Coverity Announces Formation of Security Research Laboratory

Coverity, the leader in development testing, announced today the formation of the Coverity Security Research Laboratory (SRL) as part of the Office of the Chief Technology Officer (CTO). The Coverity SRL will remain on the cutting edge of security vulnerability research, investigating and uncovering the root cause of new and existing vulnerability-causing defects that exist in software code. This knowledge will be built into the Coverity technology portfolio to better enable organizations to build security into the development process. The SRL has a unique combination of deep industry expertise, including security assessment and development leaders from Barclays, Cigital, Accuvant LABS, IBM Internet Security Systems, Imperva, and Tablus (now RSA, the security division of EMC), working side-by-side with technology experts from the top computer science Ph.D. programs, including Stanford and UC Berkeley. The SRL will be led by veteran information security researchers Chris Valasek and Romain Gaucher.

“Software is constantly under attack by hackers looking to profit from stealing sensitive information or take down entire systems, but most security research is approached from looking from the outside in, or how to break into a system or application,” said Coverity Co-Founder and CTO Andy Chou. “The Coverity Security Research Laboratory is taking a ‘defender’ approach by looking from the inside out, starting with the code itself. Our mission is to help companies developing software effectively build more secure software from the beginning, and our research team will help organizations understand the root cause of software defects that could lead to major security events.”

Prior to Coverity, Chris Valasek was a Senior Research Scientist at Accuvant LABS and IBM Internet Security Systems. His research spans vulnerability discovery, exploitation techniques, and reverse engineering, and is a frequent contributor of public disclosures to the broader security community. Valasek is best known for his publications regarding the Microsoft Windows Heap and has presented his research at major international security conferences including Black Hat USA and Europe, ekoparty, INFILTRATE, and RSA.

Romain Gaucher was a senior security consultant at Cigital prior to Coverity, responsible for leading and delivering secure code review, penetration testing, threat modeling, and architecture risk analysis. He led the development of Cigital Assessment Lab, becoming the technical lead and research coordinator. Gaucher is a co-author of the Software Assurance Findings Expression Schema, a contributor to MITRE’s Common Attack Patterns and Enumeration Classification, a committee member for the National Institute of Standards and Technology, and a board member of the Open Web Application Security Project, France.

Resources

  • Attend Chris Valasek’s talk on browser security at RSA 2012. Session HT2-304 on Thursday, March 1 at 1:00 PM.
  • Read more about the Coverity Security Research Laboratory on the Software Integrity Blog