Software Developers
Software developers will find the SWAMP’s continuous assurance services to be a valuable resource in the software development life cycle. Instead of running individual assessments separately in different windows, developers can run multiple software analysis tools simultaneously in the SWAMP, resulting in greater efficiency and time savings. The SWAMP also works together with repositories, like GitHub, to quickly register and assess code.
The SWAMP’s central viewer, Code Dx™, is a software assurance analytics tool provided by Code Dx, Inc. Code Dx™ simplifies the remediation process by normalizing and prioritizing the vulnerabilities from all of the disparate tools used. This makes it easier for developers to identify, prioritize, and remediate exploitable weaknesses in their code, such as injections, buffer handling, and web deceptions.
The SWAMP provides other unique capabilities specifically designed for Software Developers.
- Reduce Vulnerabilities and Weaknesses, and Increase Quality. Software developers can use the software assurance tools in the SWAMP to assess their software for weaknesses and fix these problems before releasing their software. Eliminating security and quality issues early in the development process reduces development costs and increases the return on investment (ROI), whereas fixing a bug or security issue after release reduces the ROI and can damage the organization’s reputation.
- Simplify the Application of Software Assurance Tools. There are large human costs associated with selecting, acquiring, installing, configuring, maintaining, and integrating a software assurance tool into the development process. These costs can increase exponentially when using multiple tools. Using the SWAMP eliminates this overhead, as the SWAMP staff and tool providers manage the tools, and the SWAMP automates the application of the tools. A software package developer simply makes software available for assessment in the SWAMP and then selects the desired tools for the analysis. Results from multiple tools can be displayed concurrently using the Code Dx™ results viewer.
- Enable Continuous Software Assurance. The SWAMP supports continuous software assurance for developers by scheduling software package assessments on a recurring basis, for example, nightly. Before each assessment begins, the current version of the software package is associated with the assessment run and assessed using a pre-configured set of tools. Users can quickly check the status of their upcoming, ongoing, and completed assessments along with results of successfully completed assessments. Users can also choose to be notified via email when an assessment run finishes. By comparing results from one assessment to another, the software package developer can easily detect regressions or improvements between versions.
Software Assurance Tool Developers
Tool developers and researchers aiming to improve the quality of software assurance tools can use the SWAMP as an online laboratory. The SWAMP hosts over 500 open-source software packages with known vulnerabilities to enable tool developers to enhance both the precision and scope of their tools. A majority of the open-source software packages come from the National Institute of Standards and Technology (NIST) Juliet Test Suite.
The SWAMP offers other benefits to tool developers.
- Reduce False-Positives. The SWAMP allows tool developers to compare the results from their tool line-for-line with the results from other tools. Using this information, the developer can judge whether their tool is appropriately reporting a weakness. Weaknesses identified by the developer’s tool that are not reported by other tools can significantly help the tool developer reduce false-positives.
- Improve Tool Coverage. A key measure of the effectiveness of a software assurance tool is how well it identifies real weaknesses, or true-positives, in software. Knowing which weaknesses identified by other tools are not reported by the developer’s tool can help the tool developer increase tool coverage or tune their tool to report only true-positives.
- Encourage Community Input. By making a tool available to other SWAMP users, the tool developer encourages the community to provide valuable feedback on ways to improve the tool.
- Enable Continuous Software Assurance. The SWAMP supports continuous software assurance for tool developers by scheduling software package assessments on a recurring basis, for example, nightly. Before each assessment begins, the current version of the tool is run against a pre-configured set of packages and/or test suites. Users can quickly check the status of their upcoming, ongoing, and completed assessments along with results of successfully completed assessments. Users can also choose to be notified via email when an assessment run finishes. By comparing results from one assessment to another, the tool developer can easily detect regressions or improvements between versions of their tool.
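The three ideas above (normalizing findings from disparate tools so they can be compared line-for-line, isolating findings that only one tool reports for false-positive or coverage review, and comparing one scheduled run with the next to spot regressions) can be shown in a few dozen lines. The following is an added example, not SWAMP or Code Dx code, and it does not reproduce how either product actually normalizes results. It assumes two hypothetical tools, tool_a and tool_b, whose output records and the sample package paths are constructed here for illustration; the common key is (file path, line, CWE id).

```python
"""Normalize findings from two static-analysis tools, compare them across
tools, and compare two runs of one tool (added example, not SWAMP/Code Dx code)."""
from collections import defaultdict

# Constructed sample output: tool_a emits flat records, tool_b nests the
# location and uses a "level" field instead of a severity. Both hypothetical.
TOOL_A_RUN1 = [
    {"path": "src/net.c", "line": 42, "cwe": "CWE-120", "severity": "high"},
    {"path": "src/net.c", "line": 88, "cwe": "CWE-476", "severity": "medium"},
    {"path": "src/db.c", "line": 17, "cwe": "CWE-89", "severity": "high"},
]
TOOL_B_RUN1 = [
    {"location": {"file": "./src/net.c", "line": 42}, "rule": "CWE-120", "level": "error"},
    {"location": {"file": "./src/db.c", "line": 17}, "rule": "CWE-89", "level": "error"},
    {"location": {"file": "./src/log.c", "line": 5}, "rule": "CWE-134", "level": "warning"},
]
# Constructed second nightly run of tool_a on a newer package version:
# net.c:42 was fixed, a new issue appeared in src/parse.c.
TOOL_A_RUN2 = [
    {"path": "src/net.c", "line": 88, "cwe": "CWE-476", "severity": "medium"},
    {"path": "src/db.c", "line": 17, "cwe": "CWE-89", "severity": "high"},
    {"path": "src/parse.c", "line": 120, "cwe": "CWE-190", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
LEVEL_TO_SEVERITY = {"note": "low", "warning": "medium", "error": "high"}


def normalize_path(path):
    """Strip a leading './' so both tools key on the same relative path."""
    return path[2:] if path.startswith("./") else path


def normalize_a(findings):
    """Map tool_a records to the common {(path, line, cwe): severity} form."""
    return {(normalize_path(f["path"]), f["line"], f["cwe"]): f["severity"]
            for f in findings}


def normalize_b(findings):
    """Map tool_b records to the same common form, translating its levels."""
    return {(normalize_path(f["location"]["file"]), f["location"]["line"], f["rule"]):
            LEVEL_TO_SEVERITY[f["level"]] for f in findings}


def cross_tool_report(by_tool):
    """Return {finding key: sorted names of the tools that reported it}."""
    seen = defaultdict(set)
    for tool, findings in by_tool.items():
        for key in findings:
            seen[key].add(tool)
    return {key: sorted(tools) for key, tools in seen.items()}


def prioritize(by_tool):
    """Order findings by (number of agreeing tools, highest severity), descending.
    Findings several tools agree on go to the top of the remediation queue."""
    agreement = cross_tool_report(by_tool)

    def score(key):
        sev = max(SEVERITY_RANK[by_tool[t][key]] for t in agreement[key])
        return (len(agreement[key]), sev)

    return sorted(agreement, key=score, reverse=True)


def unique_to(tool, by_tool):
    """Findings only `tool` reports: candidates for a false-positive review of
    that tool, or for a coverage gap in the others."""
    agreement = cross_tool_report(by_tool)
    return sorted(k for k, tools in agreement.items() if tools == [tool])


def diff_runs(previous, current):
    """Compare two runs of one tool on successive versions: keys that appeared
    are regressions, keys that disappeared are fixes. Returns (regressions, fixed)."""
    prev_keys, cur_keys = set(previous), set(current)
    return sorted(cur_keys - prev_keys), sorted(prev_keys - cur_keys)


if __name__ == "__main__":
    run1 = {"tool_a": normalize_a(TOOL_A_RUN1), "tool_b": normalize_b(TOOL_B_RUN1)}
    agreement = cross_tool_report(run1)
    for key in prioritize(run1):
        print(key, "reported by", agreement[key])
    print("only tool_a:", unique_to("tool_a", run1))
    print("only tool_b:", unique_to("tool_b", run1))
    regressions, fixed = diff_runs(normalize_a(TOOL_A_RUN1), normalize_a(TOOL_A_RUN2))
    print("regressions:", regressions)
    print("fixed:", fixed)
```

The key choice is the normalization step: once every tool's output is reduced to the same (path, line, CWE) key, cross-tool agreement, single-tool outliers and run-to-run diffs all become set operations. Real tools disagree on line numbers for the same defect and on CWE granularity, so a production version would need a tolerance window on lines and a CWE hierarchy lookup, neither of which this example attempts.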
If you are a tool developer interested in adding a tool to the SWAMP, send a request to firstname.lastname@example.org with a brief description of your tool and your contact information.
Infrastructure Managers
Infrastructure managers bring new technologies into their organizations. Increasingly, this means incorporating open-source software into a networked environment where bugs, defects, or vulnerabilities can create a window of opportunity for unintentional and malicious attacks. Assessing the quality and security of software before it is deployed is a critical step in reducing security risks. Infrastructure managers can use the SWAMP as an evaluative tool before deploying new technologies or to assess existing software packages for security problems prior to release.
Since the SWAMP supports the selection of multiple software analysis tools and simultaneous assessments, infrastructure managers could experience significant time savings. The human cost of conducting software assurance is the effort required to select, acquire, install, configure, maintain, and run these tools on the software prior to deployment. The SWAMP staff manages most of these tasks, making it possible for infrastructure managers to simply view the results of software that others have assessed in the SWAMP. The SWAMP lowers the costs of software assurance, increasing the return on investment.
The SWAMP offers other incentives for infrastructure operations.
- Help Manage Risks Associated with Deployed Software. Infrastructure managers can evaluate the risks of using certain software by using the results of software assurance tools to determine the software’s security and quality. Results from the SWAMP can also provide metrics to encourage software suppliers to improve the quality and security of their software.
- Leverage Community Input to Improve Software Quality. Commonly deployed software can be assessed by the software developer or user community. The SWAMP gives outside developers the capability to test open-source code prior to incorporating it into their own code.
- Improve Visibility into Changes in Deployed Software. Continuous software assurance is the automated, repeated assessment of software by software assurance tools. As new tools are added to the SWAMP, deployed software will be analyzed with improved rigor, identifying potential problems that need to be addressed by the software provider. As new versions of software are released, the SWAMP quickly identifies changes in deployed software, better informing infrastructure managers about the areas of interest that affect their organization.
Educators and Students
Today’s educators are looking for resources to teach their students the skills needed to navigate in a software-driven society. From learning how to write more secure code to discovering and mitigating software application vulnerabilities, the SWAMP is a no-cost resource that educators are using to help today’s students learn more about software security and acquire valuable skills before entering the workforce.
The SWAMP provides the following unique capabilities for educators and students:
- Efficient Environment for Both Instructor and Student. The SWAMP provides an environment that automates much of the burden of assessing a software package and viewing the results. This includes building the software package, applying the software assurance tool, and viewing the results in a straightforward way. With this efficiency, educators can devote more time to teaching core software assurance concepts instead of the operational aspects of performing an assessment. The SWAMP is also a collaborative environment that supports team-training and class projects.
- Access to Multiple Pre-Installed Tools, Packages, and Platforms. Students and educators have access to a broad set of assessment tools that cover a variety of languages, operating systems, and software packages. The SWAMP also hosts software applications with known vulnerabilities that can be used as effective teaching tools, enabling educators to create interesting and engaging class assignments with little effort.
- Support for Custom Tools and Packages. While the SWAMP provides multiple pre-loaded tools and packages, students and educators can upload their own custom tools and packages to demonstrate specific software assurance principles or to assess corrected versions of existing software packages.
- Demonstrating the Value of Continuous Software Assurance. Educators can demonstrate the value of continuous software assurance by incorporating the SWAMP into software development projects with students or fellow researchers.
Since working with educators and future developers is so important to us, we created a dedicated support team. We would love to work with you to understand your class goals, to help set up your projects, and to assist in understanding the results delivered by the tools. Contact the SWAMP to get started.
More resources for software security education: cert.org/curricula.