Below are some of the presentations that I plan to give or have given, in reverse chronological order. I also include some selected posts, articles, papers, and books that I wrote or where I'm quoted; I originally didn't do that, but including them turns out to be convenient. Dates are in ISO 8601 date format (YYYY-MM-DD).
Generally I talk about security / software assurance, free-libre / open source software (FLOSS or OSS/FS), open standards, software innovations, various specialized areas of computer technology, or some combination. I post many of my presentations on my website. I'm available for a few speaking engagements each year; I limit the number of trips away from the Washington, DC area, but I do travel if it's important/interesting. Contact me if you'd like me to speak at your event. You can also see more information about me and my Credly list of my digital badges/awards.
Date/Time | Topic | Organization/Sponsor, Location, Notes |
---|---|---|
2024-12-07 | Comments on Bad Security Practices by David A. Wheeler | Request for Comment on Product Security Bad Practices Guidance |
2024-12-05, 0800 PST | Census III of Free and Open Software: Application Libraries Webinar (video) | Linux Foundation Webinars |
2024-12-04 | Census III of Free and Open Software report by Frank Nagle, Kate Powell, Richie Zitomer, and David A. Wheeler. Noted in TechCrunch, Infosecurity magazine, ITPro, SearchSecurity (TechTarget), Developer Tech News, Linux Security, VMBlog.com, CISO Series, OpenSSF, prnewswire, Dark Reading, Information Security Buzz, Risky Biz News, SecurityWeek (weekly round-up article) and Beta News. | Linux Foundation Research |
2024-10-29 | Quoted in OpenSSF updates its Developing Secure Software course with new interactive labs by Jenna Barron (there's also an OpenSSF press release). | SD Times (SD stands for "Software Development") |
2024-10-22, 11:30-12:10 ET | Artificial Intelligence Cyber Challenge (AIxCC): Overview and Releasing Research as Open Source Software - David Wheeler & Jeff Diecks, Linux Foundation by David A. Wheeler and Jeff Diecks (video) | SOSS Fusion, Atlanta, GA (all videos) |
2024-10-10, 13:00-14:30 ET | Panelist, "Jumpstart Your Journey: Mastering OSS Security Development with Training & Certification" (invitation) | Tech Talk |
2024-09-25 | Open Source Security Foundation (OpenSSF): Improving OSS Security | Towards a Robust and Sustainable Open-Source Software Ecosystem for Future Wireless Research and Development, Washington, DC. Organized by the Networking and Information Technology Research and Development (NITRD) National Coordination Office (NCO), (US) National Science Foundation (NSF). |
2024-09 | LFD121 Labs Addition - Enroll in Our Free LFD121 Course: "Developing Secure Software" | OpenSSF Youtube Channel |
2024-08-11 | From Research to Release: Transferring AIxCC Results to Open Source Software by David A. Wheeler, Jeff Diecks, and Chris Aniszczyk (slides) | DEF CON, AIxCC section |
2024-07-17 | Introduction to the Artificial Intelligence Cyber Challenge (AIxCC) | FIRST AI Security SIG |
2024-07-17 | AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2 | OpenSSF Blogs |
2024-07-16 | "Nearly 1 in 3 software development professionals unaware of secure practices" by David Jones (quoted) | Cybersecurity Dive |
2024-07-10 | AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1 | OpenSSF Blogs |
2024-06 | Secure Software Development Education 2024 Survey by Marco Gerosa, David A. Wheeler, and Stephen Hendrick. (announcement) | OpenSSF and Linux Foundation |
2024-06-18 | Know Your Regular Expressions: Securing Input Validation Across Languages | OpenSSF Blog |
2024-06-18 | Correctly Using Regular Expressions for Secure Input Validation! and its rationale (lead author) | OpenSSF Guides |
2024-06-06 | GUAC Tech Talk: Proactive Supply Chain Security with Graph for Understanding Artifact Composition (GUAC), Moderator | |
2024-05-13 | "Unlock the Keys to Improved Software Security" | OpenSSF Blog |
2024-04-17, 1:30pm PT | "Linux Learning Lounge: Unlock the Keys to Improved Software Security" | Open Source Summit North America 2024, Seattle, Washington |
2024-04-15..19 | Open Source Summit North America 2024 | Program Committee, Linux Security Summit |
2024-04-11 | Keeping it Real (AIxCC summary video) (X) (LI) (FB) | DARPAtv |
2024-03-20 | "OSS Supply Chain: Challenges & How the Open Source Community Can Help" presentation by David A. Wheeler | SecurityWeek Virtual Supply Chain Event |
2024-03-07 | OpenSSF and CISA Join Forces to Secure Open Source Software by David A. Wheeler, Bennett Pursell, and Dana Wang. | OpenSSF Blog |
2024-02-20 | Comments Submitted by OpenSSF (Facilitator) | Cybersecurity and Infrastructure Security Agency (CISA) Request for Comment (RFC) on its Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software white paper |
2024-02-06 | Time is of the Essence to Mitigate Vulnerabilities like Leaky Vessels (Co-author) | OpenSSF Blog |
2024-02-02 | OpenSSF Champions a More Secure Future in Collaboration with Public Sector | OpenSSF Blog |
2023-12-18 | What’s Next in Open Source Security | OpenSSF Blog |
2023-12-11 | OpenSSF Responds to the CISA RFC on Software Identification Ecosystem Analysis | OpenSSF Blog |
2023-12-05 | OpenSSF details top 10 secure software development principles by Sean Michael Kerner (interview) | SDxCentral |
2023-11-29 | Compiler Options Hardening Guide for C and C++ | OpenSSF Best Practices Working Group (WG) |
2023-11-29 | Strengthening the Fort 🏰: OpenSSF Releases Compiler Options Hardening Guide for C and C++ | OpenSSF Blog |
