Black Duck’s 2025 embedded software report shows a sector being reshaped by rapid AI adoption, weak governance, and the rise of SBOMs as a commercial requirement. It also highlights a growing gap between management optimism and engineering reality, alongside a shift toward memory-safe languages and stricter supply-chain and compliance expectations. #BlackDuck #SBOM #Censuswide #MISRA #CERTC #ISO26262 #ISOSAE21434 #EUCyberResilienceAct
Key points
- This annual report typically opens with the scale of industry change, then moves into executive summary findings, AI adoption and governance, software supply chain maturity, workforce/process challenges, recommendations, and an appendix with survey questions and demographics.
- The report is based on a June 2025 survey by Censuswide of 785 embedded software professionals, with 16 questions used to capture trends across development, security, compliance, and business priorities.
- The main story is the rapid spread of AI in embedded development: 89.3% of companies use AI coding assistants, and 96.1% are building open source AI models into products.
- Shadow AI is already present in 18% of companies, showing that policy enforcement is lagging behind real-world developer behavior.
- Governance remains weak compared with adoption: 21.1% are not sure AI-generated code is safe, and 19.1% are not confident they can manage open source license risks from AI-generated code.
- There is a major confidence gap between embedded engineers and product security teams, especially around AI-related IP and license obligations; more than 44% of engineers feel unequipped, versus about 14% in product security.
- Software supply chain management has become mainstream: software composition analysis (SCA) is now standard practice, often applied at every stage of the pipeline.
- SBOMs are moving from compliance artifact to business requirement, with 70.8% of organizations required to produce one and customer or partner requirements the leading driver at 39.4%.
- More than half of companies scan for license obligations in both main components (51.0%) and code snippets (54.4%), reflecting tighter scrutiny of open source usage.
- Memory-safe languages are gaining momentum: 80.4% of companies have adopted them, with 42.8% already using them on new projects and transitioning existing C++ projects.
- Despite technical progress, delivery pressure remains intense: nearly 40% of respondents say they sometimes compromise quality to meet deadlines.
- Perception gaps are substantial across leadership and engineering: over 85% of VPs and directors are optimistic about on-time, on-quality releases, while only 64% of hands-on developers agree.
- At the CTO level, 86% say projects are successful, compared with only 56% of hands-on embedded software engineers, underscoring a widespread management/engineering disconnect.
- The biggest defect-related concern is potential safety or environmental impact at 19.62%, showing that quality failures are viewed not just as technical issues but as real-world risk.
- The most common challenge to eliminating defects is software/hardware/system complexity at 18.73%, followed by insufficient testing/tools and lack of secure coding skills.
- No single external standard dominates compliance; internal coding standards are the most common authority at 22.2%, ahead of CERT C/C++/Java, MISRA C/C++, ISO 26262, and ISO/SAE 21434.
- The report’s recurring themes are the need for stronger AI governance, deeper supply-chain transparency, expanded use of secure development tooling, and better alignment between leadership expectations and engineering reality.
- The overall takeaway is that embedded software is becoming more regulated, more AI-driven, and more dependent on provable provenance, accurate SBOMs, and memory-safe development practices.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)