eLeapPower

Starting Left: How eLeapPower supports continuous innovation in SAST

Company: eLeapPower^® eLeapPower, an early growth-stage technology company focused on Electric Vehicle (EV) charging and powertrain technology.

The Challenge: Finding a scalable Static Application Security Testing (SAST) solution to support a lean team of experienced software engineers as they innovate new solutions while adhering to strict software cybersecurity and functional safety requirements in the auto industry.

Solution: CodeSecure’s CodeSonar Static Application Security Testing integrated into the CI/CD pipeline that scans developer changes and new builds in a real-time feedback loop while in compliance with cybersecurity standards and auto industry safety requirements.

Software Driven Mission

eLeapPower is an automotive Tier-1 and Tier-2 supplier that develops advanced electric powertrain and charging systems for Electric Vehicle (EV) manufacturers. Based in Toronto with an additional engineering office in China, eLeapPower’s core mission is to deliver innovative solutions together with their partners to help accelerate the adoption of EVs globally. eLeapPower’s software-driven technology focuses on the integration of several separate vehicle systems (e.g.,on-board chargers, traction inverters, and DC-DC converters) into tightly coupled units that maximize performance while reducing weight, physical volume, and cost. Their propulsion solutions are at the A-sample phase with early adopters. They are particularly suited to electric van, truck, and bus fleets, as well as personal EVs.

“The interesting part for me is that our product takes two or three major, expensive components of an EV and combines them into one through clever reuse of the existing circuit elements combined with advanced control
algorithms, ” says Felix van Oost, senior software engineer at eLeapPower. “Proving that this idea can work, and that our technology is viable in a lab context normally takes a lot of time – even with a much bigger organization – and we’ve been able to take action quickly in part because of tools like CodeSonar that provide us with instant feedback to support our iterative development cycle.”

A Lean Team and a Fast-Moving Pipeline

To say that development is moving quickly at this innovative startup would be an understatement. In just under two years, eLeapPower has filed 50 new patents, while its technology is currently at the “A- and B-sample and Pilot stages” in automotive industry lingo. That means the team is constantly testing, updating, changing, and building new software components and pushing it out as firmware for further testing.

Most of this development is handled by a small team of software engineers located in the Toronto headquarters; but there are plans to expand development to eLeapPower’s team in its China office as business in that region grows.

The company’s founders and engineers have extensive background and brain trust in automotive system engineering. Felix, who reports to the CTO, is skilled and experienced in power electronics, motor control, and embedded firmware in the context of electric mobility and smart grid infrastructure, for example.

Starting Left on Standards and Requirements

Because of this background, the team knew that, before starting any development, they needed to engineer their products to meet cybersecurity software standards and functional safety requirements put forth by the auto industry. So, they started left by searching for a SAST solution before code development began—one that could keep up with their developers without slowing down innovation.

The team has since set up an infrastructure environment that allows them to use containers and CI/CD tooling to rapidly develop new features, keep up to date with the latest toolchain releases, and enable new hires to get their local development environment set up in hours instead of days. Felix assigned oversight for SAST selection to eLeapPower’s engineering intern, Mingye Chen. Mingye immediately set about gathering requirements. One of the most difficult to meet, he soon found out, was that their development team was so small they couldn’t license the minimum number of seats that most SAST vendors required. As such, many of the SAST vendors rejected them outright.

Of those that would take on a small customer like eLeapPower, the SAST solution needed to provide testing against several auto industry standards out of the box, without additional configuration on eLeapPower’s part. This bled into their requirement for ease of use and setup.

“Since we’re such a small team, ease of use for a static analysis tool was a big consideration. We also tested how easy the tool is to setup, generate reports, and sift through them, ”Mingye notes. “It also needed to keep up with our development cycle. We are in the R&D stage, which means we’re frequently changing target hardware and have multiple projects going on at the same time.”

Specifically, their list of requirements included:

• Out-of-box testing for compliance with MISRA C, and AUTOSAR C++ coding standards, along with CERT C
• Documentation that the SAST product met ISO26262 functional safety requirements
• Operate in Docker containers where their developers collaborate
• Integrate into their GitLab source control and DevOps tool
• Support a small team, and scale in testing volume, licensing, and user support as eLeapPower and its development team grow
• Maintain a thorough, current database of vulnerabilities to test against
• Setup and deploy easily, with a responsive product support team and accessible product knowledge base for troubleshooting

“We looked at all the static analysis tools on the market, making sure that the tool we picked was right for us, ” says Felix. “CodeSonar ended up at the top of our list and CodeSecure made the whole process very easy for us.”

Benefits: Visbility, Centralized Collboration, Version Control and More

Testing and meeting auto-industry standards out of the box is a big help to this busy developer group, providing full visibility into vulnerabilities, even in the case of overlapping developer changes, say Mingye and Felix.

“With the CodeSonar hub, we’re able to track certain elements of our software quality and standards compliance over time,” Felix explains. “We can quickly find any problem areas in our code, triage them, and resolve them before deployment”.

Mingye also praises how easy CodeSonar was to integrate into their CI pipeline without requiring any infrastructure changes. “One of the biggest strengths we saw in CodeSonar was its support for Docker containerization, which made deployment on our machines very easy and helps streamline the on-boarding process for new hires. Another thing was how easy it integrated with our existing infrastructure, GitLab. Every time we run our CI pipeline, GitLab parses the reports that CodeSonar generates and displays a summary of the results in our merge requests.”

The other big win was around licensing. As a small team, finding automotive-industry certified SAST tool to buy in small quantities was difficult. Most vendors want a minimum of ten to thirty seats and multi-year commitments upfront, Felix explains. “Some companies wouldn’t talk to us because we were so small. But CodeSecure has very reasonable minimums with competitive pricing to begin with.”

They also praise CodeSecure’s responsive support team and accessible product knowledge base, which Felix says stood out from the hard-to- search manuals provided by some of the other SAST vendors. CodeSonar’s knowledge base is frequently updated, and usually helps them find a resolution to their inquiries within ten minutes or less.

“Our team is so small we don’t have a lot of time to dedicate to optimizing every aspect of every tool we use. We have to manage software development, DevOps, our toolchain, and so on, ” Felix explains. “It was important for us to get started quickly, which CodeSonar did better than other tools we evaluated. It’s important to maximize how we detect certain warnings so that we could quickly do analyses. And we are confident CodeSonar can keep up as we grow and scale.”