Andy Chou is the co-founder and chief technology officer of Coverity, a development testing company. Prior to co-founding Coverity, Andy was instrumental in developing the core intellectual property behind the Coverity platform while earning his Ph.D. in computer science from Stanford University. He has also developed key innovations in Coverity’s industry-leading static analysis technology, and he holds a B.S. in electrical engineering and computer science from the University of California, Berkeley.
Sramana Mitra: Andy, tell us a bit about yourself and the genesis of Coverity.
Andy Chou: Back in 1999, I was a Ph.D. student at Stanford University studying computer science. I was researching methods to improve software quality and software security. It was an area I felt was worth my time. I felt that at that time, the profession I had chosen, being a developer, had a bad reputation. A lot of software was out there that was very poor, and I wanted to work on that problem.
I found a professor, Dawson Engler, who was interested in solving this problem as well and wanted to make a dent in it. Along with four of us students, he formed a research team that took some grant money from DARPA intended for something completely different and repurposed it to work on this project. We did it on the side really cheap. Our vision was to build an analysis that could be extended to allow people to find defects in their software code without having to run tests and do a lot of work.
We started off by building something that could analyze the Linux kernel. We were hacking on this for a long time and built a prototype over several months. We were working on the prototype to get results for a paper we wanted to publish, and a week before the paper was due we had nothing. We had no results, prototype, or even a draft of the paper. It was really crunch time, and Dawson was a new professor going after tenure. That weekend we spent the entire weekend hacking on the project, focusing only on the Linux kernel. We found thousands of defects in the kernel in a matter of days.
Sramana Mitra: Did you find those defects by hand or with a software tool?
Andy Chou: We finished our software prototype that weekend and ran it for the first time on that code base. We were shocked at how many we found. After we found them, we verified our findings with the Linux kernel developers. They responded and verified that we had found problems that required fixing. We ended up publishing that paper and won the Best Paper award at the prestigious Operating Systems Conference in 2000.
That paper really got the interest of a fair number of people from the industry. We started getting a lot of inbound inquiries from industry thought leaders. These were people who read academic journals and who had been to graduate school. They were VPs of engineering or very senior developers. They wanted to get access to the code base because they felt it was valuable. Being researchers, we had no intention of starting a company, so we pushed them all off and continued to do our research.
For the next four years we published more papers about how to extend the technology to do even more. We showed how to find even more defects, how to find different types of defects, and how to figure out the core technology. We built a platform over the four years we were in graduate school.