The new norm in the world of computing is code reuse, much of it proprietary third party or open source. Due to pressures of the market to produce software as fast as possible and at a low cost, many programmers are not doing what even a few years ago would be normal: writing their own original source code.
The pressure to instead use software developed elsewhere is intense. According to a survey of developers in 2014 by Venture Development Corp., the size of the embedded code base alone is increasing at roughly three times the rate of the number of embedded software developers being hired. Where the number of software engineers available is expected to rise 9.6 percent through 2016, the code base is estimated to grow by 18.6 percent over the same period. Overall, embedded developers included in VDC’s 2014 survey said 51.1 percent of their project budgets were spent on software, versus 41.8 percent in 2012. Equally telling, respondents indicated that 51 percent of the end product value in 2014 was produced by the software versus 35.8 percent in 2012.
“Companies we surveyed said that they simply cannot keep pace in the embedded space with developers alone,” said Andre Girard, Senior Analyst at VDC. “More than 40% of the developers in our survey reported their projects are running behind schedule.”
Because of software demands and limited manpower resources, about 40 percent of embedded companies report they are behind schedule on software projects.
To deal with the disparity, embedded companies are currently using third party software in 44 percent of their designs. "Overall, 40.5% of respondents in medical device manufacturing, 28.6% in aerospace and defense, and 22.2% in auto and rail all expected to see an increase in commercial and other third-party code," he said.
Mahshad Koohgoli, Chief Technology Officer at Protecode, believes that in the larger programming environment outside of embedded device markets, the trend is even more pervasive, pointing to a recent Gartner study predicting that by 2017, ninety-five percent of companies will be using open source and third party software.
“Given such pressures, companies and their developers would be stupid not to take advantage of all the software code and IP building blocks openly available, and of all of the sources by which it can be obtained to speed up their designs.”
Despite the extensive use of third party code in their software, code analysis tools are still not being used widely by embedded developers.
(Source: Venture Development Corp.)
Koohgoli’s company offers a software audit service. Based on Protecode’s auditing of more than a million software files belonging to close to a hundred or more companies, it is his view that the reuse of code is on the increase. “Just looking at the audit results in the last two years, we have seen between 30% to 90% of the files were, or contained, open source software,” he said.
“The advent of tools such as NPM, Composer, Grunt, and NuGet, as well as the rise of GitHub as a major player in the open source community, give a good indication that developers are re-using code. These tools provide an easy way for developers to incorporate OSS within their own code with little effort – reusing existing modules instead of coding from scratch.”
Very soon, if work by a Rice University-led team of software experts proves out, dependence on already available third-party software will be even easier and more pervasive. The university team is creating a data mining engine that will use a repository database of open software on the Web that can be used in a manner similar to the autocomplete or autocorrect function in a word processor. Their aim: a system where the programmer writes a few lines of code, hits a button and the rest of the code appears.
Given the wealth of outside-developed software resources available, Girard said that when VDC analyzed the results of a survey of about 500 embedded engineers and software developers in 2014, they expected that trends among embedded developers in relation to the use of third party code would follow industry trends. But what they did not expect is how few embedded software developers were using readily available tools to check that code.
Girard said that according to its survey, only 7.4 percent of embedded developers use binary code analysis, while 27.9 percent use static source code analysis, 22.8 percent use requirements management, and 14.8 percent use modeling tools.
According to Paul Anderson, Vice President of Engineering at GrammaTech Inc., this trend toward more use of third party software, both open source and proprietary, presents all sorts of code quality, reliability and security problems. “What we are looking at in some cases is a quagmire of diverse code sources: a company’s own source and object code, externally obtained binary executable code, legacy code that is years out of date, purchased software IP, and software blocks that should work together but do not because of mismatched versioning.”
The code that is gathered comes with varying degrees of trust levels. “On the one hand, much of the external third-party purchased code in either binary executable or source form is probably trustworthy, because a company can go back to the people from whom they obtained it if something goes wrong and get a fix – or take legal action,” he said. “And while a lot of the open source software comes from reputable groups, it all comes down ultimately to who you can trust, not only that they are delivering high quality code, but that it does not have some sort of security holes that can be exploited.”
According to Bill Weinberg, senior director, Open Source Strategy, Black Duck Software, even if each code block that a developer uses, or reuses, comes up clean, there is the additional problem of making all the software mesh. “It is a fact of life in software development that if you write your code tightly, with no ambiguities and extraneous code, a hacker will have less chance of establishing a beachhead.”
Much of open source is well-written. But when you bring Code Block A from one source and Code Block B from another together in an application, there will inevitably be places where integration is less than clean. “Companies using the open source code had better expend some resources in programmer time and tool investment to make sure the software product not only has code they can depend on but also meshes seamlessly.”
Even with the wealth of software available for reuse, VDC’s Girard said a company would be foolhardy to go on trust alone and not make the investments to guarantee the software quality in any product it is developing. He said VDC’s recommendation to companies it advises is to make investments in a range of automated test tools, each of which performs an important but distinct role:
- Model-based tools, which can be used for proof-of-concept verification.
- Dynamic test tools, which are valuable for test-driven development and verification, to rigorously exercise software blocks individually and in combination before integration.
- Static analysis tools, which ensure coding consistency between the various blocks of imported software, either proprietary or open source (i.e., Green Hills Software, GrammaTech and LDRA).
- Binary analysis tools, which provide assurance about code safety from third parties when the source code is not available (i.e., GrammaTech and Black Duck Software).
“Making the investment in additional tools and resources to vet the code, both from original and from external resources, will incur costs up front,” said Jim McElroy, vice president of marketing for LDRA Technology Inc., “but it’ll be less expensive in the long run if it prevents one serious problem down the road where you least need it to happen: in a delivered product.”
“Many organizations use open-source software in applications supporting millions of users’ valuable data,” said Dave Hughes, CEO, HCC Embedded. “While open-source providers are usually completely open and transparent about the processes used to develop the software, the responsibility for security and quality is with the developing organization. They must ask if the software they are proposing to use has been developed using an appropriate process – regardless of who developed it.”
The Embedded Systems Conference and EE Times are owned by UBM Canon.