Mender blog

Over-the-air (OTA) software updates: Build vs. buy

So, your team has established the need for an over-the-air (OTA) software update manager for the Internet-of-Things (IoT) product you plan to launch next quarter. Now, should you build it yourself in-house? Think twice!

The total cost of ownership (TCO) for an OTA software deployment manager includes many direct and indirect costs over the product life cycle, but TCO is only part of what needs to be considered when deciding whether to build or buy an OTA update solution. In the previous post, we quantified the economic value of build versus buy. In this post, we look at other key factors you should consider when making a decision.

In-house competencies and resources

An end-to-end OTA update manager requires competencies in embedded hardware, software, connectivity, security, microservices architecture and cloud infrastructure. Getting all the needed resources under one roof to launch an IoT product with a secure OTA implementation is a challenging endeavor for enterprises because, for the most part, these different pieces of the puzzle do not align with the company's core product and business logic. Investing in the different parts of the IoT ecosystem by building homegrown solutions will not make much business sense for such a company.

Research from the Microsoft Azure IoT Signals report indicates that two in three organizations outsource at least a part of their IoT deployment implementation, and only 38% of decision makers and developers surveyed say they build and implement homegrown solutions. The report further indicates that those who choose to outsource IoT implementation realize greater benefits from the technology: more outsourcers see increased efficiency compared to those who don't outsource. Almost a third of enterprises find it too complex to implement an entire IoT initiative in-house because of the business transformation that's needed to do so.

IoT security

IoT security threats differ from those in traditional IT environments such as servers, laptops, desktop computers and mobile devices. In IoT, data protection concerns still exist, but the concerns mainly extend further into the physical world, most often at large scale and with heavy reliance on battery power and wireless connectivity, where an interruption in operations can cause millions of dollars of damage within a short period of time. It is therefore inherently harder to secure IoT devices than other environments.

To keep IoT devices secure, they must be updated frequently with the latest software and security patches. Remote software updates, if implemented poorly, can add attack vectors on top of existing device vulnerabilities. Minimizing the security threats related to software update systems requires a secure update process with preventive strategies against a number of potential attack vectors. Enterprises that develop and implement their own OTA solution will most likely end up with a mediocre solution and compromise on security and robustness.


Deploying OTA updates to thousands of devices scattered globally requires a different approach than updating a handful of devices at the proof-of-concept (PoC) stage. The transition from PoC to a large-scale, globally scattered production roll-out can only be successful if scalability is tested and planned for from the inception of product development.

Scaling an IoT project requires a mix of key components, including a remote end-to-end fleet management infrastructure, an intuitive user interface with fast response times, and automation that reduces manual tasks and with them the likelihood of human errors, which introduce security and operational risks.

Added complexity to core product development

Most homegrown device management solutions are a collection of “point solutions” that cater to different use cases in IoT device lifecycle management: configuration, OTA updates, troubleshooting, and monitoring. Pulling these “point solutions” together into a single, secure and robust solution can add complexity unrelated to your core product, causing longer time-to-market as well as the need to hire a team with core expertise in each part of the architecture, all factors that increase TCO.

Development, maintenance and support

A typical pitfall of homegrown OTA solutions is a lack of extensibility that hinders meeting future needs. Once the next generation of hardware, software and new products is developed, “retrofitting” the existing homegrown solution is challenging and sometimes not feasible, so yet another version of the homegrown solution needs to be developed and maintained. Larger companies typically end up with more than a handful of homegrown solutions, leading to a dispersed and diverging fleet management situation.

The high initial costs of a homegrown update manager come from the development needed to tailor it to specific product requirements. When this development is complete, the costs become improvement- and maintenance-related. When the business decides to release a new product or new hardware, there will again be significant development costs to support the new product and hardware requirements. Given a product's release cycles, the costs will be ongoing.

Integration with existing infrastructure

If you choose to outsource your OTA and device management, you should avoid lock-in solutions. You should have the flexibility to integrate with your existing CI/CD pipeline through a 100% API-driven solution, and to choose your server infrastructure (hosted vs. self-managed), operating system distribution and hardware platform, from prototyping to mass production.


Spending time and resources building a homegrown OTA solution can divert engineering teams' focus from building the core features of a product and can lead to a mediocre OTA software manager with devices at risk of being hacked or bricked. In addition, the complexity of product development increases, which can jeopardize time-to-market and product release launches. Adding it all up, together with managing the backend server infrastructure, support and maintenance, the cost can go up to hundreds and thousands of dollars. Organizations can benefit immensely from outsourcing their OTA and device management solution and leaving it to experts to provide this piece of the puzzle in their overall IoT deployment plans.
