/IoT engineers report their organization is not taking any actions to address potential issues on current projects.” – Andre Girard, VDC Research
Source: The Global Market for Automated Software & Security Testing Tools 2017 – VDC Research
This is a double-edged sword for vendors such as GrammaTech. There is opportunity in raising awareness about security, which we write about often. If this awareness eventually turns into action, then both vendors and security benefit. On the other hand, awareness is not converting to adoption as quickly as it should be. Although this may seem self-serving coming from a vendor, it is important that embedded and IoT manufacturers take more action on securing their devices.
Other Findings
The VDC report has numerous findings about the automated testing market as a whole. Some interesting points made in the report related to static analysis include the following:
- A general recommendation to include static analysis as part of an automated testing portfolio
- Static analysis tools are often easier to adopt than other automated testing tools, making them a good entry point for adoption
- The use and re-use of third-party code in embedded projects continues to grow, and the adoption of binary static analysis, although initially small, is growing rapidly
- Agile development and DevOps are increasing the adoption of automated testing tools but highlight the importance of tool usability. Shorter cycles mean heavier use of automated tools, which in turn requires efficient and easy-to-use tools
CONCLUSION:
The embedded/IoT development marketplace is making strides in the adoption of automated testing tools. In addition, static analysis is seen as an easy first step toward more development automation, and its adoption is growing. Unfortunately, despite this growth, security risk mitigation is still not being addressed enough in embedded projects. The encouraging news is that, overall, the outlook is positive for vendors and customers as modern methods and techniques spread throughout the industry.