Engineer in Computer Science and Applied Mathematics
Security Research - Program Analysis - Security Testing

Romain Gaucher

Contact : |
Other: Linkedin:En, @rgaucher, github

Professional experience

  • Oct. 2012 - present, Lead Security Researcher, Coverity
    Lead of the security research lab at Coverity. More here: Coverity SRL. My goal is to improve our overall support and understanding of security, as well as spearheading projects. My interests are in program analysis for security, and how to make the developer's life easier.

  • Dec. 2011 - Sept. 2012, Senior Security Researcher, Coverity

    Working in kick-ass program analysis capabilities for security defects detection. Want to know more? Wait for the next releases of Coverity static analysis.

  • Nov. 2008 - Nov. 2011, Senior Software security consultant, Cigital Inc.
    Security consultant until August 2010.

    As a Senior Consultant, Romain led the development of the security assessment lab within Cigital. Now that the assessment lab is operational, Romain provides technical and research leadership to security analysts by taking on the following roles:
    • Technical Lead for multiple ongoing assessments. Provide guidance and technical expertise to analysts in the assessment lab.
    • Client Coordinator interacting with clients to ensure projects run efficiently and smoothly. Interface between the clients and the assessment lab analysts for project coordination.
    • Research Coordinator for all analysts of the lab. Develop and coordinate new research topics and tools such as binary analysis, static analysis tools, and hybrid analysis in the assessment lab. Romain is also a principal contributor to the research within the lab.

    Romain worked on projects which cover the entire spectrum of software security testing including:
    • Manual penetration testing. Romain has a wide experience in penetration testing on different platforms and software. Romain has executed and led penetration tests on thick clients (from games under Windows to anti-virus under Mac OS X), mobile applications (iOS, BlackBerry and Android platforms), web services, and web applications.
    • Architecture risk analysis. Romain analyzed solutions, which include real-time trading systems, cloud-based services, etc.
    • Manual and automated code review on small to very large applications. Romain has a reviewed source code for Fortune 500 customers, deployed static analysis tools across a nationwide bank network, and provide guidance to development teams on software weaknesses and remediation.

    Romain also authored security knowledge standards such as attack patterns (CAPEC), and co-authored the Software Assurance Findings Expression Schema (SAFES).

  • May 2006 - Sept. 2008, Computer Security Scientist, NIST

    Study the impact of the static analysis tools (source code analysis) such as Coverity, Klockwork K7, Fortify SCA, etc., contribute to the SAMATE Reference Dataset, study tools behavior on source code variations (creation of PHP source manipulation and metrics computing PHP-Ast/Oracle).
    Work on the evaluation methodologies of Web Application Scanners such as Acunetix WVS, Cenzic Hailstorm, Watchfire AppScan, HP WebInspect, Parosproxy etc. (creation of a proof-of-concept minimum bar web apps scanner/hybrid tool: Grabber).
    Co-organizing the NIST Static Analysis Tool Exposition (SATE) 2008.
    Development of various websites: SAMATE Reference Dataset, SATE 2008's

    Expertise: Web Applications Security, Source Code Security, Static Analysis Tools, Web Apps Scanners, C, C++, Python, PHP, MySQL

  • April 2005 - Sept. 2005, Data-Mining/Computer Scientist, GERAD

    I worked on automatic generation of conjectures and theorems for the graph theory. I developed software in C++ with Qt and XML: "database on graph theory information", "automatic generation/refutation of conjectures and theorems" and "generation of a dissimilarity matrix".
    I did this internship under the direction of Pierre Hansen and Gilles Caporossi from the Group for Research in Decision Analysis (GERAD), HEC, Montréal, Québec, Canada.

