Johannes Späth

Johannes Späth

(Open to new opportunities)

Previously R&D Director

Certora Ltd

About

Computer scientist, mathematician and engineer with 12 years of experience spanning academic research, startup founding, and technical leadership. Specializes in program analysis, formal verification, and software security, with a track record of translating deep theoretical work into production tools and commercial products.

During my PhD I developed highly precise and efficient static data-flow and pointer analysis algorithms (Boomerang, IDEal, Synchronized Pushdown Systems). Since then, I’ve carried that research into industry: building static analysis tooling at Fraunhofer, founding CodeShield to tackle cloud IAM security, and, until recently, pushing the limits of formal verification as R&D Director at Certora.

My current personal interest is in foundational computer science and interactive theorem proving with Lean.

Education

PhD in Computer Science (Dr. rer. nat.)

Paderborn University

Master of Science in Mathematics with Specialisation in Computer Science

Technical University of Darmstadt

Bachelor of Science in Mathematics

Johannes Gutenberg University of Mainz

Interests

Program Analysis Formal Verification Software Security Pointer & Data-Flow Analysis Cryptography Theorem Proving

Experience

R&D Director (since Dec 2023, initially hired as Senior Software Engineer)

Certora Ltd

Certora provides security audits and automated formal verification for web3 protocols. With the “Prover”, Certora builds a product that uses SMT solvers to mathematically verify the implementation of smart contracts.

  • Leading a teams of compiler and software engineers to enhance the Prover across different blockchain ecosystems (Ethereum, Stellar, Solana)
  • Contributed to the Prover and to Certora’s specification language (CVL and CVLR): added support for strong invariant logic, lifted LLVM debug information to present counterexamples in IDEs, implemented a program interpreter over the IR, and worked on LLM-based spec generation
  • Delivered hands-on Certora Prover workshops at TrustX 2023 (Istanbul) and Meridian 2024 (London), introducing developers to formal verification techniques for smart contract security

CEO & Co-Founder

CodeShield GmbH

CodeShield is a Software-as-a-Service that detects and fixes cloud security vulnerabilities (Gartner terms: CIEM, CNAPP, CSPM).

  • Acquiring and implementing proof-of-concepts with national and international clients
  • Securing funding to build and grow the team
  • Leading customer research, defining the product vision, iterating on MVP: discover IAM permission misconfigurations and demonstrate exploitable attack vectors (IAM privilege escalations)

Senior Expert & Research Associate

Fraunhofer IEM - Institute for Mechatronic Systems Design

The department of Software Engineering and IT Security at Fraunhofer IEM develops and researches methods and tools for secure development, maintenance, and operation of software-intensive systems.

  • Research on efficient and precise program analysis with focus on security (pointer and taint analyses)
  • Development of the IDE plugin Eclipse CogniCrypt: a spell checker for developers detecting insecure usages of cryptographic APIs, presented at EclipseCon Europe 2018 and heise devSec 2019
  • Integration of static code analyses with industry partners (SAST & SCA for DevOps)

Research Intern

Oracle

Oracle Labs Brisbane is one of Oracle’s eight research centers. The team in Brisbane develops program analysis technologies for internal use (Oracle Parfait).

  • Research stay to work on existing data flow and code analyses solution
  • Prototyping and implementing concepts for efficient program analysis based on soufflé (Datalog-based program analysis)
  • C++ implementation for points-to summaries on top of soufflé

Research Associate

Fraunhofer SIT - Institute for Secure Information Technology

  • Researching and prototyping program and data-flow analyses (pointer and taint analyses)
  • Security analysis of the source code of TrueCrypt using Coverity Scan and Fortify, commissioned by the German Federal Office for Information Security (BSI)
  • Security & pen testing of web applications using OWASP ZAP & Wireshark

Education

PhD in Computer Science (Dr. rer. nat.)

Paderborn University

Dissertation: Synchronized Pushdown Systems for Pointer and Data-Flow Analysis. Grade: summa cum laude (received 3 awards).

Master of Science in Mathematics with Specialisation in Computer Science

Technical University of Darmstadt

Grade: 1.6

Bachelor of Science in Mathematics

Johannes Gutenberg University of Mainz

Grade: 1.6
Skills
Programming Languages
Kotlin / Java
TypeScript / JavaScript
Rust
Python
C/C++
Infrastructure
git
Package Managers (mvn / cargo / uv )
Docker
AWS
Program Analysis & Verification Tooling
Soot
LLVM
Lean
Datalog / Soufflé
SMT Solving
Awards
Fraunhofer ICT Dissertation Award
Fraunhofer ICT ∙ January 2022
Excellent Dissertation Award
Presidium of the University of Paderborn ∙ January 2019
Ernst Denert Software-Engineering Award
Ernst Denert Foundation ∙ January 2019
Distinguished Paper Award
POPL 2019 ∙ January 2019
Artifact Evaluation Award
POPL 2019 & ECOOP 2016 ∙ January 2019
Awarded at both POPL 2019 and ECOOP 2016.
Languages
100%
German Native
80%
English Fluent
Publications & Patents
(2022). Fluently Specifying Taint-Flow Queries with FluentTQL. ESE 2022.
(2021). Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. ICCQ 2021.
(2019). Context-, Flow- and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems. POPL 2019.
(2019). A Qualitative Analysis of Android Taint-Analysis Results. ASE 2019.
(2019). AuthCheck: Program-State Analysis for Access-Control Vulnerabilities. iFM 2019.
(2019). CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs. TSE 2019.
(2017). IDEal: Efficient and Precise Alias-aware Data-Flow Analysis. OOPSLA 2017.
(2017). Modular Points-To Analysis. Oracle International Corporation (Patent).
(2016). Boomerang: Demand-Driven Flow- and Context-Sensitive Pointer Analysis for Java. ECOOP 2016.
(2015). Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis with Unbounded Access Paths. ASE 2015.
(2015). Security Analysis of TrueCrypt. German Federal Office for Information Security (BSI).
Talks & Workshops
(2024). Verifying Smart Contract Properties with Certora’s Sunbeam Tool. Meridian 2024.
(2023). Verifying ERC4626 Implementations with the Certora Prover. TrustX 2023.
(2019). Context-, Flow- and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems. POPL 2019.
(2018). You forgot to changeit — CogniCrypt knows it!. EclipseCon France 2018.
(2017). IDEal: Efficient and Precise Alias-aware Data-Flow Analysis. OOPSLA 2017.
(2016). Boomerang: Demand-Driven Flow- and Context-Sensitive Pointer Analysis for Java. ECOOP 2016.