State of Aerospace & Defense Software Development Survey Results

Klocwork by Perforce. © 2019 Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. www.perforce.com

Introduction

Welcome to the 2020 State of Aerospace & Defense Software Development.

We’re excited to bring you the results of the 2020 State of Aerospace & Defense Software Development Survey.

This year, we surveyed over 300 professionals working in the aerospace and defense industry. They shared their top concerns in aerospace and defense software development today, and they shed some light on the impact of new trends (Cloud-based technologies) and longstanding requirements (IEC 61508).

We hope this information will help your development team innovate faster and improve quality — while maintaining compliance.

Thank you to everyone who participated in the survey!

Tim Russell

Chief Product Officer, Perforce

Table of Contents

Survey Highlights

What Causes Aerospace and Defense Software Developers the Most Stress

How Much Are Developers Really Affected by Cloud-based Technologies (and AI)?

Compliance Continues to be Central to Development

How Development Teams Manage Their Work

About the Survey

Survey Highlights

Security Is Imperative.

Cloud-based Technology Development Is Important (But Not Everyone Is Focused On It).

Industry and Safety Standards Are a Requirement — But Fulfilling Them Is a Challenge.

The Threat of Cyberattack Looms Large.

A Majority of Teams Are Leveraging Agile and Model-driven Development.

What Causes Aerospace and Defense Software Developers the Most Stress

Software has become more and more essential to aerospace and defense development. And teams building that software have plenty to be concerned about.

Here are the top concerns from the software development professionals we surveyed:

WHAT IS YOUR BIGGEST CONCERN IN DEFENSE SOFTWARE AND TECHNOLOGY DEVELOPMENT TODAY?

• 37% Security

• 25% Quality

• 15% Team Productivity

• 14% Safety

• 8% Testing

• 1% Other

#1 Concern: Security

37% of those we surveyed cite security as their top concern in aerospace and defense software development. The biggest security concern is unauthorized access to onboard/offboard systems (cited by 31% of those concerned with security). Development teams have good reason to be concerned: the number of cyberattacks against passenger air travel increased by more than 15,000% between 2017 and 2018, according to a Netscout study.

WHICH BEST DESCRIBES YOUR SECURITY CONCERNS?

• 26% Our development team lacks the skills needed to combat security threats.

• 23% Security testing takes too much time — it slows down development.

• 31% and 20%: segment labels not preserved in the extracted chart.

Other teams expressed concerns with their development team lacking the skills needed to combat security threats (26%) and that security testing takes too much time (23%). The smallest group expressed concerns about the difficulties with enforcing secure coding practices (20%).

Using the right tools helps to ensure secure coding practices and keeps software safe from security risks.

Resource: Intro to Secure Coding Standards >>

#2 Concern: Quality

Quality is the top concern for 25% of those we surveyed. Aerospace and defense software is expected to be high quality as well as provide maximum functionality. This puts development teams under pressure to deliver innovative technology in shorter development cycles.

36% of participants concerned with quality responded that their testing efforts are not exhaustive. And, it’s difficult to enforce coding best practices (28%). This can compromise quality.

Code that is considered to be high quality should be the foundation of any project and be emphasized early in development. Development tools, such as version control and static code analysis, can improve code quality.

WHICH BEST DESCRIBES YOUR QUALITY CONCERNS?

• 19% Peer code reviews are inconsistent.

• 17% Our codebase is too complex.

• 36% and 28%: segment labels not preserved in the extracted chart.

A few team members expressed concern with ensuring quality in a complex codebase (17%) — likely filled with legacy code or open source. And, a handful mentioned struggles with peer code reviews (19%).

#3 Concern: Team Productivity

14% of those surveyed are most concerned about team productivity. Their top concern is that it’s difficult to keep code reviews on schedule (34%). Managing design and IP assets across hardware and software teams was also cited as a major challenge (33% of those concerned with team productivity).

WHICH BEST DESCRIBES YOUR TEAM PRODUCTIVITY CONCERNS?

[Chart segments: 34%, 33%, 25%, 8%; segment labels not preserved in the extracted chart.]

Using the right version control tool can help you improve productivity across teams. You can use it to manage and share digital assets across teams — while securing IP.

Resource: How Version Control Helps Manage Assets and IP >>

#4 Concern: Safety

14% of those we surveyed are most concerned about safety. The largest share of those surveyed cited how difficult and time-consuming it is to fulfill functional safety requirements, like IEC 61508 (31%).

IEC 61508 is a complex functional safety standard, and proving that your software is compliant with it can be a challenge. In fact, 27% of those surveyed cited that tool qualification for compliance takes too long. Ensuring safety across the supply chain (22%) was the third most cited challenge, while complying with a coding standard to meet customer expectations was the fourth (21%).

WHICH BEST DESCRIBES YOUR SAFETY CONCERNS?

• 22% We're struggling to ensure safety across the supply chain.

• 20% Our customers expect us to comply with a coding standard.

• 31% and 27%: segment labels not preserved in the extracted chart.

How Much Are Developers Really Affected by Cloud-based Technologies (and AI)?

Not All Developers Have Their Heads in the Cloud

Those we surveyed say their product design is most impacted by Cloud-based technologies. Cloud-based technologies are often characterized by their flexibility, efficiency, and functionality. As aerospace and defense manufacturing processes are time-consuming and complex, using Cloud-based technologies provides the industry with several strong benefits.

TO WHAT DEGREE HAS CLOUD CONNECTIVITY IMPACTED YOUR PRODUCT DESIGN?

• 44% Somewhat — we're using some Cloud-based technologies.

• 28% Extensively — we're focused on Cloud-based technologies.

• 28% Not at all — we're not working on Cloud-related technologies.

Of those surveyed:

• 44% are working on some Cloud-based technologies.

• 28% are working extensively on Cloud-based technologies.

Surprisingly, 28% responded that they are not working on Cloud-related technologies. However, that is likely to change as more aerospace and defense manufacturers are adopting cloud computing to improve security and increase production efficiency.

AI and Machine Learning Not Widely Adopted

AI and machine learning deliver advantages to development teams. And, while leveraging AI and machine learning has the potential to transform aerospace and defense, it is not being widely adopted.

Most of those we surveyed said AI and machine learning are impacting product design:

• 37% are using AI and/or machine learning for some development.

• 23% are using AI and/or machine learning to drive innovation in development.

TO WHAT DEGREE HAS MACHINE LEARNING IMPACTED YOUR PRODUCT DESIGN?

• 40% Not at all — we're not using AI and/or machine learning today.

• 37% Somewhat — we're using AI and/or machine learning for some development.

• 23% Extensively — we're focused on Cloud-based technologies.

40%, however, are not using AI or machine learning today. Yet, there is opportunity for these teams to leverage AI and machine learning in their development processes.

Resource [Produvia]: Artificial Intelligence (AI) in Aerospace >>

Autonomous Vehicles Are Still Making Their Way Off The Ground

It may be some time before autonomous vehicles are here. A significant number of development teams are not focusing on autonomous components.

TO WHAT DEGREE HAVE AUTONOMOUS VEHICLES/ROBOTS IMPACTED YOUR PRODUCT DESIGN?

• 48% Not at all — we're not working on autonomous vehicles/robots today.

• 38% Somewhat — we're working on some autonomous components.

• 14% Extensively — we're focused on designing fully autonomous vehicles/robots.

A little over half of those who responded to the survey are working on autonomous components.

• 38% are working on some autonomous components.

• 14% are focused on designing fully autonomous vehicles/robots.

That leaves 48% who are not working on autonomous components today. This may change as the associated technology continues to progress.

Concerns About Cloud-based Technologies

The development professionals we surveyed have some concerns about Cloud-based technologies.

WHAT IS YOUR BIGGEST DEVELOPMENT CONCERN WITH CLOUD-CONNECTED TECHNOLOGIES?

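• 56% Security — avoiding cyberattacks.

• 3% Other

• 10% and 15%: Safety — complying with regulations; Development costs — keeping them under control (pairing of values and labels not recoverable from the extracted chart).

• 11%: segment label not preserved in the extracted chart.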

The top concern for the software development professionals that we surveyed is security (56%). This is followed by 20% who are concerned with development costs and 11% who are worried about delivering innovative software on time. Only 10% cited safety as a top concern.

Compliance Continues to be Central to Development

The aerospace and defense industries are highly regulated. Complying with those regulations is central to ensuring that aerospace and defense vehicles are safe and reliable.

Common aerospace and defense standards include both functional safety and coding standards.

Industry and Coding Standards Remain Important

Those that we surveyed wrote in several standards that they were required to comply with, but the most common standard was IEC 61508, an international functional safety standard. IEC 61508 is titled “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems” and is the basis for ISO 26262 — Automotive, IEC 62061 — Machinery, IEC 62304 — Medical Device, IEC 60880 — Nuclear, and EN 50128 — Railway.

A majority of those we surveyed — 76% — are required to comply with at least one security, quality, or functional safety standard.

ARE YOU REQUIRED TO COMPLY WITH ANY SECURITY, QUALITY, OR FUNCTIONAL SAFETY STANDARDS?

• 76% Yes

• 24% No

WHY DO YOU NEED TO COMPLY WITH ANY SECURITY, QUALITY, OR FUNCTIONAL SAFETY STANDARDS?

• 54% Government/Customer requirement

• 26% Internal requirement

• 18% Market requirement

• 2% Other

For those who need to comply with a security, quality, and/or functional safety standard:

• 54% need to comply due to a government/customer requirement.

• 26% have an internal requirement.

• 18% need to comply due to a market requirement.

What They Struggle to Prove

Proving compliance with any security, quality, and/or functional safety standard can be a challenge.

The largest group of those surveyed (28%) struggles to fulfill safety requirements — and prove that those requirements have been fulfilled.

WHAT IS YOUR BIGGEST CHALLENGE IN PROVING COMPLIANCE?

• 24% Enforcing coding standards.

• 15% Team Productivity

• 8% Showing design history.

• 1% Other

• 28% and 16%: segment labels not preserved in the extracted chart.

Others struggle with enforcing coding standards (24%). And some struggle with analyzing risk (22%), documenting versions of files and assets (16%), and showing design history (8%).

Fortunately, static code analysis tools — like Helix QAC and Klocwork — are independently certified by TÜV SÜD for use in safety related software development projects.

Most Use Coding Standards

79% of those surveyed are using a coding standard. The use of a coding standard is important for ensuring safe, secure, and reliable code. It is highly recommended and — for some aerospace and defense software developers — a customer requirement.

DOES YOUR TEAM USE A CODING STANDARD TODAY?

• 79% Yes

• 21% No

WHICH CODING STANDARD(S) DO YOU PRIMARILY USE?

• 31% Other

• 27% C++ Core Guidelines

• 15% High Integrity C++

• 12% CERT

• 11% DISA STIG

• 4% JSF AV C++

Which Coding Standards Do They Use?

Many teams are using multiple coding standards.

• 31% use Other (which was most often their own internal standards).

• 27% use C++ Core Guidelines.

• 15% use High Integrity C++.

• 12% use CERT.

• 11% use DISA STIG.

• 4% use JSF AV C++.

Resource: How to Choose a Coding Standard

How Development Teams Manage Their Work

Most Use C++ and Java Programming Languages

Most software developers working in the aerospace and defense industry are using C++ and Java. C++ is one of the most popular programming languages for embedded development, while Java is one of the most popular programming languages because of its portability and scalability.

There are some teams who are using C# and C. And, there were several write-ins for Python and JavaScript.

WHICH PROGRAMMING LANGUAGE(S) DOES YOUR TEAM CURRENTLY USE?

• 27% C++

• 24% Other

• 23% Java

• 18% C#

• 8% C

Many Teams Leverage Faster Methods and Processes

Many development teams are adopting methods and processes that will help them develop quality software faster. And, Agile development is the top method utilized across those we surveyed.

WHICH DEVELOPMENT METHODS AND PROCESSES ARE YOU PRIMARILY USING TODAY?

• 43% Agile development

• 20% Model-driven development

• 17% Test-driven development

• 10% Automatic code generation

• 7% Waterfall development

• 3% Other

Far more development teams are using Agile development processes over traditional Waterfall development. This makes sense, as aerospace and defense development shifts from hardware to software — and software development teams aim to maximize productivity.

Resource: Switching to Agile ALM >>

How Hardware and Software Teams Work Together

The aerospace and defense industry is steadily shifting from hardware to software. And, it is important that development teams can manage both hardware and software design, and code assets. That shift can lead to some challenges.

WHAT IS YOUR SINGLE BEST CHALLENGE IN MANAGING HARDWARE AND SOFTWARE DESIGN AND CODE ASSETS?

• 28% Management of multiple variants/releases of technology components

• 26% Integration with engineering tools (design/test)

• 21% Team working from distributed locations

• 2% Other

• 23%: segment label not preserved in the extracted chart.

Collaborating across teams is difficult — and distributed teams make it even more complicated. In addition, it becomes even more of a challenge when multiple variants of all the technology components involved — hardware and software — need to be properly managed. Using the right version control software can help these teams solve these challenges and unite global teams.

Resource: Solve Top Challenges For Hardware/Software Teams >>

The Right Development Tools Improve Quality

As the aerospace and defense industry evolves and the role of software expands, development teams will need to innovate in order to stay competitive. At the same time, they cannot lose sight of security, quality, and safety.

Which Tools They’re Using

Using the right development tools is the key to success. The top tools for those we surveyed are:

• Version control (28%).

• Project management (17%).

• Application lifecycle management (requirement/test/issue management) (15%).

• Dynamic analysis (13%).

• Automated/continuous testing (11%).

• Static code analysis (10%).

• Other (5%).

Perforce offers development tools in each of these key areas:

• Hansoft is an Agile project management tool trusted by global leaders across a variety of industries, including aerospace, automotive, and electronics.

• Helix Core is the best version control tool for large global teams with complex development needs.

• Helix ALM is an application lifecycle management tool that helps teams document that requirements have been fulfilled, tests have been run, and bugs have been resolved.

• Klocwork is one of the most trusted static code analyzers for aerospace and defense software developers that need to ensure that their code is safe and secure.

• Helix QAC is the most accurate code analyzer for C and C++, and it’s certified for functional safety compliance by SGS-TÜV, including IEC 61508, ISO 26262, EN 50128, IEC 60880, and IEC 62304.

WHERE HAVE THESE TOOLS HELPED YOU THE MOST?

• 22% Eliminated risk (safety/security).

• 13% Reduced costs in development.

• 8% Accelerated time-to-market.

• 39% and 18%: segment labels not preserved in the extracted chart.

Why Static Analysis Should Be The Top Tool For Aerospace and Defense Software Developers

A static analysis tool ensures secure, safe, and reliable software, which is essential for aerospace and defense development. By using a static analyzer, aerospace and defense software development teams are able to efficiently demonstrate compliance to both safety and security coding guidelines. In addition, static analyzers are able to remove issues prior to testing, which helps ensure that teams can keep costs down and avoid time wasted on correcting coding errors. For that reason, choosing the right static code analysis tool is important.

HOW KLOCWORK PERFORMS

Based upon the responses to the survey, the central concern across multiple areas of aerospace and defense development is security. One of the most effective methods to mitigate the potential of a cybercriminal exploiting vulnerabilities in source code is to examine it with a static analyzer — specifically Klocwork.

Klocwork is a modern, Agile static code analyzer that uses a sophisticated automatic analysis to examine the source code for hundreds of potential security vulnerabilities. It features built-in checkers that automatically examine the source code for hundreds of coding violations.

The static analyzer also includes Klocwork Checker Studio, which enables development teams to quickly and easily create customized security checkers. Klocwork also features built-in security reports based on the latest security coding standards — such as MISRA, CERT, CWE, DISA STIG, and OWASP. What’s more, Klocwork has been independently certified by TÜV SÜD for use in functional safety software development. By using Klocwork, development teams can easily comply with tool qualifications for airborne and ground-based systems and software — such as DO-178C/DO-330.

Klocwork has been designed to fully support the DevOps cycle. It does this by easily scaling to projects of any size, and effectively supporting Agile development and lifecycle management. What’s more, Klocwork integrates with continuous integration and continuous delivery pipelines to accelerate development times by reducing analysis result bottlenecks.

(See why Raytheon chose Klocwork.)

Have comments or suggestions for next year’s report? Share with us by emailing [email protected] with subject line “Aerospace & Defense Software Dev 2020”.

About the Survey

We surveyed over 300 professionals working in aerospace and defense software development in September 2019. Participants represent a range of experience. However, a majority are veterans of the aerospace and defense industry. Those who participated in the survey work primarily for third-party contractors or outsourced. Their teams produce a range of aerospace and defense products, ranging from general software to embedded software to aerospace components.