    Expertise: C++, Python, Qt 3.3/4.0, GiNaC, Graph theory, Data-Mining, Rules generation

Community Projects

Recent papers/publications/talks

  • R. Gaucher, Why haven't we stamped out XSS and SQLi yet?, RSA 2013
  • V. Okun, R. Gaucher and Paul E. Black, "Static Analysis Tool Exposition (SATE) 2008", U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 500-279, June, 2009
  • R. Gaucher, "Automated tools for security, the challenge 2.0?", Presentation, CSI 2008, Web 2.0 Summit, Nobember 18, 2008, Washington DC, USA.
  • R. Gaucher, "SATE 2008: Automated Evaluation", Presentation, PLDI 2008, Static Analysis Workshop, June 12, 2008, Tucson, AZ, USA.
  • R. Gaucher, "Web Application Security Scanners: Problems and Solutions for testing the tools", Presentation, DHS Software Assurance Working Groups Session, Jan 31, 2008, Virignia, USA.
  • R. Gaucher and E. Dalci, "Web Application Security Scanners: Building a test suite for the tools", Presentation, HICSS-41 Conference (IEEE), Jan 6, 2008, Hawaii, USA.
  • E. Fong, R. Gaucher, V. Okun, E. Dalci and P. Black, "Building a Test Suite for Web Application Scanners", in Proceedings of HICSS-41 Conference (IEEE), Jan 7-10, 2008, Hawaii, USA.
  • E. Fong and R. Gaucher, "Testing web application scanner tools", Presentation, Verify Conference 2007, Oct 30, 2007, USA.
  • V. Okun, W. Guthrie, R. Gaucher and P. Black, "Effect of Static Analysis Tools on Software Security: Preliminary Investigation", in Proceedings of 3nd International Workshop on Quality of protection (QoP 2007) Conference, Oct 29, 2007, Alexandria VA, USA.
  • P Black, E. Fong, V. Okun and R. Gaucher, "Software Assurance Tools: Web Application Security Scanner, Functional Specification Version 1.0", NIST Special Publication 500-269, Aug. 29, 2007, USA.
  • M. Koo, R. Gaucher and V. Okun "Source Code Security Analysis Tool: Test Plan", NIST Special Publication 500-270, March. 9, 2007, USA.

General computer skills

  • Languages: C, C++, PHP, FORTRAN, Java, Python, C#, assembly x86/68000/SSE2, Scheme, PROLOG, LaTeX
  • Web development: XHTML, CSS, PHP, Python, MySQL, XML, XSLT, JavaScript, Ajax techniques
  • Others: Operational Research, Data-Mining, Finites Elements Methods, Nokia Qt4 and PyQt/PySide, Parallelism (OpenMP and MPI), OpenGL programming, Constraint programming, Simulation, Modeling and Mathematics


  • 2003-2006: Graduate from ISIMA (Master degree) grad school. Speciality in modeling and applied mathematics.
    Clermont-Ferrand, France (ISIMA Website). Final year thesis work: A least squares cluster wise regression heuristic using Variable Neighborhood Search (VNS).
  • 2000-2003: Classes préparatoires (specific advanced classes: maths, physics and electronics) at Troyes, France.
  • 2000: Baccalauréat in electronics at Troyes, France
  • French: Native
  • English: Fluent
  • German: Working knowledge


  • 2007/2008, webmaster of the Guest Researcher website:
  • 2005/2006, VP of the Alumni association at ISIMA, in charge of the ceremony
  • 2005, organizer of the integration weekend for freshman
  • 2004/2005, webmaster of the student association website:
  • Sports: Golf, Rugby (Used to be a member of the ISIMA team), Squash, Tennis, Mountain-bike, Foosball.


  • Professor at HEC Montréal. Holder of the Data Mining Chair at HEC Montréal. Member of the Group for Research in Decision Analysis (GERAD).
    Mr. Hansen Pierre.Hansen _AT_ hec _DOT_ ca + 514 340 6486
    HEC Montréal, 3000, Chemin de la Côte-Sainte-Catherine, H3T 2A7 Montréal (Québec), Canada.

  • Professor at ISIMA Clermont-Ferrand. In charge of speciality: Development, Optimization and Graph Theory
    Mr. Duhamel Christophe.Duhamel _AT_ isima _DOT_ fr +33 473 405 037 ISIMA, Campus Universitaire des Cézeaux, BP 125 63173 AUBIERE Cedex, France.