Security and safety are afterthoughts in almost a third of embedded systems
A recent survey conducted by the US Barr Group suggests safety and security are not getting the attention they deserve from those designing embedded systems.
The web based survey produced results from 2452 embedded software designers, with 33% of responses coming from engineers based in Europe most in automotive, industrial automation, defense and medical. One of the survey questions asked respondents what was the worst thing that could happen if their system failed, and 22% said their system could kill or injure people if something goes wrong.
If that wasn’t disturbing enough, a significant portion of those same respondents said they were not following basic standards to prevent the problems. Of this respondents 16% admitted they were creating software without working to coding standards, 40% said they weren’t undertaking code reviews and 30% said they weren’t using static analysis.
When asked about test plans, only 59% of respondents said they were using regression tests, with more than 80% saying they used system level tests and 68% applying unit tests. “Regression testing should be close to, if not, 100%,” Girson observed.
The biggest offenders, according to the US Barr Group report are automotive designers.
This problem becomes even more dramatic when security issues are brought to the forefront. More than 50% of respondents are using wireless communications, while 92% said they were designing in one or more wired connections. Of those responding, 61% said security was a design requirement and 50% were making their latest project more secure than the previous one, and in an age where security concerns are high, one might think there would be more concern.
Making security and safety more difficult is the wide range of “attack surfaces” hackers can target. For example, 25% of respondents’ designs have more than four processors, implementing different communications approaches and different operating systems. That makes every project different with its own security approach. There is no universal solution to the problem and acquiring help in addressing it is paramount.