IoT projects failing security tests, says VDC

  • May 19, 2021
  • Steve Rogerson

Only half of IoT projects are testing for software security, according to VDC Research in a study for Maryland-based GrammaTech.

This is despite the increased use of third-party components in supply chains creating hidden attack vectors.

GrammaTech provides application security testing products and software research services. It has released the findings from a research survey conducted by VDC Research on the state of software supply chain security testing.

Although third-party code in IoT projects has grown 17% in the past five years, only 56% of OEMs have formal policies for testing security. Yet when asked to rank the importance of security to current projects, 73.6% of respondents said it was important, very important or critical.

For years, the pace of innovation demanded of development and QA organisations has outstripped the growth of their resources, making it difficult to keep up with requirements using in-house effort alone. With organisations no longer able to centre their code creation strategy on custom code, a premium has been placed on using content from other sources.

As the software supply chain grows more complex, according to VDC Research, security has become a ubiquitous and paramount issue because of its potential impact on corporate risk, liability and brand reputation.

“With more complex software supply chains becoming the norm, organisations are leaning on these third-party assets to accelerate their internal software development, which creates security blind spots,” said Chris Rommel, executive vice president for VDC Research. “With standards such as IEC 62443 requiring increased security of IoT devices, new testing capabilities are needed to address these software creation changes to ensure code quality and minimise risk.”

IoT developers are drawing from a vast pool of third-party code sources, each bringing its own potential IP and security baggage. The following findings from the survey illustrate these trends and the risks they pose:

  • Commercial third-party code use in IoT projects grew 17% from 2015 to 2020, with in-house developed code dropping from 55.9% to 48.4%
  • Security ranks as the second most cited development challenge facing IoT devices, yet only 56% of organisations have formal policies and procedures for testing the security of IoT devices
  • Security is now the most important factor (30.3%) in selecting software composition analysis (SCA) tools, which were originally developed for auditing IP compliance with licensing agreements
  • Organisations using SCA reported using ten per cent more third-party software code (64.2%) in their projects compared with those not using SCA (53.8%)
  • SCA users said they were 65% more likely to finish their project ahead of schedule (57%) than those not using SCA (34%)

“Commercial third-party code, which is the fastest growing component software within the IoT market, can contain both proprietary and open-source components,” said Andy Meyer, chief marketing officer for GrammaTech. “Lack of visibility into this software bill of materials poses security and safety risks. With binary software composition analysis, organisations can know exactly what’s inside their applications and address vulnerabilities before releasing new products.”

GrammaTech provides application security testing used by security-conscious organisations to detect, measure, analyse and resolve vulnerabilities in software they develop or use. The company is also a cyber-security and artificial intelligence research partner for the USA’s civil, defence and intelligence agencies. GrammaTech has corporate headquarters in Bethesda, Maryland, and a research and development centre in Ithaca, New York.