The Software Assurance Marketplace (SWAMP) is an open, no-cost, high-performance computing platform designed to serve as a resource to the software community. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software (applications, libraries, etc.), the ultimate goal of the SWAMP is to provide higher quality and more secure software for government agencies, businesses, academia, and end users. The SWAMP was developed to lower the barriers for its audience and user groups (software and tool developers, researchers, and educators and students) to perform continuous software assurance. By offering multiple software analysis tools and a library of software applications with known vulnerabilities, the SWAMP is committed to making it easier to integrate security into the software development life cycle.
There are two ways to use the SWAMP: the ready-to-use cloud computing platform at mir-swamp.org and the SWAMP-in-a-Box (SiB) open-source distribution downloadable from GitHub. The SWAMP (mir-swamp.org) went live in February 2014 and is hosted at the Morgridge Institute for Research in Madison, Wisconsin. This shared, secure facility offers advanced networking capabilities and robust hardware to meet the continuous assurance needs of multiple software and tool development projects. Coupled with HTCondor, an open-source workload scheduling and compute management system, the SWAMP provides a powerful and easy-to-use environment that supports high-volume continuous software assurance across a broad set of platforms within a distributed environment. This environment isolates each assessment run and offers a choice of additional platform versions. These machines are provisioned in a flexible, secure network setting whose configurations can be tailored and scaled to meet the needs of the most demanding testing scenarios.
Since software security testing requires the use of multiple tools to perform a comprehensive analysis, the SWAMP hosts a wide library of both commercial and open-source assurance tools to enable software projects of any size to be thoroughly and quickly tested for weaknesses. The SWAMP provides access to an integrated results viewer that compiles and prioritizes all of the test results into one central platform. This allows users to easily visualize the detected security weaknesses from all of the tools used and quickly remediate the most critical defects. By incorporating the SWAMP into the software development life cycle, it is easier to find vulnerabilities before that software is deployed for use or released to the public.
The SWAMP hosts over 500 open-source software packages, serving as a testing laboratory for tool developers to enhance both the precision and scope of their tools. Tool developers can contact the SWAMP to upload their tools and test their effectiveness against the curated packages available in the SWAMP. As a collaborative platform that is also used for research, anonymized data from SWAMP activities can be used to improve the state of software assurance as a whole.
BAA & Motivational History
The idea for the SWAMP originated when the Department of Homeland Security Science and Technology Directorate (DHS S&T) published the Cyber Security Research and Development Broad Agency Announcement (BAA) 11-02, specifically Technical Topic Area (TTA) #14, in January of 2011. A BAA is the method used by United States government agencies to contract for basic and applied research, scientific study, and experimentation directed toward advancing the state-of-the-art or increasing knowledge or understanding (48 CFR 35.106(a)).
According to BAA 11-02, the Nation’s critical infrastructure, businesses, and services are increasingly controlled and enabled by software. Vulnerabilities in that software put those resources at risk. In addition, the overall stability, reliability, and resilience of software as a whole have not kept pace with the increasing demands of today’s business environments. This BAA was issued to discover new and innovative methods, services, and capabilities in test and evaluation activities to improve the quality and reliability of software used in the Nation’s critical infrastructures.
To develop the SWAMP, a unique team of experts in high-throughput computing, identity management, and cybersecurity was assembled. The SWAMP was created to meet the urgent need for a comprehensive test and evaluation service that applies a broad array of new and existing analysis tools to software across relevant platforms and environments. The SWAMP was designed to:
- Help advance the quality and adoption rate of software assurance tools,
- Lower the barriers to do continuous software assurance, and
- Make it easier to interpret and use the resulting output from software assurance tools.
Following build and beta-testing phases, the SWAMP reached Initial Operating Capability (IOC) in February 2014. To meet the higher security requirements of certain groups of users, SWAMP-in-a-Box was introduced in September 2016.
The SWAMP is funded by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division (DHS S&T/HSARPA/CSD); BAA 11-02; and Air Force Research Laboratory, Information Directorate under agreement number FA8750-12-2-0289.