2023-11-28 | Linux Foundation (LF) Energy on Cybersecurity in Energy Infrastructure: The Value of Open Source Software | OpenSSF |
2023-10-23 | Secure By Design: Guidance from Governments | OpenSSF Blog |
2023-10-18 | Keynote: "Open Source Software Security" | Improve: Security, part of SD Times Continuous Improvement series |
2023-09-25 | Keynote speaker, "Open Source Software Security" | Code.LM (Lockheed Martin’s conference on software development, DevSecOps, Secure Supply Chain, and other software specific topics) |
2023-09-19..21 | Speaker, "Implementing the OpenSSF Best Practices Badges & Scorecards Into Your Project"; Program Committee of SupplyChainSecurityCon; Program Committee of Linux Security Summit | Open Source Summit European Union (EU), Bilbao, Spain |
2023-09-14 | How to report vulnerabilities to LF projects and foundations (lead and primary author of LF policy). Discussion is at What You Need to Know About the Linux Foundation’s New Vulnerability Reporting Policy. | Linux Foundation primary website |
2023-09-12 | CISA's Open Source Software Security Roadmap | OpenSSF Blog. |
2023-09-12 | Secure Open Source Software Vision Brief 2023, lead author | Open Source Security Foundation (OpenSSF) |
2023-08-07 | Open Source Software security | F5 podcast |
2023-06-14 | Secure Software Design and Programming: Artificial Intelligence / Machine Learning | AI/ML Security & OSS (June 14, 2023) potential WG meeting |
2023-05? | Developers are Taking Security Seriously (interview with David A. Wheeler) | Video interview with Swapnil "Swap" Bhartiya, TFiR |
2023-05-08..12 | Program Committee of SupplyChainSecurityCon, Program Committee of Linux Security Summit, OpenSSF Day, Speaker at Open Source Summit | Open Source Summit North America, Vancouver, Canada |
2023-04-27 | SLSA 1.0 is here! What’s it mean for you?, panelist with Isaac Hepworth (Google) | Cloudsmith Webinar |
2023-04-17 | Distinguish between source and vendor | OpenSSF Blog |
2023-04-10 | Securing Open Source Software Projects – David A. Wheeler, Open Source Security Foundation | TechStrong.TV |
2023-04-03 | Workshop participant | US Open Source Software Policy Jam, Arlington, VA |
2023-03-30 | Open Source Software (OSS) Supply Chain Security (slides - select part 2) | C4DT Conference on Software Supply Chain Security, hosted by The Center for Digital Trust, Switzerland |
2023-03-22 | Panelist, "Software Supply Chain Leadership Series: Come SLSA with us!" | |
2023-03-16 | How to Get Involved in OpenSSF Working Groups and Projects | OpenSSF Town Hall (virtual meeting) (video) |
2023-03-10 | How OpenSSF Aims to Make Log4j-Like Incidents Rare by Nancy Liu (interviewee) | sdxcentral |
2023-02-28 | "DevOps, Security, and Open Source Software" presentation (sizzle video) | The Big Fix (Livestream) |
2023-02-22 | Co-lead | Virtual Maintainer Summit for Critical OSS Projects |
2023-02-22 | "Open Source Software Security" | Linux Foundation (LF) Edge TAC meeting |
2023-02-15 | "Software Supply Chain Security - Key Terms, Players, and Projects You Need to Know About - Part 2" (The Secure Developer Episode 127) with Guy Podjarny, Simon Maple, Lena Smart, Emily Fox, Aeva Black, Brian Behlendorf, Jim Zemlin, and Dr. David A. Wheeler | The Secure Developer Podcast |
2022-12-23 | Interviewee, Software bills of material face long road to adoption by Elias Groll and John Hewitt Jones | CyberScoop |
2022-12-17 | Open Source Software Security (OpenCode '22) | OpenCode '22, Technical Society of Indian Institute of Information Technology, Allahabad, India |
2022-12-15 | Interviewee, Supporter spotlight: David A. Wheeler on supply chain security | Reproducible Builds project |
2022-12-05..06 | Speaker | OpenSSF Day Japan, part of Open Source Summit Japan 2022, Yokohama, Japan |
2022-12-02 | Speaker/panelist | Trustworthy and Secure OSS, Open Source Workshops for Computing and Sustainability, organised by the European Commission in collaboration with the SWForum.eu Coordination and Support Action, Brussels, Belgium |
2022-11-16 | Speaker (video recording) (announcement) | TechStrong DevOps Experience 2022 (agenda) |
2022-11-16 | OpenSSF Expands Supply Chain Integrity Efforts with S2C2F | OpenSSF Blog |
2022-11-08..11 | Participant | Linux Foundation Member Summit / OpenSSF Governing Board Meeting |
2022-11-07 | Open Source Security Foundation (OpenSSF) Best Practices Working Group (WG) (recorded) | OpenSSF China Summit |
2022-11-03 | "Linux Foundation & Open Source Security Foundation Input to Cybersecurity RFI from the OCND" (Co-author) | Response to the US Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education RFI |
2021-10-31 | "For More Secure Code, Cybersecurity Needs to Shift Left" by David A. Wheeler | National Initiative for Cybersecurity Education (NICE) Fall 2022 Quarterly eNewsletter |
2022-10-19..20 | Speaker | OSPOlogy.live Workshop, Stockholm, Sweden. This was a "Workshop to help organizations effectively implement Open Source Program Offices (OSPOs) based on specific region needs in Europe. October's Ospology.live is hosted by OSPO at Ericsson and co-organized with TODO, OpenChain, SPDX, CHAOSS and OpenSSF projects." |
2022-10-14 | ‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge (interview of me by Adam Bannister) | The Daily Swig |
2022-10-11 | Securing Open Source Software is Securing Critical Infrastructure (author) | OpenSSF Blog |
2022-10-06 | Security and Open Source Software | Telefonica Meetup |
