Software is eating the world wrote Marc Andreessen in The Wall Street Journal on August 20, 2011. Since that time every company in the world has beefed up their software teams and their digital transformation initiatives. Afterall, software is a key competitive advantage, and to survival. 

In the IoT space, we often think about the application software that power industrial systems and consumer connected devices. But what about the embedded software written to control machines or devices that are not typically thought of as computers? This is almost everything, from a small digital watch, e-bikes, electronic control units in cars, microwaves and missile guidance systems.

For insight we turned to Jeffrey Fortin, Head of Product Management, Vector Software. Vector provides automated test tools for embedded software applications in automotive, aerospace, medical devices, industrial controls, rail, and other business critical sectors.

Much of the discussion about software development has centered on mainstream brick-and-mortar companies becoming software companies. They need to be able to compete on software against FAANG (Facebook, Amazon, Apple, Netflix, Google). But this often means competing with better consumer facing applications. Vector focuses on embedded software. What’s at stake for embedded organizations here?

With companies such as Facebook and Apple becoming such a part of our everyday lives, consumers have grown so accustomed to the ease-of-use that these types of companies bring to market in their products. As IoT grows and brick-and-mortar companies are also becoming software companies, this type of user experience has become top of mind, and something that’s now expected by consumers. However, the underlying embedded software within these devices can easily be lost sight of while putting such a big focus on the user experience aspect. 

If an organization was responsible for a safety-critical device that did not previously have software, but now does, organizations must remember that it still has to meet the same safety requirements as before. Just because software has just now been integrated in the product and the organization wants to improve the UX, that does not mean that the safety of the device can be compromised. The quality of the embedded software must be the fundamental focus to ensure consumers are not put at risk.

We all know now that software is eating the world. If you are a manufacturer of electronic devices, but software development is not your core, what do you say to them?

As IoT continues to grow and evolve, there will be new vendors providing applications, middleware, and connected devices to support the thriving ecosystem. This essentially means that many electronic device manufacturers will also now be in the software business.

The problem is that many of these vendors will be new to building embedded software/robust software. This creates an increased importance on software quality, particularly when safety- or performance-critical applications become increasingly dependent on products controlled by software. In these situations, where safety, security or human life is exposed to risk if software fails, I would reiterate to these manufacturers that quality has to be the central focus of software development efforts.

In the IoT ecosystem, a lot of “consumer-grade” software will also find its way onto critical paths in new safety- or performance-critical applications, in large part due to the re-use of legacy code bases. Legacy code often carries an enormous amount of technical debt. Without proper software quality methods in place to ensure the integrity of legacy code, the overall safety of the system could be compromised. 

In summary, quality cannot be installed at the end. Organizations will need to adopt development processes to verify the integrity level of the software is in line with the safety risks of the application.

When it comes to IIoT, what are the trends you are seeing in embedded software and is there a major transition happening in terms of development, testing and quality?

One of the trends I have observed with the growth of IIoT is that product delivery has been flipped. In a traditional model, a product was delivered and remained static. With IoT/IIoT, products are now continuously updated and re-purposed for new functionality or for new business models. With change comes risk, including loss of quality -- and that can put safety at stake, particularly within industrial applications.

Due to this change, there has been a major transition in the way that organizations approach development and testing. For example, many have adopted processes that dramatically improve quality, including software development methodologies such as Change-Based Testing, Continuous Integration and Regression Testing.

Furthermore, as the number of products becoming software-defined grows, software integrity directly relates to brand value. Likewise, as products migrate from consumer-grade use cases to be integrated into mission-critical applications, the quality of the software will determine the value delivered by the products. The chance that faulty software will cause a system failure is now a much greater risk and can result in devastating consequences that not only bring business processes to a halt, but may also harm a company’s reputation. 

As a result, software quality has become an increasingly critical concern in the IoT environment.

Which languages are leading IoT development and what do you recommend to clients?

IoT often leverages scripting languages such as JavaScript, Lua and Node.js. But these languages usually run in conjunction with system software that control the device. The system software is usually written in C or C++. System software forms the foundation for the device and is often required to meet regulatory standards for safety integrity. Our clients who develop this type of software often use C, C++ and also Ada.

The embedded design is key to addressing the need for more secure products in an IoT-enabled world. What are your thoughts on how we make IoT more secure?

With IoT applications, safety can become an issue when security is compromised because these applications power safety-critical products such as automobiles, manufacturing equipment, medical devices and more. Developing secure applications requires constant vigilance in all stages of development. To do so, tools that are capable of detecting possible vulnerabilities when writing code, integrating modules and testing compiled binaries on target hardware should be used.

A commonly used tool for testing software is static application security testing (SAST), which analyzes large amounts of code for common vulnerabilities that could lead to potential security risks. SAST does not execute code, but instead tries to understand what the code is doing behind the scenes to identify errors. However, SAST has been plagued by false-positives, where vulnerabilities are reported but they do not actually exist. Instead, dynamic testing methods can be used to expose security defects in software by confirming exploitability. In this approach, automated software testing methods are used to interrogate an application’s software code and identify possible weaknesses. Once this is complete, a test exploiting the identified issue is generated and executed. After execution, test tools can analyze the execution trace and decide if the potential weakness is actually a genuine threat.

What is your biggest concern when it comes to the Industrial Internet of Things?

The Industrial Internet of Things comprises applications in medical devices, automobiles, avionics, heavy machinery and more. In all of these examples, the quality of the embedded software is under tight scrutiny as safety, security or human life is exposed to risk if the software fails. 

Code correctness forms the basis of a trusted computing platform, and that’s what we at Vector Software are focused on. Every development team needs a comprehensive process in place to achieve application security goals and ensure code correctness before a product goes to market. Our VectorCAST platform provides automated software testing tools that enable the implementation of a complete and automated test infrastructure to ensure improved code quality.

Interoperability testing and protocols are a major part of ensuring that IoT products work. Beyond interoperability, what do you see as the next steps?

At Vector Software, rather than simply testing for interoperability, our focus really lies on integrity testing. In any IoT device, especially in IIoT where safety is a top priority, it is important that the device is not only interoperable with other devices, but it is even more so important to ensure that the software powering these devices is implemented correctly, without fail.

Integrity testing ensures that the code coverage and overall quality of the software itself meet the required safety standards in place. If the software in a car sends a canned message to turn the headlights on, do they actually turn on? Integrity testing ensures that the software is implemented correctly and without errors so that the IoT-enabled device works every time. By doing so, safety is not at risk, and the devices we use in our daily lives can be relied upon.