Reflections on Embedded World '23

March 30, 2023


embedded world Exhibition & Conference 2023 ended a week ago, and I have had some time to reflect on the topics and discussions on the exhibit floor. I have a love-hate relationship with tradeshows. On one hand, they are a great way to speak with a lot of different people from different backgrounds in a short amount of time, and I love doing that. On the other hand, it is a lot of walking and standing about.

This year, I had the benefit of a good pair of shoes and a lot more exercise before the show, so there was much more love than hate, this year at least. There were also a couple of vendors (AWS included) with robot-operated beer servers, which helped too.

Embedded World is special and certainly one of my favourite tradeshows: one moment you can be discussing security certification of smart cards and small devices, the next you are in a passionate discussion about software-defined vehicles, while somebody else is trying to get your attention to talk about certified graphics in aviation.

One thing that surprised me by its relative absence was the topic of the Software Bill of Materials (#SBOM). I had expected more people to know about it and ask about it, but we ended up doing a lot of education on the need for an accurate SBOM for the software you produce or consume (including a presentation by our Dr Paul Anderson).

In his conference presentation, Paul asked how many people knew about SBOMs (only a few raised their hands) and how many generated SBOMs (only one person raised a hand). This is surprising: software inventory and software supply chain security are key topics that I had expected people to be more familiar with.

Why? Without an SBOM, you are blind to the foundation you are building your software on. You do not know which components make up that foundation, which leaves you open to a licensing nightmare as well as a security and maintenance one: you cannot check a component's licence terms, and you cannot tell whether a newly published vulnerability affects you.

This is exactly why the US Federal Government is mandating that its vendors provide an SBOM. GrammaTech supports several agencies in the US Federal Government in generating an SBOM for vendors that do not provide one.

SBOMs are also a big part of the Cyber Resilience Act that the European Union is working on. And lastly, an SBOM is a key artefact to review for automotive (UN R155) and medical (IEC 62304) applications.

SBOMs will be a major topic at security shows such as RSA Conference, which we will also attend in April, which is why I was a bit surprised they were not at Embedded World.

One topic that is always at Embedded World is the topic of the MISRA family of coding guidelines, of which GrammaTech is a strong supporter. They help software developers write more maintainable and safer code.

MISRA checking is one of the first steps towards writing good code. On top of MISRA checking, it is important to do deep static analysis with abstract execution to search for security issues such as buffer overruns, memory violations and tainted data: a coding-guideline checker reports violations it can see in the code as written, whereas finding a tainted value that flows into an array index requires following data through the program. In our booth we spent a lot of time demonstrating how the two differ, and that it is important to cover both sides of the spectrum.
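As an added illustration of the distinction drawn above (a constructed example written for this post, not GrammaTech's code, CodeSonar output or a MISRA rule listing): two lookups into a small calibration table, both written in a style a guideline checker has little to object to. The first takes an index byte straight from a received packet and uses it as an array subscript; the second validates that byte against the table length first. The packet layout, table contents and function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: an 8-entry calibration table indexed by a byte that
 * arrives in a serial/network packet. Both lookups use fixed-width types,
 * a single return and named constants, so a checker that looks at the code
 * line by line sees much the same thing in both. What differs is whether
 * the externally supplied index is validated before it reaches the array. */

#define CALIB_LEN      8U
#define CALIB_INVALID  ((int16_t)-1)

static const int16_t calib_table[CALIB_LEN] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Assumed packet layout: byte 0 = message type, byte 1 = table index. */
#define PKT_MIN_LEN     2U
#define PKT_IDX_OFFSET  1U

/* Unsafe variant: the index byte is tainted (it comes from outside the
 * program) and flows directly into the subscript. For pkt[1] >= CALIB_LEN
 * this reads past the end of calib_table, which is undefined behaviour.
 * Spotting it means tracking the value from the packet to the subscript,
 * which is what the deeper analysis adds on top of guideline checking. */
int16_t calib_lookup_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    int16_t result = CALIB_INVALID;
    if ((pkt != NULL) && (pkt_len >= PKT_MIN_LEN)) {
        uint8_t idx = pkt[PKT_IDX_OFFSET];
        result = calib_table[idx];   /* no bound on idx */
    }
    return result;
}

/* Range check for the tainted byte, kept separate so it is easy to test. */
bool calib_index_valid(uint8_t idx)
{
    return (idx < CALIB_LEN);
}

/* Hardened variant: the index is range-checked before it is used as a
 * subscript, and out-of-range input is reported to the caller through
 * *ok instead of being silently clamped or ignored. */
int16_t calib_lookup_checked(const uint8_t *pkt, size_t pkt_len, bool *ok)
{
    int16_t result = CALIB_INVALID;
    bool valid = false;
    if ((pkt != NULL) && (pkt_len >= PKT_MIN_LEN)) {
        uint8_t idx = pkt[PKT_IDX_OFFSET];
        if (calib_index_valid(idx)) {
            result = calib_table[idx];
            valid = true;
        }
    }
    if (ok != NULL) {
        *ok = valid;
    }
    return result;
}

/* Stand-alone demonstration using two constructed packets. Only the checked
 * variant is fed the out-of-range packet, so the demo itself stays defined. */
int main(void)
{
    const uint8_t in_range[PKT_MIN_LEN]     = { 0x01U, 0x03U };
    const uint8_t out_of_range[PKT_MIN_LEN] = { 0x01U, 0x20U };
    bool ok = false;

    printf("unchecked, idx 3: %d\n", (int)calib_lookup_unchecked(in_range, PKT_MIN_LEN));
    printf("checked,   idx 3: %d (ok=%d)\n",
           (int)calib_lookup_checked(in_range, PKT_MIN_LEN, &ok), (int)ok);
    printf("checked,  idx 32: %d (ok=%d)\n",
           (int)calib_lookup_checked(out_of_range, PKT_MIN_LEN, &ok), (int)ok);
    return 0;
}
```

The point of keeping the two variants side by side is that the fix is a single comparison; the hard part in a real code base is knowing that a particular subscript is reachable from untrusted input at all, and that is the question a dataflow-based analysis answers and a line-by-line guideline check does not.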

All in all, a great event; I am very much looking forward to EW 2024 in Nuremberg as well as EW 2024 in the USA.