2022-09-28..29 | Speaker, Open Source Software is Critical Infrastructure pictures: 1 2 | 2022 Critical Infrastructure Security Summit, American Institute of Architects HQ, Washington, DC |
2022-09-27 | The United States Securing Open Source Software Act: What You Need to Know (Act summary) (Co-author) | OpenSSF Blog |
2022-09-21..22 | Securing the software that matters | Open Mainframe Summit 2022, Philadelphia, PA (presentations) |
2022-09-19 | Open-Source Community (presenter/panelist) | NCCOE DevOps Workshop (agenda and bios) by NIST |
2022-09-13 | "A Proposal to Operationalize Component Identification for Vulnerability Management" (co-author) | SBOM Forum (OWASP, Linux Foundation, and many others) |
2022-09-05 | "OpenSSF Launches npm Best Practices" (quoted) | OpenSourceForU |
2022-08-24..25 | Steering Committee and panelist in "Behavioral & Economic Incentives to Secure the OSS Ecosystem" panel | Open-Source Software Security Initiative Workshop, initiated by the White House Office of Management and Budget (OMB), the National Science Foundation (NSF), and the National Institute of Standards and Technology (NIST) (Summary in Recommendations from the Workshop on Open-source Software Security Initiative by Angelos D. Keromytis, Georgia Institute of Technology) |
2022-08-19 | Capital One And Akamai Joins The Open Source Security Group by Laveesh Kocher (quoted) | OpenSourceforU.com |
2022-08-18 | Don’t leave open source open to vulnerabilities (quoted) | VentureBeat |
2022-08-18 | “We have an endemic problem” OpenSSF director warns over secure development (quoted) | The Stack |
2022-08-17 | Capital One, Akamai among 13 organizations added to open source security group (quoted) | SC Magazine |
2022-08-15 | How to get involved in OpenSSF Working Groups and Projects | OpenSSF Town Hall |
2022-08-12 | The missing ingredient in software security: grassroots education | TEISS newsletter. Quote: "I was recently asked, “what’s the role of grassroots education in developing secure software and securing software supply chains?” My answer is “none, because we lack grass.” ... Relatively few software developers know how to develop secure software, or how to secure their software supply chains." Access is no cost but registration is required. |
2022-08-15 | Open Source Security Foundation - David A. Wheeler, Linux Foundation; Interview with Alan Shimel | TechStrong TV |
2022-08-02 | Let's talk Open Source Supply Chain with David A. Wheeler, Linux Foundation | In the Nic of Time with Nic Chaillan, former U.S. Air Force and Space Force Chief Software Officer |
2022-06-23..24 | Program Committee, Linux Security Summit | Open Source Summit - North America, Austin, TX |
2022-06-23 | David A. Wheeler, Linux Foundation | Open Source Summit NA 2022 (interview by Alan Shimel) | TechStrong TV, Digital Anarchist Network |
2022-06-22 | Manage Session Panel Discussion: Summing Up the Summit: OpenSSF’s May 2022 Gathering and Action Plan | Open Source Summit - North America, Austin, TX |
2022-06-21..22 | Program Committee, SupplyChainSecurityCon | Open Source Summit - North America, Austin, TX |
2022-06-20 | Education & Training for Secure Software Development & Distribution (slides) | OpenSSF Day, Austin, TX (schedule, other presentations) |
2022-05-12..13 | Stream 1 (Education) lead and Participant, in response to the Open Source Software Security Mobilization Plan. Images: 1, 2, 3. | Open Source Software (OSS) Summit II, Linux Foundation & US White House, Washington, DC |
2022-05-12 | Open Source Software Security Mobilization Plan that I co-edited and contributed to. | Open Source Software (OSS) Summit II, Linux Foundation & US White House, Washington, DC |
2022-05-11 | Invited Panelist | Wilson Center Roundtable on Open Source, Cybersecurity, and Artificial Intelligence (AI). This was hosted through a collaboration within the Science and Technology Innovation Program. The work is funded by the Alfred P. Sloan Foundation who funds their work on the paradigms of Open Hardware and Open Science. |
2022-04-28 | Introducing Package Analysis: Scanning open source packages for malicious behavior | OpenSSF blog |
2022-04-21 | "Secure Software Development: Discussion for the LFN" (video) (slides) | Linux Foundation Networking (LFN) |
2022-04-08 | Improving Open Source Software Security | FOSSASIA Summit 2022 by FOSSASIA |
2022-03-02 | Census II Context | Linux Foundation (LF) Webinar: Census II of Open Source Software Application Libraries the World Depends On (report) |
2022-02-17 | Security Measures For Critical Software | Office of Information Security (OIS) Lunch and Learn (VA) |
2022-02-08 | Mission:data Hearing Exhibit 300 Answer Testimony of Wheeler Rev. 1 (testimony as an expert witness, on behalf of Mission:data Coalition) | Proceeding 21A-0279E, "In the matter of the application of Public Service Company of Colorado for approval to amend the certificate of public convenience and necessity for its Advanced Grid Intelligence and Security (AGIS) initiative" Colorado Dept. of Regulatory Agencies (Search for Proceeding 21A-0279E) |
2022-02-14 | Securing "the" Open Source (Episode S2E6, David A. Wheeler joins) | Security Unhappy Hour |
2022-02-07 | Investing in Open Source Software (OSS) Security (scheduled) | CERT Vendor Meeting 2022 |
2022-01-13 | Co-author of Linux Foundation / Open Source Security Foundation (OpenSSF) presentation and participant in workshop | (US) White House Software Security Summit |
2022-01-07 | log4j / Log4Shell: What are they & what can we learn? | MIT CAMS (MIT's cybersecurity initiative) weekly research seminar for its community of academics and industry practitioners. |
