About the Coverity Security Research Lab

We're a small, focused security research team located in San Francisco, California.

Andy Chou

SRL Emeritus

Andy spent four years hacking through an undergraduate degree in EECS at UC Berkeley and got sick of debugging his own code. He spent the next four years at Stanford researching ways to automatically detect bugs in code by leveraging compilers. After completing his PhD in 2003, Andy cofounded Coverity to commercialize this work. Now, he enjoys sailing the ocean seas after Synopsys successfully acquired Coverity in 2014.

Romain Gaucher

Le codeur

Romain is a Security Research Architect at Coverity, where he focuses on improving the detection of security weaknesses using program analysis. Prior to joining Coverity, Romain was a Senior Security Consultant at Cigital, where he was responsible for leading and delivering secure code review, penetration testing, threat modeling, and architecture risk analysis. Romain is a frequent contributor to the security community, an officer at the Web Application Security Consortium (WASC), and a board member of OWASP France. He has spoken at conferences such as RSA, CSI, and PLDI. He holds an M.Sc. degree in Applied Mathematics and Computer Science from the University of Clermont-Ferrand, France.

Jon Passki


Jon is a Lead Security Researcher within the Coverity Security Research Laboratory with over 13 years of experience in application security. At Coverity, Jon works on improving web application framework understanding, static analysis coverage, researching new security checkers, and accurate remediation advice generation. Previously, Jon performed mobile and web application assessments, code review, and architecture risk analysis for Fortune 500 companies. Prior to joining Coverity, Jon was a Principal Application Security Engineer at Aspect Security. Jon is an active member of OWASP and a previous OWASP NYC chapter leader.

Ian Haken

Bytecode Inspector

Ian is a Security Researcher at Coverity with over 7 years of experience developing Java web applications. His background includes the production of secure software such as PCI-compliant applications and financial trading platforms. His work at Coverity includes the research and development of new tools, methods, and checkers for security analysis. Prior to working at Coverity, he received his Ph.D. in mathematics from the University of California, Berkeley, where his research focused on computability theory and algorithmic information theory.

David Lindsay

Code Obfuscator

David is a Security Researcher at Coverity with over 11 years of experience in the application security space. Within Coverity's Security Research Laboratory, David researches development frameworks and security vulnerabilities in order to improve Coverity's state-of-the-art analysis techniques. Prior to joining Coverity, he worked as a Security Engineer with Intuit, and as a Senior Security Consultant and Director of Penetration Testing with Coverity. His focus has been on web security, obfuscation techniques, threat modeling, and secure software development best practices. David originally graduated from the University of Utah in 2005 with a master's degree in mathematics.

Guest Bloggers

Eric Lippert

Specification Lawyer

Eric Lippert develops C# analyzers at Coverity. During his sixteen years at Microsoft he was a developer of the Visual Basic, VBScript, JScript and C# compilers and a member of the C# language design committee; he is now a C# MVP. He is on Twitter at "@ericlippert" and writes a blog about programming language design and other fabulous adventures in coding at http://ericlippert.com.