Black Duck’s new report, "The State of Embedded Software Quality and Safety 2025," presents key findings from a survey of 785 embedded software professionals. The report highlights two major shifts in the embedded software landscape: the widespread adoption—and dangerous lack of governance—of AI tools, and the rise of the software supply chain as a core business function, transforming Software Bills of Materials (SBOMs) into a crucial commercial requirement.

The report also explores the evolving role of embedded developers, the persistent tension between speed and quality, and the fragmented nature of compliance standards among firms engaged in embedded software development. And it offers actionable recommendations for technical leaders, managers, and security and compliance professionals to address the unique challenges of embedded software development. Here are some of the key questions addressed in the report.


How is the AI revolution impacting embedded software development?

A significant 89.3% of companies are already using AI code assistants, and 96.1% are integrating open source AI models directly into their products, often for core functions like data processing, computer vision, and process automation.

However, this rapid adoption is dramatically outpacing governance. Over 21% of organizations are not confident they can prevent AI from injecting flaws or other issues into their code. And 18% are aware of their developers using AI tools against company policy, posing significant unmanaged security, licensing, and IP risk.

Why have SBOMs become a commercial imperative for embedded software?

SBOMs have evolved from a niche compliance concern to a mainstream commercial requirement. Over 70% of organizations involved with embedded software development are now required to produce an SBOM, primarily driven by customer or partner requirements (39.4%), significantly surpassing industry regulation requirements (31.5%). The market is demanding deep transparency into software supply chains, making SBOMs a tool for competitive advantage.

Why is the “manager/engineer reality gap” a significant risk in embedded development?

The "manager/engineer reality gap" refers to a stark perception difference between management and hands-on developers regarding project success and quality. This gap represents a significant source of hidden risk within organizations, as it can mask underlying quality issues and deferred liabilities.

The report shows that while 86% of VPs and directors are optimistic about on-time, on-quality releases, only 56% of hands-on developers share that sentiment. The report notes that managers may see a product shipped on time as a win, while engineers are acutely aware of the painful compromises, shortcuts, and technical debt incurred to meet deadlines.

How are embedded developers' skillsets evolving, particularly concerning programming languages?

The job description for an embedded developer is rapidly changing. While the C languages remain foundational, there is a clear trend toward the adoption of memory-safe languages. A significant 80.4% of companies have already adopted memory-safe languages like Rust, Go, C#, Swift, and Python, either for new projects or by transitioning existing C++ projects.

What are the primary concerns of embedded software developers regarding defects and vulnerabilities?

The top concern among respondents regarding software released with defects is the potential “impact on safety or the environment” (19.62%). This response highlights the critical nature of embedded systems, where malfunctions can have serious real-world consequences. Other significant concerns include the cost of patching defects in the field (19.36%), damage to company reputation (17.58%), and loss of intellectual property (16.69%). All these concerns underscore the high stakes involved in embedded software quality and safety.

How are organizations addressing software supply chain risks?

Organizations are adopting a “shift-everywhere” strategy for software supply chain management. Software composition analysis (SCA) is now standard practice, with scans happening at every stage: with every build (39.1%), on every pull request (38.9%), and even within the developer's integrated development environment (IDE) (34.9%).

More than half of all companies (54.4%) are actively scanning for license obligations in code snippets that developers copy and paste into proprietary code. This is crucial because even small pieces of code can carry significant IP and license risks.

More findings from "The State of Embedded Software Quality and Safety 2025" report

Download the full report to learn more about the above findings, as well as

  • The biggest challenges facing embedded developers
  • The impact on testing tool requirements from the fragmented compliance landscape
  • How Black Duck helps embedded software organizations manage security, quality, safety, and compliance risks

Download your complimentary copy of "The State of Embedded Software Quality and Safety 2025" today.