2021-12-01 | Linux Foundation: Defending the Global Software Supply Chain from Cyberattacks in 2021 (co-author) | Linux Foundation Blog |
2021-11-21 (recorded 2021-11-17) | Episode 298 – David A Wheeler discusses the OpenSSF | Open Source Security Podcast |
2021-11-16 | Panel 2: Enhancing Software and Technology Supply Chain Security | NICE Symposium: A Coordinated Approach to Supply Chain Risks |
2021-11-09..10 | OpenSSF CII Best Practices Badge | Open Source Experience 2021, Paris, France; they're expecting 200 speakers, 70 exhibitors, and 4500 attendees |
2021-10-14 | "Linux Foundation Security Executive Order (EO)" by David A. Wheeler & Kate Stewart | Wind River Learning Session |
2021-10-11 | (Program committee member) | SupplyChainSecurityCon North America, Los Angeles, California + Virtual, hosted by Cloud Native Computing Foundation (CNCF) and the Continuous Delivery Foundation (CDF) |
2021-09-29 | Keynote speaker (image) | Open Source Summit + Embedded Linux Conference + OSPOCon, Seattle, Washington |
2021-09-29 .. 10-01 | (Program committee member) | Linux Security Summit (LSS) North America, Seattle, Washington + Virtual |
2021-09-28 | Episode 262: Interview [with David A. Wheeler] | Roaring elephant (podcast), recorded 2021-09-08 |
2021-09-15 | Panelist in Technical Requirements for Software Cybersecurity Labels | NIST Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software |
2021-08-18 | Supply Chain Cybersecurity (Keynote presentation) | Building Cybersecurity into the Software Supply Chain Town Hall Virtual Event; see the video playlist |
2021-08-17 | Cybersecurity Labeling Programs for Consumers of IoT Devices and Software | Linux Foundation's response to the US NIST Workshop and Call for Papers on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software |
2021-08-17 | Quoted in BlackBerry resisted announcing major flaw in software powering cars, hospital equipment | Politico (Cybersecurity area) |
2021-08-10 | Funded open source security work at the Linux Foundation | Linux Foundation blog (post). Quoted in "Get paid to improve Linux and open-source security" by Steven J. Vaughan-Nichols (ZDNet) and "Receive money to improve Linux security and open source software" by Team Security (Bollyinside) |
2021-08-09 | Post-Approval LF Security Funding (typical LF oversight process) | Linux Foundation (LF) |
2021-08-04 | Open Source Software & Supply Chain Security | Open Source Days, hosted by the Academy Software Foundation |
2021-07-29 | Open Source Software & Supply Chain Security (David A. Wheeler and Kay Williams) | Enduring Security Framework (ESF) Software Supply Chain Working Panel |
2021-07-24 (recorded) | Software Bills of Material (SBOMs), Kate Stewart and David A. Wheeler | The Federal Drive with Tom Temin, Federal News Network |
2021-07-20 | Developing secure open source software (OSS) - recording & slides available | Linux Foundation Live (Virtual) Mentoring series |
2021-06-30 | Is Open Source Ready For Biden’s Executive Order For Cybersecurity? | Video interview with Swapnil "Swap" Bhartiya, TFiR (recorded 2021-06-08) |
2021-06-08 | Lead author of LF position papers on criteria for critical software (#1), best practices (#2), the use of critical software (#3), testing (#4), and integrity chains (#5). | Linux Foundation's response to the Call for Position Papers on Standards and Guidelines for Enhancing Software Supply Chain Security (per 2021 US Executive Order on Cybersecurity) |
2021-06-02 | Panel 1: Criteria for Designating Critical Software (speaker and panelist) | Enhancing Software Supply Chain Security: Workshop and Call for Position Papers on Standards and Guidelines (see their Software Supply Chain: Executive Order site |
2021-05-27 | Securing the Software Supply Chain (panel) | Software Delivery Leadership Forum |
2021-05-26 | Software Bill of Materials and uncovering threats in the software supply chain; Stuart Phillips, Interos; Kate Stewart, Linux Foundation; David A. Wheeler, Linux Foundation | BrighTALK |
2021-05-20 | Securing the Development & Supply Chain of Open Source Software (OSS) | QCon Plus 2021, May 17-28, 2021 |
2021-05-18 | Critical Update: Do You Know What’s In Your Software? | Nextgov (quoted in article) |
2021-05-14 | How Linux Foundation (LF) communities enable security measures required by the US Executive Order on Cybersecurity | Linux Foundation blog (post) |
2021-05-11 | Keynote « Open Source Supply Chain Security » | Cyber 4 Open Source webinar, La Securite des Logiciels Open Source (The security of open source software) |
2021-05-06 | "How NOT to do research on an open source community..." by Greg Kroah-Hartman and David A. Wheeler | Discussion, cited by LWN |
2021-05-04 | Securing Open Source (Keynote) | Cloud Native Security Day |
2021-05-03 | OpenSSF Town Hall (esp. "In the News") | Open Source Security (OpenSSF) Town Hall |
2021-04-27 | Open Source Supply Chain Risk Management | NASA’s Information Communication Technology (ICT) Supply Chain Risk Management (SCRM) Service |
2021-04-12 | Fuzzing | TechStrong TV Video Interview hosted by Charlene O'Hanlon with David A. Wheeler, Asra Ali, and Oliver Chang. See also Developers are buzzing on fuzzing. Recorded 2021-03-29. |
2021-04-09 (recorded) | US Government & software supply chain security | Nextgov, interviewed by Staff Correspondent Mariam Baksh, Government Executive Media Group |
2021-03-26 (recorded) | Open Source Security with Dr. David A. Wheeler, episode 91 | The Secure Developer Podcast (Guy Podjarny, Snyk) - via DevSecCon |
