Andreas Kuehlmann is the general manager of what is officially now known as the Software Integrity Group of Synopsys, what you might think of as Coverity although they have made some acquisitions too, so they now have a broader technology base. I sat down to talk to him last week.
He was brought up in Germany and came to the US in 1991 to join the IBM TJ Watson Research Center. He was involved with high level synthesis and worked on equivalence verification, in time enabling IBM’s custom verification.
In 2000 he joined the Cadence Berkeley Labs (which was where I think I first met him since I was at Cadence at the time). In 2003 Andreas was promoted to being in charge of running the labs. In 2010 he joined Coverity as the VP of R&D. Funnily enough he had also become the president of IEEE Council on Electronic Design Automation (CEDA) so he became president of CEDA just before leaving design automation! Since 2002 he has also been an adjunct professor at Berkeley.
Coverity was acquired by Synopsys and in May of this year Andreas was appointed GM of the Software Integrity Group. Despite being part of Synopsys, Andreas emphasized that their business is not EDA. They are serving the software industry which is much larger than semiconductor. To give you an idea, there are about 100,000 design engineers, 1M embedded software engineers and 10+M software engineers total growing 10% per year.
A year ago they acquired a small startup in France which manages software test execution, finding which tests need to be run when a change is made. Recently, they added two acquisitions in the area ofdynamic security testing, complementing the static analysis approach used by the Coverity technology. So these acquisitions add dynamic analysis.
The mission of the group is to make software development a more mature process. There is a great diversity in the maturity level companies apply to software development and many don’t use modern methodologies. In chip design you don’t get to “run” the code by taping out the chip, so if you don’t use modern methodologies you don’t get working chips. Software development is not like that and quality and security suffers as a result.
What is needed is a more general approach like we use in hardware design with a combination of different approaches. Static analysis under the hood uses some of the same technology as formal verification but there is no code reused, you can’t just yank out some Synopsys product and make a software version. Some Synopsys products in the system space, such as virtual platforms, are also involved in embedded software, where there is a much stronger awareness of the disciplined approach since they see what the IC designers do day-to-day.
Embedded software is simply any software that runs in a box: a car, a washing-machine, a router. It is not small scale. There is a lot of code in your smartphone as you probably know, although that is a lot less mission critical than your car.
In the IC world, the tool investment is $50-100K per engineer. In the software world it is more like $10-12K. This will change. Software development is a labor-intensive process and with modern tools it can be done much better. It makes no sense to pay a software engineer $150K/year and then not give him or her good tools, any more than it makes sense with an IC designer.
I asked Andreas about open source competitors? He says they are inferior. Anything with high algorithmic content is hard to develop using open source projects because it depends on deep expertise not just manpower. It really doesn’t make any more sense for a software engineer to write their own C++ static analysis than it does for a design engineer to write their own static timing analysis. Apart from the opportunity cost, they almost certainly don’t know how to do it.
Having said that, they are involved with the open source community. They have scan.coverity.com which allows open source projects to use the Coverity technology for free. It has been applied to several thousand projects already. And they have found their share of bugs, even in some high profile projects like Linux and Apache (the webserver, not the EDA company).