Nearly Half of Commercial Third-Party Code in IoT Products is Not Tested Properly

New research shows that IoT projects dangerously lack security protocols, even as security has become a ubiquitous and paramount issue. Although the amount of third-party code in IoT projects has risen 17% over the past several years, only 56% of original equipment manufacturers (OEMs) have policies for security testing.

Meanwhile, according to a new VDC Research survey, 73.6% of surveyed organizations rated security as important, very important, or critical to their current projects.

Over the past few years, the increased need for innovation and the lack of resources within development and QA organizations have pushed organizations to rely less on custom code and more on content from other sources. On the other hand, security standards such as IEC 62443 require increased security of IoT devices, so organizations need new testing capabilities to address these challenges, ensure code quality, and minimize risk.

“With more complex software supply chains becoming the norm, organizations are leaning on these third party assets to accelerate their internal software development, which creates security blind spots,” said Chris Rommel, EVP, IoT & Industrial Technology for VDC Research.

“With standards such as IEC 62443 requiring increased security of IoT devices, new testing capabilities are needed to address these software creation changes to ensure code quality and minimize risk.”

IoT developers are increasingly relying on third-party code sources, each with its own risks. 

Other key findings from the survey illustrating these trends are as follows:

  • Third-party code in IoT projects grew 17% in 2015-2020
  • Security is the second largest development challenge for IoT devices
  • Only 56% of organizations have protocols for testing the security of IoT devices
  • Security is the most important factor (30.3%) when selecting software composition analysis (SCA) tools
  • Organizations using SCA are 65% more likely to finish their project ahead of schedule than those not using SCA

“Commercial third party code, which is the fastest-growing component software within the IoT market, can contain both proprietary and open source components,” said Andy Meyer, CMO for GrammaTech.

“Lack of visibility into this ‘software bill of materials’ poses security and safety risks. With binary software composition analysis, organizations can know exactly what’s inside their applications and address vulnerabilities before releasing new products.”

Meanwhile, last week President Biden issued an Executive Order, Section 4 of which requires developers to provide customers with a Software Bill of Materials (SBOM). The SBOM is intended to lessen the risks that come with incorporating open-source material into commercial software and to increase transparency in the use of third-party components.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.