“Typically, people divide the (software) world into cost, schedule, functionality, quality. In my experience, almost everyone when they talk ‘quality’, are excluding security.” — David A. Wheeler
“We’ve already moved to a mostly componentized world. We now have to understand that we have to update the components as we go along. We need to put tools in the customer’s hands so they can quickly identify, ‘Wow! You’re using a library with 300 known vulnerabilities. I’m not going to use your system until you get your act together.’” — David A. Wheeler
David Wheeler is a project leader at the Institute for Defense Analyses. He also teaches a graduate class on software security at George Mason University. David has a unique view of security’s role as part of the software development life cycle.
In this wide-ranging discussion, we talk about the current state of security, how people are trained (or not trained) to handle security as part of the development process, and what the future looks like for the security industry.
About David A. Wheeler
My professional interests are in improving software development practices for higher-risk software systems (i.e., ones which must be secure, large, and/or safety-critical). My specialties include writing secure programs, vulnerability assessment, open standards, open source software / free software (OSS/FS), Internet/web standards and technologies, and POSIX.