
Do your products contain code from the following sources?

Globally distributed development teams


Third-party software vendors

95%
94%

An outsourced development team


Open source providers

92%
92%

What kind of software is your firm currently producing? Web-based applications 61%

Consumer software
B2B enterprise software 49%

55%

Embedded software
Cloud-based applications

47%
45%

Which of the following most closely reflects your job function?
Software developer, 42%
Development manager, 18%
Software quality assurance (including testing), 11%
Program manager, 8%
Software architect, 7%
Business decision-maker and executives, 5%
Product manager, 5%
Line-of-business manager or executives, 2%
Security testing or security auditing, 2%

Rank the top items that are driving your quality related initiatives

Market leadership Operational excellence Security initiatives Process standardization Improved supply chain management Compliance management: regulatory standards Cost reduction Application modernization Compliance management: internal coding standards Efficiency-related objectives Don't know We're not pursuing these initiatives CMMITQM Competitive pressure

19%
15% 13% 11% 7% 7% 7%

5%
4% 3% 3% 3% 2% 2%

Which of the following are most impacted by software code defects for code produced internally? Customer satisfaction Product release schedule/time-to-market Brand image Company revenues Product uptime Don't have an opinion None of the above 2% 1% 28% 23% 17% 47%
65%

Which of the following factors are incorporated in measuring developer performance (i.e., for bonus, employee evaluation, promotion)?
Customer satisfaction (external or internal customers) Number of critical software flaws left in released code Time-to-market

56%

51%
43% 34% 34% 27%

Average time to remediation for software flaws


Uptime of the application Amount of time testers spent on regression tests Don't know Other

11%
3%

Which of the following factors are incorporated in measuring the success of your development projects?
Customer satisfaction (external or internal customers) Number of escalations due to software defects Reduction in the number of defects from previous release Time-to-market

74%

50%
49% 46% 46% 32%

Number of support calls due to unexpected behaviors


Uptime of the application

Meeting customer SLAs


Reduction of technical debt Don't know Other, please specify

30%
24%

4%
1%

If your developers are being held more accountable today, tell us why
Software issue resulted in a product delay or recall Problems with the software issued impacted my customers' satisfaction
Problems with the software introduced a security vulnerability

49% 46% 38% 36% 22% 7%

Software issue damaged my company's brand Software issue impacted my revenue

Don't know

List the top three means your developers use to achieve their job function (Only top selection shown)
Unit testing

36% 21%

Automated functional and performance testing Manual code review


Automated code testing with static analysis Automated security testing

14% 10%
9% 6%

Compliance audits Coding standard audit or review


Manual pen testing

3% 2%

Rank up to top three issues that are most likely to affect the success of a development project
Scope creep: desire for enhancing feature set Rework due to defects discovered late by QA teams Reacting to defects discovered in the field Time-to-market pressure for the business Eliminating bugs found in development Rework created by exploitable security defects discovered by the security or auditing team Inconsistent standards for code quality and security from development to testing Tracking and addressing third-party code defects We have no significant issues that impact the success of our development projects Other, please specify

27% 22%

14%
10% 10% 8% 4% 2% 1% 1%

Do your products contain code from the following sources? We rarely use 1 2 3 4 We use extensively 5 Don't know/We do not use

Globally distributed development teams in your 7% 6% organization

15%
18%

26%
25%

41%
34%

5%
4%

A single in-house development team 6% 14% Open source providers

17%
19% 12% 0%

11%

13%

25%
17% 15% 22% 50%

25%
20% 16% 75%

8% 8%
6% 100%

An outsourced development team


Third-party software vendors

20% 15% 25%

29%

What methods do you use to determine the integrity (i.e., quality, security, and safety) of the software you receive from your:

Software chain providers


Automated testing in QA (e.g., functional testing, load testing, and unit testing) Automated testing in development

In-house-developed 51%
44% 35% 35% 17% 14%

75%
69% 70% 68%

Risk/security/vulnerability assessment
Manual code review We do not use any mechanism Don't know

4%
2% 9%

14%

We do not receive any software from this type of provider/developer

Once the code is integrated into your working product, who is accountable for the following aspects of the software?

My organization is 100% responsible Software supply chain partners are 100% responsible Mix of both options
Security

50%
48%

9%
14%

40%
38%

Quality Safety
0%

48%
25%

11%
50%

41%
75% 100%

How important is it to you to have visibility into the following issues of software supplied by a third party?

Software performance, 11%


Safety defects, 17%

Security vulnerabilities, 29%

Functional capabilities, 21%

Crash-causing defects, 22%

Respondents who believe visibility into third-party code is more important today than a year ago
LOB manager/business decision-maker and executives/product manager Development/program manager Software developer/software architect Software quality assurance/security testing or auditing

67% 56% 37% 36%

Base: 159 Base: 87 Base: 45 Base: 42

Why is visibility into the software supply chain more important today than it was a year ago?
Increased awareness of the importance of quality, safety, and security of supplied code Issues from the supplied software resulted in product delays or recalls Problems with a software provider led to the introduction of security vulnerabilities Problems with a software provider increased my development integration time Issues from the supplied software impacted my revenue Problems with supplied code led to damage of my corporate brand

56% 47%
44%

42% 42% 32%

Which of the following are true for your firm?


We develop commercial software products or services
We do a fair amount of in-house software development as well as outsourcing

57%
56%

We develop the software components for nonsoftware products (e.g., consumer electronics and/or hardware, etc.) We are a software outsourcer or a software platform provider (i.e., our customers may be development shops themselves)

37% 26%

For which industry are you currently developing software? (Please include your own industry if you do in-house development)
Computer hardware (e.g., storage box, networking equipment) Manufacturing

15% 15%
13%

Financial services
Government Healthcare/life sciences Consumer electronics

Communications, media, and entertainment


Mobile Energy Retail

8% 7% 7% 6% 4% 4% 3% 2% 1%

Automotive
Transportation and hospitality

In which country are you based?
Germany, 10%
France, 11%
UK, 10%
US, 59%
Canada, 10%

Using your best estimate, how many employees work for your firm/organization worldwide?
100 to 499 employees (small to medium), 3%
500 to 999 employees (medium to large), 16%
1,000 to 4,999 employees (large), 28%
5,000 to 19,999 employees (very large), 19%
20,000 or more employees (Global 2000), 33%
