Why now is the time for embedded DevSecOps

For embedded systems teams, DevSecOps has traditionally seemed like an approach better suited to SaaS applications than firmware development. But this is changing. Software is now a primary differentiator in hardware products. New market expectations demand modern development practices. In response, organizations are pursuing "embedded DevSecOps."

What is embedded DevSecOps? The application of collaborative engineering practices, integrated toolchains, and automation for building, testing, and securing software to embedded systems development. Embedded DevSecOps includes necessary adaptations for hardware integration.

Convergence of market forces

Three powerful market forces are converging to compel embedded teams to modernize their development practices.

1. The software-defined product revolution

Products once defined primarily by their hardware are now differentiated by their software capabilities. The software-defined vehicle (SDV) market tells a compelling story in this regard. It's projected to grow from $213.5 billion in 2024 to $1.24 trillion by 2030, a massive 34% compound annual growth rate. The software content in these products is growing considerably. By the end of 2025, the average vehicle is expected to contain 650 million lines of code. Traditional embedded development approaches cannot handle this level of software complexity.

2. Hardware virtualization as a technical enabler

Hardware virtualization is a key technical enabler of embedded DevSecOps. Virtual electronic control units (vECUs), cloud-based ARM CPUs, and sophisticated simulation environments are becoming more prevalent. Virtual hardware allows testing that once required physical hardware.

These virtualization technologies provide a foundation for continuous integration (CI). But their value is fully realized only when integrated into an automated workflow. Combined with collaborative development practices and automated pipelines, virtual testing helps teams detect issues much earlier, when fixes are far less expensive. Without embedded DevSecOps practices and tooling to orchestrate these virtual resources, organizations can't capitalize on the virtualization trend.

3. The competitive and economic reality

Three interrelated forces are reshaping the competitive landscape for embedded development:

• The talent war has shifted decisively. As an embedded systems leader at a GitLab customer explained, “No embedded engineers graduating from college today know legacy tools like Perforce. They know Git. These young engineers will work at a company for six months on legacy tools, then quit.” Companies using outdated tools may lose their engineering future.
• This talent advantage translates into competitive superiority. Tech-forward companies that attract top engineers with modern practices achieve remarkable results. For example, in 2024, SpaceX performed more orbital launches than the rest of the world combined. Tech-forward companies excel at software development and embrace a modern development culture. This, among other things, creates efficiencies that legacy companies struggle to match.
• The rising costs of embedded development — driven by long feedback cycles — create an urgent need for embedded DevSecOps. When developers have to wait weeks to test code on hardware test benches, productivity remains inherently low. Engineers lose context and must switch contexts when results arrive. The problem worsens when defects enter the picture. Bugs become more expensive to fix the later they're discovered. Long feedback cycles magnify this problem in embedded systems.

Organizations are adopting embedded DevSecOps to help combat these challenges.

Priority transformation areas

Based on these market forces, forward-thinking embedded systems leaders are implementing embedded DevSecOps in the following ways.

From hardware bottlenecks to continuous testing

Hardware-testing bottlenecks represent one of the most significant constraints in traditional embedded development. These delays create the unfavorable economics described earlier — when developers wait weeks for hardware access, defect costs spiral. Addressing this challenge requires a multifaceted approach including:

• Automating the orchestration of expensive shared hardware test benches among embedded developers
• Integrating both SIL (Software-in-the-Loop) and HIL (Hardware-in-the-Loop) testing into automated CI pipelines
• Standardizing builds with version-controlled environments

Embedded developers can accomplish this with GitLab's On-Premises Device Cloud, a CI/CD component. Through automating the orchestration of firmware tests on virtual and real hardware, teams are better positioned to reduce feedback cycles from weeks to hours. They also can catch more bugs early on in the software development lifecycle.

Automating compliance and security governance

Embedded systems face strict regulatory requirements. Manual compliance processes are unsustainable. Leading organizations are transforming how they comply with these requirements by:

• Replacing manual workflows with automated compliance frameworks
• Integrating specialized functional safety, security, and code quality tools into automated continuous integration pipelines
• Automating approval workflows, enforcing code reviews, and maintaining audit trails
• Configuring compliance frameworks for specific standards like ISO 26262 or DO-178C

This approach enables greater compliance maturity without additional headcount — turning what was once a burden into a competitive advantage. One leading electric vehicle (EV) manufacturer executes 120,000 CI/CD jobs per day with GitLab, many of which include compliance checks. And they can fix and deploy bug fixes to vehicles within an hour of discovery. This level of scale and speed would be extremely difficult without automated compliance workflows.

Enabling collaborative innovation

Historically, for valid business and technical reasons, embedded developers have largely worked alone at their desks. Collaboration has been limited. Innovative organizations break down these barriers by enabling shared code visibility through integrated source control and CI/CD workflows. These modern practices attract and retain engineers while unlocking innovation that would remain hidden in isolated workflows. As one director of DevOps at a tech-forward automotive manufacturer (a GitLab customer) explains: "It's really critical for us to have a single pane of glass that we can look at and see the statuses. The developers, when they bring a merge request, are aware of the status of a given workflow in order to move as fast as possible." This transparency accelerates innovation, enabling automakers to rapidly iterate on software features that differentiate their vehicles in an increasingly competitive market.

The window of opportunity

Embedded systems leaders have a clear window of opportunity to gain a competitive advantage through DevSecOps adoption. But the window won't stay open forever. Software continues to become the primary differentiator in embedded products, and the gap between leaders and laggards will only widen. Organizations that successfully adopt DevSecOps will reduce costs, accelerate time-to-market, and unlock innovation that differentiates them in the market. The embedded systems leaders of tomorrow are the ones embracing DevSecOps today.

While this article explored why now is the critical time for embedded teams to adopt DevSecOps, you may be wondering about the practical steps to get started. Learn how to put these concepts into action with our guide: 4 ways to accelerate embedded development with GitLab.