VDC Research Study Finds Only Half of IoT Projects are Testing for Software Security


Yet the Increased Use of Third Party Components in Supply Chains Creates Hidden Attack Vectors


BETHESDA, Md., May 12, 2021 — GrammaTech, a leading provider of application security testing products and software research services, today released the findings of a research survey conducted by VDC Research on the state of software supply chain security testing. Although third-party code in IoT projects has grown 17% in the past five years, only 56% of OEMs have formal policies for testing security. Meanwhile, when asked to rank the importance of security to current projects, 73.6% of respondents said it was important, very important or critical.

For years, the pace of needed innovation has outstripped the rate of resource growth within development and QA organizations, making it difficult to keep pace with requirements using in-house staff alone. With organizations no longer able to center their code creation strategy on custom code, a premium has been placed on using content from other sources. With this growing complexity of the software supply chain, according to VDC Research, security has become a ubiquitous and paramount issue, based on the potential impacts to corporate risk, liability and brand reputation.

“With more complex software supply chains becoming the norm, organizations are leaning on these third-party assets to accelerate their internal software development, which creates security blind spots,” said Chris Rommel, Executive Vice President, IoT & Industrial Technology for VDC Research. “With standards such as IEC 62443 requiring increased security of IoT devices, new testing capabilities are needed to address these software creation changes to ensure code quality and minimize risk.”

Report Highlights

IoT developers are drawing from a vast pool of third-party code sources, each bringing its own potential IP and security baggage. The following key findings from the VDC Research survey illustrate these trends and the risks they pose:

  • Commercial third party code use in IoT projects grew 17% from 2015 to 2020, with in-house developed code dropping from 55.9% to 48.4%
  • Security ranks as the second most cited development challenge facing IoT devices, yet only 56% of organizations have formal policies and procedures for testing the security of IoT devices
  • Security is now the most important factor (30.3%) in selecting software composition analysis (SCA) tools which were originally developed for auditing IP compliance with licensing agreements
  • Organizations using SCA reported using 10% more third party software code (64.2%) in their projects compared to those not using SCA (53.8%)
  • SCA users said they were 65% more likely to finish their project ahead of schedule (57%) than those not using SCA (34%)

“Commercial third-party code, which is the fastest growing component software within the IoT market, can contain both proprietary and open source components,” said Andy Meyer, Chief Marketing Officer for GrammaTech. “Lack of visibility into this ‘software bill of materials’ poses security and safety risks. With binary software composition analysis, organizations can know exactly what’s inside their applications and address vulnerabilities before releasing new products.”

The full report, Finding Sources of Security in the Complex Software Supply Chains of Tomorrow, is available here.

About GrammaTech

GrammaTech is a leading global provider of application security testing (AST) solutions used by the world’s most security-conscious organizations to detect, measure, analyze and resolve vulnerabilities in software they develop or use. The company is also a trusted cybersecurity and artificial intelligence research partner for the nation’s civil, defense, and intelligence agencies. GrammaTech has corporate headquarters in Bethesda, MD, a Research and Development Center in Ithaca, NY, and publishes Shift Left Academy, an educational resource for software developers. Visit us at, and follow us on LinkedIn and Twitter.

CodeSonar® and CodeSentry® are registered trademarks of GrammaTech, Inc.