2021-03-25 | "Why Won’t Developers Always Just Write Secure Open Source Software?" by Frank Nagle and David A. Wheeler | US NITRD CSIA |
2021-03-03 | "Securing Software Supply Chains" hosted by Derek Weeks, interviewing Brian Fox (Co-founder/CTO Sonatype), David A. Wheeler (Linux Foundation), and Trey Herr (Atlantic Council) | Sonatype |
2021-03-03 2-4pm ET | "Why Won’t Developers Always Just Write Secure Open Source Software?" by Frank Nagle and David A. Wheeler | US Information Security and Privacy Advisory Board (ISPAB) |
2021-02-26 (recorded) | Kim Lewandowski + David Wheeler + John Speed (panel discussion, esp. on Typosquatting, hosted by Charlene O'Hanlon) | TechStrong TV |
2021-02-23 | EXCLUSIVE INTERVIEW: Lessons Learned From the SolarWinds Supply Chain Hack by Jack M. Germain | LinuxInsider |
2021-02-22 | OpenSSF Town Hall (co-presenter) | Open Source Security Foundation (OpenSSF) |
2021-02-09 | David Wheeler + Kim Lewandowski + Santiago Torres-Arias (panel discussion into open source supply chain security, hosted by Charlene O'Hanlon) | TechStrong TV |
2021-01-26 | Episode #212: Security Requires Thinking (His Monkey, His Circus) | Dave & Gunnar Show (audio podcast) (see all my visits there) |
2021-01-22 | "David A. Wheeler - Security Lessons From a Rapidly Evolving Open Source Ecosystem" (audio podcast) | The Balancing Act by Security Compass |
2021-01-20 | Supply-Chain Security: A 10-Point Audit (by Derek Weeks and David A. Wheeler) (video live webcast) (announcement) | threatpost |
2021-01-13 | Preventing Supply Chain Attacks like SolarWinds | Linux Foundation blog |
2020-12-16 | Linux Foundation: Improving Open Source Software Security | FLOSS Weekly podcast #609 |
2020-12-08 | Report on the 2020 FOSS Contributor Survey by Frank Nagle, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and Jennifer L. Hoffman. | Report from the Linux Foundation and the Laboratory for Innovation Science at Harvard. (press release) |
2020-08-06 | Episode #202: Linux Foundations (interview with David A. Wheeler) | Dave & Gunnar Show (audio podcast) |
2020-07-24 | Managing Risks and Opportunities in Open Source with Frank Nagle & David A. Wheeler | CHAOSS Podcast |
2020-04 | Initial Analysis of Underhanded Source Code | IDA Document D-13166 |
2019-10-12 | CII Best Practices Badge Update | FLOSS Weekly podcast #550 |
2019-09 | A Partial Survey on AI Technologies Applicable to Automated Source Code Generation | IDA NS D-10790 |
2019-06-02 | Metamath: A Computer Language for Mathematical Proofs by Norman Megill and David A. Wheeler | Book, published by Lulu Press. You can get it nearly everywhere (e.g., via Amazon), but getting it directly from Lulu is cheaper. |
2019-03-20 | Railroader (a security static analysis tool for Rails) | FLOSS Weekly podcast #522 |
2019-03-12..14 | CII Best Practices Badge Project in 2019 | Open Source Leadership Summit (a Linux Foundation event), Ritz Carlton Half Moon Bay, Half Moon Bay, California |
2018-12 | A Sample Security Assurance Case Pattern | IDA paper P-9278. Note: E. Kenneth Hong Fong was the project leader but not an author. |
2018-11-05..06 | Approaches to Cyber-Resilience through Language System Design (working title) | High Integrity Language Technology (HILT) International Workshop on Cyber-Security Interaction with High Integrity, Boston, Massachusetts. Organized by the Association for Computing Machinery (ACM) SigAda special interest group. |
2018-07 | Securely Using Software Assurance (SwA) Tools in the Software Development Environment, David A. Wheeler and Daniel J. Reddy | IDA Document P-9166. Note: E. Kenneth Hong Fong was project leader but not a co-author. |
2018-06-27 | If it works, it's legacy: analysis of legacy code | Sound Static Analysis for Security, NIST, Gaithersburg, MD |
2018-05-23 | Open Source Software & the US Department of Defense | Platform Security Summit, May 23-24, 2018, Fairfax, VA |
2018-05-01 | Secure Software Education & Training: Some thoughts | Software and Supply Chain Assurance (SSCA) Forum, Co-sponsored by the U.S. Department of Homeland Security (DHS), Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the General Services Administration (GSA). May 1-2, 2018, MITRE, McLean, VA |
2018-03-15 | Software Assurance & Software Data Rights: Starting a Discussion | Software Assurance (SwA) Community of Practice (COP), MITRE, McLean, VA |
2018-01-31 | Current and future DoD policies on open source software | DoD Software Development and Release conference, US Army Engineer Research and Development Center, Mississippi |
2017-09-14 | CII Badge Project: 1.5 years later | Linux Security Summit 2017, Los Angeles, California |
2017-08 | The Software Assurance State-of-the-Art Resource (SOAR) [summary] | IDA NS D-8462. This is a summary. For the document see State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016 including its Appendix E. |
2017-06-14 | The State of Open Source Software (OSS) in the US Federal Government | 2017 Open Source Summit: Succeeding with the New Federal Open Source Policy, Open Source Electronic Health Record Alliance (OSEHRA) |
2017-10-31 | Core Infrastructure Initiative (CII) Open Source Software Census II Strategy by David A. Wheeler and Jason N. Dossett | IDA Document D-8777. Note: at the time we determined there were at least 3.26 million significant OSS projects (the number is explained in the paper). |
2016-05-10 | Episode #113: Badge of Open Source Honor | Dave & Gunnar Show (audio podcast) (see all my visits there) |
