The new norm in the world of computing is code reuse, much of it proprietary third party or open source. Due to pressures of the market to produce software as fast as possible and at a low cost, many programmers are not doing what even a few years ago would be normal: writing their own original source code.
The pressure to instead use software developed elsewhere is intense. According to a survey of developers in 2014 by Venture Development Corp., the size of the embedded code base alone is increasing at roughly three times the rate of the number of embedded software developers being hired. While the number of software engineers available is expected to rise 9.6 percent through 2016, the code base is expected to grow by 18.6 percent over the same period. Overall, embedded developers included in VDC’s 2014 survey said 51.1 percent of their project budgets were spent on software, versus 41.8 percent in 2012. Equally telling, respondents indicated that 51 percent of the end product value in 2014 was produced by the software versus 35.8 percent in 2012.
“Companies we surveyed said that they simply cannot keep pace in the embedded space with developers alone,” said Andre Girard, Senior Analyst at VDC. “More than 40% of the developers in our survey reported their projects are running behind schedule.”
To deal with the disparity, embedded companies are currently using third party software in 44 percent of their designs. “Overall, 40.5% of respondents in medical device manufacturing, 28.6% in aerospace and defense, and 22.2% in auto and rail all expected to see an increase in commercial and other third-party code,” he said.
Mahshad Koohgoli, Chief Technology Officer at Protecode, believes that in the larger programming environment outside of embedded device markets, the trend is even more pervasive, pointing to a recent Gartner study predicting that by 2017, ninety-five percent of companies will be using open source and third-party software.
“Given such pressures, companies and their developers would be stupid not to take advantage of all the software code and IP building blocks openly available, and of all of the sources by which it can be obtained to speed up their designs.”
Koohgoli’s company offers a software audit service. Based on Protecode’s auditing of more than a million software files belonging to close to a hundred or more companies, it is his view that the reuse of code is on the increase. “Just looking at the audit results in the last two years, we have seen between 30% and 90% of the files were, or contained, open source software,” he said.
“The advent of tools such as NPM, Composer, Grunt, and NuGet, as well as the rise of GitHub as a major player in the open source community, give a good indication that developers are re-using code. These tools provide an easy way for developers to incorporate OSS within their own code with little effort – reusing existing modules instead of coding from scratch.”
Very soon, if work by a Rice University-led team of software experts proves out, dependence on already available third-party software will be even easier and more pervasive. The university team is creating a data mining engine that will use a repository database of open software on the Web and that can be used in a manner similar to the autocomplete or autocorrect function in a word processor. Their aim: a system where the programmer writes a few lines of code, hits a button and the rest of the code appears.
Given the wealth of outside-developed software resources available, Girard said that when VDC analyzed the results of a survey of about 500 embedded engineers and software developers in 2014, they expected that trends among embedded developers in relation to the use of third party code would follow industry trends. But what they did not expect is how few embedded software developers were using readily available tools to check that code.
Girard said that according to VDC’s survey, only 7.4 percent of embedded developers use binary code analysis, 27.9 percent use static source code analysis, 22.8 percent use requirements management, and 14.8 percent use modeling tools.
According to Paul Anderson, Vice President of Engineering at GrammaTech Inc., this trend toward more use of third party software, both open source and proprietary, presents all sorts of code quality, reliability and security problems. “What we are looking at in some cases is a quagmire of diverse code sources: a company’s own source and object code, externally obtained binary executable code, legacy code that is years out of date, purchased software IP, and software blocks that should work together but do not because of mismatched versioning.”
The code that is gathered comes with varying levels of trust. “On the one hand, much of the external third-party purchased code in either binary executable or source form is probably trustworthy, because a company can go back to the people from whom they obtained it if something goes wrong and get a fix – or take legal action,” he said. “And while a lot of the open source software comes from reputable groups, it all comes down ultimately to who you can trust, not only that they are delivering high quality code, but that it does not have some sort of security holes that can be exploited.”
According to Bill Weinberg, senior director, Open Source Strategy, Black Duck Software, even if each code block that a developer uses, or reuses, comes up clean, there is the additional problem of making all the software mesh. “It is a fact of life in software development that if you write your code tightly, with no ambiguities and extraneous code, a hacker will have less chance of establishing a beachhead.”