
Focus on Safety

Source Code & Firmware Solutions

Today, software controls all important machine and business processes

Informationally and functionally secure software and firmware is a basic prerequisite for reliable, secure and efficient utilisation of business processes, machines and devices.

Indispensable software

Goals of Source Code & Firmware Solutions

The crown jewels of all IT systems

Software development begins with source code - text written in high-level languages that contains the instructions for a programme. Source code therefore defines the functionality of a programme and forms the basis for all IT applications and systems. Every digital tool, every application and every system begins as source code.

Whether operating system or application, software performs specific tasks - from the management of system resources to the execution of user applications. At hardware level, it performs the basic functions of a device as embedded software or firmware.

This results in three main objectives that are typically pursued during programming:

  1. Writing error-free code
  2. Realisation of the design specification
  3. Avoidance of security problems

Code analysis for quality and security management

Whether it's a smart home system, enterprise application or IoT device - code analysis is essential for finding and eliminating errors and vulnerabilities. The analysis can be carried out both at source code level and at binary code level, but the methods have different strengths and areas of application. Source code analysis, known as static application security testing (SAST), examines the source code of software, while binary analysis examines the compiled code.

Static software analysis

If the source code is available, static software analysis is the preferred approach, as it allows potential security vulnerabilities to be identified early in the development phase. It also verifies that the code is written in accordance with defined security standards. This is why source code analysis is also part of high-security testing and certification, such as Common Criteria. Binary analysis, by contrast, can be used to analyse software whose source code is not available. In this way, hidden threats in third-party components and proprietary libraries can be uncovered.

Testing and certification

Automated source code analysis uses tools to identify security vulnerabilities and code errors. It provides fast and consistent results, but it is limited in its ability to recognise complex, context-dependent errors. This is why IT security experts perform manual software reviews, which enable in-depth checks and an assessment of code quality in context. Software testing and certification provides formal confirmation of compliance with standards. This increases trust among customers and business partners and demonstrates compliance with legal and industry-specific requirements. These approaches complement each other and together offer a comprehensive strategy for ensuring software quality and security.

Which path is right for me?

Manufacturers can choose between various standards for having their software and firmware updates tested. This gives them certainty that they fulfil legal requirements. All of these standards focus on trustworthiness, integrity and reliability, but differ in their methods in some areas.


Frequently Asked Questions (FAQ)

What you need to know about firmware solutions

There are currently various evaluation and certification systems, all of which aim to increase the certainty that components and systems offer adequate protection against cybersecurity attacks. However, certification can only address attacks that are known today, with a limited outlook into the future. When examining today's certification systems, one common feature can be identified to mitigate this limitation: the requirement for the product to provide means to fix a security vulnerability at any time, even after successful certification. At first glance, this may sound like a contradiction to security certification, but it is more a reflection of what consumers are already used to: frequent patches distributed to our personal computers on well-planned, regular patch days.

Another observation one can make when comparing today's certification schemes is that they address the security of the product or industry-specific functionalities of the component or system and add the requirement of a (secure) patch mechanism.

However, the reality is often different, especially when considering embedded devices such as integrated circuits (ICs) or system-on-chips (SoCs). Here, in contrast to pure software development, the lead time for wafer production and wafer testing becomes a decisive factor and often forms the bottleneck for time-to-market considerations. It is therefore advantageous to bring forward these time-consuming steps and to have solution-agnostic, universal hardware paired with a universal firmware loader available before the start of solution-specific firmware development. At the same time, decoupling these steps also simplifies logistics on the manufacturer's side.

To address this industry approach, the TÜVIT firmware update evaluation concept presented here only evaluates the patch or firmware update mechanism, regardless of the functionalities for which the component or system is ultimately used.

The certificate is valid for two years.

Certification by TÜVIT provides proof of trust and security vis-à-vis business partners and customers, even though, or especially when, the final use case has not yet been determined.

Yes, in particular there is the option of adapting the depth of evaluation, and therefore the time and costs of the test, to the expected attack potential. Further details can be found in the certification concept.

Absolutely! The concept provides for penetration testing after a prior design and code review. If the TÜVIT experts discover weaknesses at this stage, these are reported to the manufacturer, thus improving both the product and the chances of successful certification.

Basically yes. A secure FW loader is the basis of every secure IT product. Certification methodologies such as the Common Criteria or IEC 62443 therefore justifiably require a security check of these functionalities. When developing the set of criteria, we therefore paid particular attention to the possibility of reuse for a wide variety of applications.