2016-10-20 | Open Source Software Practices & Principles for Cybersecurity Technology Transition | Open Source Automotive Cybersecurity Research Tools Forum, Cambridge, MA |
2016-10-04 | Linux Foundation Core Infrastructure Initiative (CII) Best Practices Badge | Software and Supply Chain Assurance (SSCA) Forum, Co-sponsored by the U.S. Department of Homeland Security (DHS), Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the General Services Administration (GSA). October 3-5, 2016 |
2016-09-21 | Linux Foundation Core Infrastructure Initiative (CII) Best Practices Badge (keynote) | OW2 Conference 2016, Paris, France |
2016-11 | State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016 including Appendix E by David A. Wheeler and Amy E. Henninger. | IDA Paper P-8005 |
2016-08-09 | Metamath Proof Explorer (MPE): A Modern Principia Mathematica | Youtube video |
2016-06-28 | Core Infrastructure Initiative (CII) Best-Practices Badge Criteria | IDA NS D-8054 |
2016-05-24 | Best Practices Badge | FLOSS Weekly podcast #389 |
2016-03-31 | Census and Badging | Linux Foundation Collaboration Summit, Resort at Squaw Creek, Lake Tahoe, CA |
2015-10-24 | Using an Open Source Software Approach for Cybersecurity Technology Transition | IDA Paper P-5279 |
2015-10-23 | Open Source Software | OpenHatch at Mason, George Mason University (GMU), Fairfax, VA. (Organized with the Mason Student-Run Computing and GMU GNU/Linux User Group). OpenHatch itself is a "non-profit dedicated to matching prospective free software contributors with communities, tools, and education". |
2015-06-30 | Software SOAR | Information Assurance Symposium (IAS), Washington Convention Center, Washington DC |
2015-06-23 | Preventing Heartbleed and other topics | Linux Foundation (LF) Core Infrastructure Initiative (CII) |
2015-06-19 | Open Source Software Projects Needing Security Investments by David A. Wheeler and Samir Khakimov (alternate location) (OpenSSF landing page with link to Census I) | IDA Document D-5459 (aka "Census I") |
2015-04-22, 08:00 | Countering Development Environment Attacks | RSA Conference (USA 2015), San Francisco, CA (along with Dan Reddy) |
2015-02-19 | Software SOAR | Boeing BMA |
2014-08-13 | Heartbleed 101 by Marco Carvalho, Jared DeMott, Richard Ford, and David A. Wheeler. | IEEE Security & Privacy, Volume 12, Issue 4, 2014-08-13, pp. 63-67, ISSN DOI 10.1109/MSP.2014.66. |
2014-08 | Preventing Heartbleed by David A. Wheeler (article) | IEEE Computer, Volume 47, Issue 8. August 2014. pp. 80-83. |
2014-06-24 | Preventing Heartbleed. | Content Understanding Forum: Industry's Promising Practices Institute for Defense Analyses (IDA). Note: Jeff Hawkins (founder of Numenta) also presented; there have been some amazing advances in our understanding of the brain. |
2014-06-10 | David A. Wheeler on the Current State of Application Security (audio no longer available) | Interview by Trusted Software Alliance |
2014-05-20 | Episode #51: A Visit with the Doctor | Dave & Gunnar Show (audio podcast) |
2014-02-25, 18:30-21:00 | (Interview of me) "US government accelerating development and release of open source" by Mark Bohannon | Opensource.com |
2014-02-25, 18:30-21:00 | Open Source Software and Government | American Society for Quality, Washington, DC and Maryland Metro section 509, Software SIG meeting, MITRE-1, 7525 Colshire Dr, McLean, VA 22102 |
2013-12-18 | Software (security) state-of-the-art resource (SOAR) | Software and Supply Chain Assurance (SSCA) Work Group, MITRE-1, 7525 Colshire Dr, McLean, VA 22102 |
2013-12-03 | Software (security) state-of-the-art resource (SOAR) | SINET 2013 at National Press Club, Washington, DC |
2013-11-07 | Cyber Attack Attribution Techniques | National Defense Industrial Association (NDIA), Cyber division meeting |
2013-11-06 | Software Assurance (SwA), Supply Chain Risk Management (SCRM), and Open Source Software | Defense Acquisition University (DAU), Ft. Belvoir, VA. |
2013-09-19 | Homeland Open Security Technology (HOST). | Software and Supply Chain Assurance forum (SSCA), McLean, VA; hosted by DoD and DHS. I was standing in for Daniel Massey, the HOST Program Manager.
2013-09-17 | Software Assurance (SwA), Supply Chain Risk Management (SCRM), and Open Source Software | Defense Acquisition University (DAU) PAX River, California, MD, 20619 |
2013-09-16 | Open source software panel | Department of Homeland Security (DHS) S+T PI Meeting |
2013-09-10 | Open Source and Security | Government Innovators Virtual Summit, GovLoop |
2013-09-06 | Open source software and security | [Electrical] Grid Open Source Software Alliance (GOSSA), National Rural Electric Cooperative Association, Arlington, VA |
2013-09-04, 1330-1415 | Open source software and intellectual property (IP) management | Open Source Electronic Health Record (EHR) Summit & Workshop, Bethesda, Maryland; sponsored by the Open Source Electronic Health Record Agent (OSEHRA) |
2013-09 | Parallel Compilation on Virtual Machines in a Development Cloud Environment | IDA Document D-4996 |
2013-08-14 | Keynote presentation: How to Open Source in Government | Drupal4Gov 2013, Washington, DC |
2013-08-13 | What is Open Security? | IDA NS D-4993 |
2013-08 | Case Study: OpenSSL 2012 Validation | IDA Document D-4991 |
2013-05-22 | Running Open Source Software projects | Open Source Software for the Smart Grid Workshop, Houston, TX |
2013-05-09, 0900-1200 (EDT) | Open source software | "Open Source License Clinic" hosted by the non-profit Open Source Initiative (OSI). Library of Congress, 101 Independence Ave SE, Madison Building, 6th Floor, Dining Room A, Washington, DC 20540.
