Commercial third party code creating security blind spots

Despite the fact that third party code in IoT projects has grown 17% in the past five years, only 56% of OEMs have formal policies for testing security, a VDC Research reveals.

Meanwhile, when asked to rank the importance of security to current projects, 73.6% of respondents said it was important, very important or critical.

Growing complexity of the software supply chain

For years, the pace of needed innovation outstripped the rate of resource growth within development and QA organizations, making it difficult to keep pace with requirements organically. With organizations no longer able to center their code creation strategy on custom code, a premium has been placed on using content from other sources. With this growing complexity of the software supply chain, security has become a ubiquitous and paramount issue, based on the potential impacts to corporate risk, liability and damage to brand reputation.

“With more complex software supply chains becoming the norm, organizations are leaning on these third party assets to accelerate their internal software development, which creates security blind spots,” said Chris Rommel, EVP, IoT & Industrial Technology for VDC Research.

“With standards such as IEC 62443 requiring increased security of IoT devices, new testing capabilities are needed to address these software creation changes to ensure code quality and minimize risk.”

Commercial third party code sources posing security risks

IoT developers are drawing from a vast pool of third party code sources, each bringing its own potential IP and security baggage. The following key findings from the survey illustrate these trends and the risks they pose:

• Commercial third party code use in IoT projects grew 17% from 2015 to 2020, with in-house developed code dropping from 55.9% to 48.4%
• Security ranks as the second most cited development challenge facing IoT devices, yet only 56% of organizations have formal policies and procedures for testing the security of IoT devices
• Security is now the most important factor (30.3%) in selecting software composition analysis (SCA) tools which were originally developed for auditing IP compliance with licensing agreements
• Organizations using SCA reported using 10% more third party software code (64.2%) in their projects compared to those not using SCA (53.8%)
• SCA users said they were 65% more likely to finish their project ahead of schedule (57%) than those not using SCA (34%)

“Commercial third party code, which is the fastest growing component software within the IoT market, can contain both proprietary and open source components,” said Andy Meyer, CMO for GrammaTech.

“Lack of visibility into this ‘software bill of materials’ poses security and safety risks. With binary software composition analysis, organizations can know exactly what’s inside their applications and address vulnerabilities before releasing new products.”