Recently, Coverity Inc. commissioned the "Software Integrity Risk Report," a study conducted with Forrester Consulting with an eye on quality and the software supply chain. More than 330 software development influencers were surveyed about their policies for managing software quality, security, and safety.
The study confirmed what I have discussed previously -- that third-party code is prevalent in the embedded systems industry, and for good reason. The incorporation of third-party code can reduce costs, maximize development productivity, and speed time-to-market. It's evident that third-party code use is no longer merely a growing trend -- it's the norm.
What is interesting about the report is that, given the extensive use of third-party code, fewer than 50 percent of the respondents reported that they test third-party code with the same rigor as internally developed code. Furthermore, only 44 percent of respondents said that they conducted automated code testing of third-party code in development, compared to 69 percent who conduct automated code testing of internally developed software. So it's not surprising that more than 40 percent of respondents reported problems with third-party code that resulted in product delays, recalls, security vulnerabilities, an increase in development time, or a curtailment of revenue.
Simply put, companies are not holding third-party software to the same level of accountability as internally developed software, and that carries a large risk. When you consider the reasons companies leverage third-party code, those same benefits are being undermined by software defects in that very code.
This doesn't mean that development teams aren't doing their job. Instead, these results emphasize the need to extend software integrity standards across all suppliers, internal and external. Developer testing, including technologies such as static analysis, should be a part of those standards.
Static analysis is a cost-effective, automated, and repeatable way to ensure the quality of software. Applied across the software supply chain, it affords businesses an insight into the integrity of code, both in-house and third-party.
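As an added illustration of what "the same rigor for every supplier" looks like in practice, the script below is a deliberately small static checker, written for this article and not taken from the report or from any Coverity product. It walks a source tree, flags a handful of risky C library calls, tags each finding by origin, and applies one gate to internal and third-party code alike. The directory convention (`src/` for in-house code, `third_party/` for vendored code), the rule list, and the sample files it writes to a temporary directory are all assumptions constructed for the demo.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed rule set: a small, illustrative subset of unbounded C calls that a
# real static-analysis policy would flag. Not a vendor's checker list.
RISKY_CALLS = {
    "strcpy":  "unbounded copy; prefer a length-checked copy such as snprintf",
    "sprintf": "unbounded format; prefer snprintf",
    "gets":    "no bounds check; prefer fgets",
}
# \b keeps 'fgets(' and 'strncpy(' from matching 'gets(' and 'strcpy('.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


def classify_origin(path):
    """Tag a file by top-level directory (assumed convention: third_party/ vs src/)."""
    return "third_party" if "third_party" in path.split(os.sep) else "internal"


def scan_file(path, root):
    """Return one finding dict per risky call in a C source file."""
    findings = []
    rel = os.path.relpath(path, root)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            stripped = line.lstrip()
            # Crude comment skip so a mention of a function in a comment is not a finding.
            if stripped.startswith("//") or stripped.startswith("*"):
                continue
            for match in CALL_RE.finditer(line):
                call = match.group(1)
                findings.append({
                    "file": rel, "line": lineno, "call": call,
                    "origin": classify_origin(rel), "advice": RISKY_CALLS[call],
                })
    return findings


def scan_tree(root):
    """Scan every .c/.h file under root, regardless of who wrote it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith((".c", ".h")):
                findings.extend(scan_file(os.path.join(dirpath, name), root))
    return findings


def summarize(findings):
    """Count findings per origin so gaps in supplier coverage are visible."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["origin"]] += 1
    return dict(counts)


def gate(findings):
    """One policy for all origins: any risky call fails the integrity gate."""
    return len(findings) == 0


def build_demo_tree():
    """Write a constructed sample tree: one in-house module, one vendored module."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    samples = {
        "src/app.c": (
            "#include <stdio.h>\n#include <string.h>\n"
            "// legacy helper once used strcpy(); comment only, not flagged\n"
            "void copy_name(char *dst, size_t n, const char *src) {\n"
            "    snprintf(dst, n, \"%s\", src);   /* bounded, not flagged */\n"
            "    strcpy(dst, src);              /* flagged */\n"
            "}\n"
        ),
        "third_party/vendor_lib/parse.c": (
            "#include <stdio.h>\n#include <string.h>\n"
            "int parse_line(char *buf) {\n"
            "    char line[64];\n"
            "    gets(line);                    /* flagged */\n"
            "    sprintf(buf, \"%s\", line);      /* flagged */\n"
            "    return 0;\n"
            "}\n"
        ),
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    results = scan_tree(demo_root)
    for f in results:
        print(f"[{f['origin']}] {f['file']}:{f['line']} {f['call']}() - {f['advice']}")
    print("per-origin counts:", summarize(results))
    print("integrity gate:", "PASS" if gate(results) else "FAIL")
```

The point of the per-origin summary is the one the survey numbers make: if the `third_party` bucket is always empty because vendored code is excluded from the scan, the gate is not measuring supply-chain integrity at all. Running the same rules over both trees in CI, and failing the build on either, is the minimal version of the standard the article calls for.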