2013-03-04 | "Open Source Software, Government, and Cyber Security" (presentation) | Association for Computing Machinery (ACM), Washington, DC Chapter. 1203 19th St, 3rd Floor, Washington, DC. |
2013-01-14 | Open Source Software in Government Challenges and Opportunities (and) OpenSSL 2012 FIPS 140-2 Validation #1747 Case Study | DHS Industry Day 2013, Maritime Institute Conference Center, Linthicum, Maryland |
2012-10-23 | Innovation panel (with Christopher Dale, Matt Micene, and Michael Tiemann) [picture] [picture] [article] | Red Hat Government Symposium, Washington, DC |
2012-10-18 | Security and Open Source Software | Open Cybersecurity Summit, Schafer Conference Center, Washington, DC |
2012-10-17 | Open Source Software and the U.S. Department of Defense | Open Source Electronic Health Record Agent (OSEHRA), Gaylord Convention Center, National Harbor, Maryland |
2012-10-15..16 | Navigating Laws & Regulations on OSS; OSS in Government: Challenges & Opportunities | Military Open Source Software (MIL-OSS) Working Group 4 (WG4), Arlington, Virginia |
2012-09-20 | Homeland Open Security Technologies (HOST): Leveraging Open Source Software in Support of National Cyber Security Objectives | Software Assurance (SwA) forum (sponsored by the Department of Defense (DoD) and Department of Homeland Security (DHS)), McLean, VA |
2012-08-29 | Countering Vulnerable/Obsolete Software Libraries | Diminishing Manufacturing Sources and Material Shortages (DMSMS) & Standardization 2012, New Orleans, LA (Cancelled due to hurricane) |
2012-07-31 | Software Assurance (SwA), Supply Chain Risk Management (SCRM), and Open Source Software | Defense Acquisition University (DAU), Ft. Belvoir, VA. |
2012-07-17 | 5 Questions with David A. Wheeler by Melanie Chernoff | Opensource.com |
2012-06-21 | Releasing software or software changes developed with federal government funding - deciphering contracts/laws so you can build your community | Open Source Summit 2012 (hosted by NASA, the Veteran Affairs Innovation Initiative (VAi2), and the State Department), University of Maryland, College Park, MD. |
2012-06-19 | Software Assurance (SwA), Supply Chain Risk Management (SCRM), and Open Source Software | Defense Acquisition University (DAU), Ft. Belvoir, VA. |
2012-06-07 | Lessons Learned: Roadblocks and Opportunities for Open Source Software (OSS) in U.S. Government (GovLoop) | GovLoop (Webinar) [FierceGovernment coverage] |
2012-05-30 | OSS Licensing; Challenges and Opportunities | OSSI Industry Day, JHU APL, 11100 Johns Hopkins Road, Laurel, MD (starts 7:30am)
2012-05-16 | Receipt of the "Outstanding Adjunct Faculty Award" for my work teaching the graduate course "Secure Software Design and Programming" (SWE 781/ISA 681). | George Mason University (GMU) Department of Computer Science, Celebration & Awards Dinner, Fairfax, VA. |
2012-04-19 | Open Source Software: U.S. Government and Security | Rensselaer Polytechnic Institute (RPI), Troy, NY |
2012-04-12 | The State of Open Source in the Federal IT Landscape | FOSS4G North America 2012, Washington, DC |
2011-11-09..11 | Keynote | ApacheCon North America 2011, Vancouver, British Columbia, Canada |
2011-09-22 | Security and Open Source Software | Open Source Software and the Military Health System, Virginia Tech Research Center, Arlington, VA |
2011-08-30..2011-09-01 | Open Source Software | Military Open Source Software (MIL-OSS) WG3, Atlanta, GA
2011-08-23 | Open Source Software (OSS) and Total Cost of Ownership (TCO) | Government Open Source Conference (GOSCON) 2011, part of Innovation Nation 2011, Washington Convention Center, Washington, DC. My talk on financial issues followed Dr. Alan Greenspan — talk about pressure! The tagline was "Shake IT up"; an earthquake halted the conference early, so I guess they really meant it. |
2011-04-06 | Open Source Software and the DoD | FLOSS Weekly #160, an interview of me by Randal Schwartz and Simon Phipps |
2011-03-29 | Open Source Software: What is possible? | NASA Open Source Summit 2011, Ames Research Center, Mountain View, CA. O'Reilly Radar posted a summary. |
2011-03-23 | Open Source Software (Look at the Numbers!) | Palmetto Open Source Software Conference (POSSCON) 2011, Columbia, SC |
2010-08-02..05 | Open Source Software and Security | MIL-OSS 2010, Washington, DC |
2010-06-26 | Open Source Software | CENDI, the Law Library of Congress, and the Federal Library and Information Center Committee Open Source Software and Copyright: Legal and Business Considerations for Government Use, Library of Congress, Madison Building, Washington, DC |
2010-06-15 | Expert Witness on "Planning for the Future of Cyber Attack Attribution" | U.S. House of Representatives, Committee on Science & Technology, Subcommittee on Technology & Innovation [transcript] [report] [picture] |
2010-04-24..26 | Open Source Software and Security (includes some info on Open Proofs) [ODP] [PDF] | Free/Open Source Software Technologies (FOSST), King Abdulaziz City for Science and Technology (KACST), Riyadh, Saudi Arabia |
2009-11-23 | Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) | Innovation Hall room 105, George Mason University (GMU), Fairfax, VA |
2009-11-05 | Open Source Software. | GOSCON, Ronald Reagan Building and International Trade Center, Washington, DC. |
2009-08-12..13 | Open Source Software panel discussion, open proofs | Mil-OSS, Atlanta, GA. |
2009-06-18 | Open Source Software panel discussion | NRO CTO conference (panel discussion along with Dan Risacher (DoD), Michael Tiemann (Red Hat), and John Scott) |
2008-09-24 | Software Assurance and Open Source Software | FASTER group, National Coordination Office (NCO) for Networking and Information Technology Research and Development (NITRD). NCO/NITRD is the primary mechanism by which the U.S. Government coordinates its unclassified networking and information technology (IT) research and development (R&D) investments. |
2008-08-08 | Open Proofs | Defense BarCamp |
2008-06-12 | Securing Open Source Software [ODP] | OWASP (Northern Virginia), Herndon, VA |
2008-05-07 | Securing Open Source Software | 8th Semi-Annual Software Assurance Forum, May 6-8, 2008, Sheraton Premiere, Tyson's Corner in Vienna, Virginia. |
