Frequently Asked Questions
Q: What is the SWAMP?
A: The Software Assurance Marketplace (SWAMP) is an open facility that is designed, built, and operated by four research institutions. The SWAMP provides no-cost access to an array of open-source and commercial software analysis tools. The SWAMP also includes a library of open-source applications with known vulnerabilities to help tool developers improve the effectiveness of their analysis tools. One of the main goals of the SWAMP is to provide an open marketplace of software packages and analysis tools, with the ability to control how packages, tools, and expertise are shared with the entire software community. With the computing capacity required to support continuous assurance, the SWAMP provides the automation to continuously run multiple analysis tools against software packages. Results are viewable in an integrated results viewer that offers the developer the capability to view weakness reports with integrated CWE (Common Weakness Enumeration) data from multiple tools.
All SWAMP activities performed by users are confidential. Users have the option to share software packages and assessment results with other SWAMP users and can choose to form groups through a project.
The ultimate goal of the SWAMP is to promote continuous assurance technologies and practices through an open and collaborative framework that protects confidential data and facilitates sharing, thus making it easier for software developers to adopt continuous assurance practices.
Q: Who owns the SWAMP?
Q: What is SWAMP-in-a-Box (SiB)?
A: The Software Assurance Marketplace (SWAMP) provides continuous software assurance capabilities to developers and researchers. For users that need or prefer to run software assurance tools on their own computing infrastructure, the SWAMP offers a standalone software application called “SWAMP-in-a-Box” (SiB). The SiB application can be deployed on your own servers if you have higher security or compliance requirements for your software, or, being open-source, when you want to customize the software. SWAMP-in-a-Box is available for download on GitHub at https://github.com/mirswamp/deployment. More information can be found at https://continuousassurance.org/swamp-in-a-box/.
Q: Can SWAMP-in-a-Box (SiB) operate without internet access or a network connection?
A: Yes, SWAMP-in-a-Box can be configured to run assessments without needing access to the internet or an external network connection. This requires software packages to build without access to the internet (or be pointed to an internal repository). Internet access is required to install SiB and download dependencies as part of the installation process. See the SWAMP-in-a-Box Administrator Manual for the necessary configuration and a detailed list of dependencies. If a tool requires updates from the National Vulnerability Database (NVD), then you will need to create a snapshot of the NVD for the tool to access while assessing a package.
Q: How does SWAMP fit into my current development process?
A: The SWAMP offers a Java command line interface, a GitHub webhook, and plug-ins for Eclipse, Git/Subversion, and Jenkins to integrate into your software development lifecycle and to support continuous integration. The plug-ins allow assessments with any of the tools supported by the SWAMP. Results can be viewed directly in the SWAMP/SWAMP-in-a-Box, or for Eclipse and Jenkins, directly within the product. Each plug-in requires a valid SWAMP account.
Q: What kind of static analysis code tools can be used in the SWAMP?
A: Currently, the SWAMP offers the following open-source and commercial static analysis tools: List of Tools Available in the SWAMP. Some commercial tool vendors have also partnered with the SWAMP to support a “bring your own license” model for their tools to work with SWAMP-in-a-Box. The SWAMP will continue to add support for additional open-source and commercial tools throughout the life of the project.
The SWAMP welcomes input from users on software analysis tools they would like to see in the SWAMP. User input, comments, or suggestions can be made at email@example.com.
Q: Can I bring my own tool into the SWAMP?
A: If you would like to use or offer your own software analysis tool in the SWAMP, contact us at firstname.lastname@example.org. We are happy to work with you to integrate your tools. Adding a tool to the SWAMP is a manual process, requiring many parts to work in concert and be performed without human interaction by the SWAMP code, including installation of the tool on the SWAMP’s available platform, configuration of the tool, operation of the tool, and conversion of the tool results into the SWAMP’s result format.
Any tool uploaded to the SWAMP is assumed to be private unless you decide to release it to the public.
Note that before a tool can be integrated, the SWAMP must support the platform (OS) required for your analysis tool and the programming language that your tool can analyze. Both of these potential limiting factors can be addressed and resolved in a timely manner within reason.
Q: How do I access commercial tools in the SWAMP?
A: If you would like access to a commercial tool supported in the SWAMP, you must first request permission. Follow the instructions below:
- Log in to your SWAMP account.
- Click on your SWAMP username in the top right corner of the page to go to your account.
- Select the Permissions tab.
- For each tool you would like to access in the SWAMP, select the Request button on the right.
- Fill out and submit the form.
- A member of the SWAMP team will follow up with the commercial tool vendor for authorization. The vendor may reach out to you with questions.
- Once authorization has been received from the tool vendor, you will be granted access to use the commercial tool in the SWAMP.
To add on and access commercial tools with SWAMP-in-a-Box using the “bring your own license” model, review the SWAMP-in-a-Box Administrator Manual.
Q: How do I use the BugInjector test suite from GrammaTech in the SWAMP?
A: To run software assessments of the BugInjector test cases, you will need to be signed in to the SWAMP at mir-swamp.org. The BugInjector test cases can be found on the Resources page under Packages. After selecting a package and version containing a CWE of interest, you can run an assessment of the chosen “bug injected” software using one or more software assurance tools. GrammaTech CodeSonar® is one of the commercial tools that is integrated into the SWAMP, along with many other open source static analysis tools. (See above for obtaining access to commercial tools in the SWAMP.) You can also download BugInjector test cases to run against a tool you are developing or using outside of the SWAMP.
