Synopsys Helps CEVA Deliver on Its Commitment to Secure and Quality Connected Devices

Publisher: EE小广播 | Latest update time: 2023-07-27 | Source: EEWORLD

Devices are becoming increasingly intelligent, automated and interconnected. To protect user privacy and promote the steady development of the industry, different industries have formulated corresponding standards, and manufacturers of interconnected devices need to follow those standards to ensure the quality and security of their products. Synopsys, with its mature and comprehensive application security testing solutions, helps many IoT and related companies around the world develop trusted interconnected devices at a speed that meets business needs, and CEVA is one of them.


Challenge: Enforce coding standards and reduce license risk


CEVA is a leading licensor of wireless connectivity and smart sensing technologies and co-creation solutions for a smarter, more secure and connected world. Many of the world's leading semiconductor system companies and OEMs use CEVA's IP to develop power-efficient, intelligent, secure and connected devices for a variety of end markets including mobile, consumer, automotive, robotics, industrial, aerospace and defense, and the Internet of Things (IoT).


Ori Leibovich, DevOps/Real-time Development Manager at CEVA, faces a dual challenge: enforcing coding standards more efficiently while reducing license-related risks. Recently, while helping the automotive industry increase processing power in system-on-chip (SoC) designs, Ori Leibovich found that CEVA's security program needed to meet the strict security requirements of the automotive industry. What's more, he pointed out that "CEVA's software development has increased rapidly in recent months," making it particularly critical to have an automation solution that can keep up with the increase in development speed.


With a mature security program in place, CEVA needed a solution that could fit seamlessly into existing development activities and tools, and that would support current security efforts without slowing down or overcomplicating existing initiatives.

Ori Leibovich's eagerness to achieve automotive industry safety certifications led him to a two-pronged upgrade of CEVA's security program: the deployment of powerful static application security testing (SAST) and software composition analysis (SCA) tools.


Solution: Synopsys Black Duck SCA and Coverity SAST


CEVA chose to incorporate Black Duck® SCA and Coverity® SAST into its existing development pipeline. Black Duck's automated policy management solution enables teams to easily predefine policies for open source code usage, security risks and license compliance while automating their enforcement throughout the software development lifecycle (SDLC), all using developers' existing tools. Synopsys Coverity is a fast, accurate, and highly scalable SAST solution that enables development and security teams to easily address security and quality defects early in the SDLC. They can easily track and manage risks across their entire application portfolio and ensure compliance with security and coding standards.


Ori Leibovich noted that his team "is growing rapidly. Therefore, we believe that an automated detection tool for open source code is essential to avoid legal issues." CEVA deployed Synopsys Black Duck to an environment covering approximately 400 developers and hundreds of thousands of lines of code, and began running Black Duck scans on a weekly basis. Black Duck's seamless integration with existing pipelines enables CEVA to easily add it to existing security activities and allow it to identify all open source code in the software. According to him, after verification, CEVA believes that all other SCA tools on the market "cannot achieve this level of inspection."


The automotive industry's ISO 26262 ASIL-B standard and ISO 9001 quality/reliability standards present CEVA with very specific safety requirements. ASIL is a risk classification system defined by the ISO 26262 standard specifically for functional safety of road vehicles. The standard expects vehicles to be "free of unreasonable risk", which extends to the quality of the application code that operates the vehicle. Similarly, ISO 9001 requires companies to adhere to high standards of integrity and quality; companies must be able to demonstrate their ability to consistently deliver products that meet regulatory requirements. As a trusted industry leader, CEVA wanted to quickly ensure and demonstrate its ability to meet all requirements and continue to provide the highest quality products and solutions, including processors, sensor hubs and digital signal processors.


"After examining several tools, we found Coverity to be the easiest to integrate into our CI/CD pipeline and to use with our internally developed compiler," said Ori Leibovich. With Coverity, CEVA can now fully track and manage compliance, ensuring that a wide range of security, quality and data protection standards are met.


Results: Easier compliance and reduced risk


Complying with industry standards and regulations can be daunting. As development speeds up, it becomes increasingly difficult to discover and identify code and ensure its quality and security. Deciding what to do about discovered non-compliance can be even more difficult.


Coverity allows developers to easily filter discovered issues by category, view trend reports, prioritize vulnerability fixes based on severity, and most importantly, manage policy compliance across teams and projects.


CEVA quickly integrated Coverity into its CI/CD process and then demonstrated that it met industry regulatory requirements. Ori Leibovich found that Coverity "improved code quality and security," helped "find defects with low false positive rates" and "enforced coding standards such as MISRA C and AUTOSAR C++." Best of all, Coverity was easily "integrated with internally developed compilers," meaning that existing development activities were not disrupted by this new addition.


Without a complete view of the code in the application portfolio, especially open source code, enterprises will face security, license compliance and code quality risks. Licensing violations can expose enterprises to costly litigation or damage their valuable intellectual property.


Black Duck helps CEVA eliminate license compliance risks from its development environment. After reviewing several tools, CEVA found Black Duck to be the easiest to integrate, the least disruptive to its thriving security program, and the most immediate. Ori Leibovich said Black Duck "integrated open source code identification and management capabilities into our SDLC" and helped "identify the open source licenses we are using," all of which are key activities that help minimize the risk of license violations.


Synopsys has helped CEVA strengthen its security efforts and helped its solutions meet their security and quality commitments. By strengthening security and compliance efforts, CEVA has increased customer confidence in its products. Speaking about the company's latest security posture, Ori Leibovich pointed out, "CEVA works strictly in accordance with security protocols and has no conflicts with customers due to the use of open source code. We can show that these codes are analyzed by static analysis tools, so the company has better quality software. We can also prove to customers that CEVA is working strictly in accordance with security protocols."


Synopsys' Coverity and Black Duck scanning tools can now be automatically initiated in CEVA's development pipeline and provide developers and managers with detailed reports so they can ensure security and compliance. This frees up development teams to focus on their core business of developing industry-leading processor and platform IP solutions, which is what they excel at.