2008-02-11 | Open Source Software and the DoD | Data & Analysis Center for Software (DACS) series. "Open source software (OSS) has become widespread, but there are many misconceptions about it - resulting in numerous missed opportunities. This presentation will clarify what OSS is (and isn't), rebut common misunderstandings about OSS, discuss the relationship of OSS and security, discuss how to find and evaluate OSS, and explain OSS licensing (including how to combine products and select a license). It will show why nearly all extant OSS is COTS software, and thus why it's illegal (as well as foolish) to ignore OSS options." |
2007-12-11..12 | (1) OSS Licensing and (2) Security and Open Systems / Open Source | 3rd DoD Open Conference: Deployment of Open Technologies and Architectures within Military Systems |
2007-07-23 | What's Ahead for OSS and DoD | The Open Group, Real-time and Embedded Systems Forum, Austin, TX |
2007-03-14 | Open Source Software (OSS) [for government acquisitions] [PDF] [ODF] [PPT] [OGG] [MP3] [FLAC] [As text] | Open Source - Open Standards - Open Architecture: DoD Open Technology Development and Open Source Geospatial Software by the non-profit Association for Enterprise Integration (AFEI), a member of the National Defense Industrial Association (NDIA) family of associations. Held at the Hyatt Hotel Crystal City, Arlington, VA. I was the only person on the panel who wasn't directly employed by the U.S. government. My presentation appears to have inspired a Navy policy memo on OSS. |
2006-12-12 | FLOSS and Software Assurance / Security | Towards a Transparent Acquisition Marketplace for Increased Mission Agility with Open Technology Development, sponsored by the U.S. GSA. Held at the National Science Foundation (NSF) in Rosslyn, VA. An organizer said, "Thank you for your superb presentation and contribution." |
2006-07-12 | "Open Standards and Security (and OpenDocument too)" | Columbia LUG. HP building, 8890 McGaw Rd Ste 100, Columbia, MD. |
2006-07-08 | Free-Libre/Open Source Software (FLOSS) and Security | NovaLUG. Washington Technology Park/CSC (formerly Dyncorp), 15000 Conference Center Drive, Chantilly, VA. |
2006-05-17, 19:00 | "FLOSS and security." | DCLUG. 2025 M Street NW, Washington DC. |
2006-04-26, 14:00 | Open source software and security (plenary speaker) | The Open Group's "Architecting to the Edge" conference. Hilton Crystal City, Crystal City, Arlington, VA. Allen Brown (CEO and President) wrote, "The Washington meeting was one of our best-attended conferences ever... We couldn't have made it one of our most successful events without your participation, contribution and confidence".
2006-04-04 | Open Standards and Security [ODF] [OGG] [MP3] [FLAC] | LinuxWorld 2006's "Government Day" focusing on open standards, Boston, MA. See my commentary. NewsForge reported on my talk, saying: "Of all the speakers I heard, two really made me sit up and pay attention... [one was David Wheeler, who] spoke in parables to illustrate just what open standards are and why they are important for IT infrastructure security... Through this talk I began to see how base standards in hardware and software could allow vendor innovation while preventing vendor lock-in." |
2006-03-02 | Countering Trusting Trust through Diverse Double-Compiling | George Mason University (GMU), Fairfax, VA. (An interactive lecture about my ACSAC paper.) |
2005-12-05 | Countering Trusting Trust through Diverse Double-Compiling | Annual Computer Security Applications Conference (ACSAC 2005), Tucson, Arizona. I describe and discuss a new approach that counters the "uncounterable" Trusting Trust attack, including an experiment that shows it works. Lots of people noticed this paper; Bruce Schneier even has a lengthy article about my paper, saying, "This [Trusting Trust] attack has long been part of the lore of computer security, and everyone knows that there's no defense. And that makes this paper by David A. Wheeler so interesting."
2005-10-11..12 | Session Lead, Tools | Open Web Application Security Project (OWASP) Application Security (AppSec) 2005 conference, NIST, Maryland |
2005-06-03 | "Why Free-libre / Open Source Software? Look at the Numbers!" | "6th International Free Software Forum" / Fórum Internacional Software Livre (FISL) Porto Alegre, Brazil. My travelogue of FISL 2005 in Porto Alegre, Brazil got a lot of press, including a prominent citation in Groklaw. (The paper "Why OSS/FS? Look at the Numbers!" is also available.) |
2004-10-27 | "Security and Open Source Software". | "Open Source Enterprise Solutions Conference" of the Tech Council of Maryland, Rockville, Maryland. My blog entry on this Tech Council of Maryland talk has more information. Interestingly, a large number of FLOSS security projects (both commercial and non-commercial) are based in Maryland.
2004-04-07 | (Interview) "How useful are 'proprietary vs. open source' TCO studies?" by Robin 'Roblimo' Miller | NewsForge |
2004-03-16 | "Open source software and security" | Open Source in Government Conference 2004 (sponsored by the U.S. General Services Administration (GSA) and The Center of Open Source & Government of George Washington University), Washington, DC. My blog entry has more info. |
2004-03-11 | "Evaluating OSS/FS Programs." | At the conference "You Paid What? A Workshop On Full Cost Accounting Methodology For Information Technology Projects In The Public Sector", Ottawa, Canada. |
2004-02-03 | "What Should Governments Examine in Acquiring COTS Open Source Software (OSS)?" | Web-enabled Government conference, Ronald Reagan building, Washington, DC (a repeat of the very successful LinuxWorld January 2004 panel). |
2004-01-22 | "What Should Governments Examine in Acquiring COTS Open Source Software (OSS)?" | LinuxWorld, New York City's Javits center. Blog entry. |
2003-12-11 | Security, Open Source, and Ada (Keynote speaker) | SIGAda 2003, San Diego, CA. |
2003-02-20, 19:00 | Secure Programming for Linux and Unix HOWTO | University of Baltimore, Baltimore, MD. |
2002-08 | "Under the Brim Interview with David A. Wheeler" by Jeremy Hogan | "Under the Brim" (Red Hat's electronic magazine) |
2002-02-16 | Secure Programming for Linux and Unix HOWTO | Free and Open Source Software Developers' European Meeting (FOSDEM 2002) conference, Brussels, Belgium. See my FOSDEM 2002 Travelogue. |
2001-12-25 | "David A. Wheeler's interview" | FOSDEM 2002 interviews (these were interviews of people who were scheduled to speak at FOSDEM 2002) |
2000-02-28 | Linux Security Interview with David A. Wheeler by Brittany Day | Linuxsecurity.com |
Locations are in the United States of America (USA) unless otherwise noted.
I've given other public presentations besides these, but haven't gotten around to listing them.
Feel free to see my home page at https://dwheeler.com.