Q: Which programming languages and operating systems (OS) are supported?
A: The SWAMP welcomes input from users on programming languages and platforms/operating systems (OS) they would like to see in the SWAMP. User input, comments, or suggestions can be made at email@example.com. The SWAMP will continue to add support for additional programming languages and platforms throughout the life of the project.
Current platforms (OS) supported by SWAMP are: List of Platforms/Operating Systems Available in the SWAMP. At this time, the SWAMP supports several different flavors and versions of Linux, plus Android.
Q: Does the SWAMP support Red Hat Enterprise Linux (RHEL) as a platform?
A: Minimal testing has been done with RHEL 6 and 7 as a host OS to run SWAMP-in-a-Box. Due to licensing and distribution issues, we do not provide a RHEL image that can be used to run assessments within the SWAMP or SWAMP-in-a-Box. CentOS is derived from RHEL with only small differences. CentOS contains the same development tools, libraries, and software as RHEL and can be used as a substitute.
Q: Can anyone get an account?
A: Yes, anyone can gain access to the SWAMP at www.mir-swamp.org or download SWAMP-in-a-Box.
The SWAMP supports verification through GitHub accounts, Google accounts, and university accounts affiliated with CILogon, as well as the ability to create an account with SWAMP.
Q: Are the uploaded projects and tools available to the public, or do I have an option to set them private?
A: Any project, as in software package, uploaded to the SWAMP is assumed to be private unless explicitly shared with other SWAMP users. Users control access to their software packages and assessment results by controlling which Projects can access the software or results. Project owners control membership in their projects.
To make a software package or tool public, contact firstname.lastname@example.org. The owner of the software package or tool can change sharing options for software packages or tools at any time.
Q: How does the SWAMP compare to other similar services?
A: The SWAMP facility is unique in offering access to multiple tools, the automation and computing capacity needed to support continuous assurance, and an integrated viewer for assessment results from multiple tools. Unlike similar offerings of no-cost software assessment services by commercial entities, the SWAMP is designed, built, and operated by a partnership of four not-for-profit research institutions with a long, demonstrated commitment to open source, cybersecurity, and software assessment, driven by an underpinning vision of an open software assurance framework that facilitates easy adoption of new software analysis technologies.
Q: What is software assurance and how does it relate to national security?
A: The U.S. Department of Homeland Security’s Build Security In program defines software assurance as a process that affirms software will function as intended, free from vulnerabilities intentionally or unintentionally inserted into the code. Software assurance also ensures that the processes and products used to produce and sustain software conform to relevant requirements and standards. Improved cybersecurity results from effective software assurance efforts.
Growing awareness of the critical role software plays in society has resulted in federal recognition of the need for greater access to tools that help ensure software quality and security. The SWAMP works to improve software reliability and security and enhance the tools available for software analysis.
Q: What is continuous software assurance?
A: Continuous software assurance is the automated, repeated assessment of software by software assurance tools. The goal is to ensure that applications are assessed for weaknesses any time that code changes are made, throughout the software development life cycle. This ensures that new weaknesses introduced as code is added or updated can be remediated during more cost-effective development and testing phases, not after software is released. “Do it early. Do it often.”
The SWAMP supports continuous software assurance by allowing users to schedule assessment runs on a recurring basis (for example, nightly). Software developers can schedule the latest version of their software package to be assessed by a pre-configured set of tools and/or platforms. Similarly, tool developers can schedule the latest version of their tool to assess a pre-configured set of packages and/or test suites. By comparing assessment results over time, developers can detect regressions or improvements between versions of their software.
Q: What is the difference between a weakness and a vulnerability?
A: A vulnerability is a weakness or defect in a software system that can be exploited by an attacker to make the software behave insecurely. Quality issues often arise, through incorrect functioning of the software, from weaknesses that are not exploitable.
Q: How does the Software Assurance Marketplace fit in with other cybersecurity initiatives?
A: Building on a host of federally funded initiatives, the Software Assurance Marketplace collaborates with and leverages the resources of the following organizations, projects and programs.
- Department of Homeland Security National Cyber Security Division and Science and Technology Directorate. Among the resources are:
  - Common Attack Pattern and Classification system, a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy.
  - Common Vulnerability Enumeration data feed, part of the National Vulnerability Database.
  - Common Weakness Enumeration software, a program that provides a unified, measurable set of software weaknesses.
  - Software Assurance Program, which seeks to reduce software vulnerabilities, minimize exploitation and address ways to improve the routine development and deployment of trustworthy software products.
  - Tool Output Integration Format, an open-source framework for integrating and normalizing weaknesses identified by multiple commercial and open-source detection tools.
- High Performance Computing Clusters, networks of public and private computers linked to perform large-scale computational work.
- National Institute of Standards and Technology. Among the resources are:
  - National Vulnerability Database, a repository of standards-based vulnerability management data represented using the Security Content Automation Protocol. These elements combine to enable automation of vulnerability management, security measurement and compliance.
  - National Software Reference Library, a reference data set compiled to promote efficient use of computer technology in the investigation of crimes involving computers.
- National Security Agency Center for Assured Software and its Software Assurance Findings Expression Schema, which provides a common mechanism for all tools, analysis services and analysis practices in the software assurance field to report, integrate and analyze findings in a consistent fashion.
Q: How can I access the Software Assurance Marketplace?