Frequently Asked Questions
Q: What exactly is the SWAMP?
A: The Software Assurance Marketplace (SWAMP) is an open facility that is designed, built, and operated by four research institutions. The SWAMP provides no-cost access to an array of open-source and commercial software analysis tools. The SWAMP also includes a (growing) library of open-source applications with known vulnerabilities to help tool developers improve the effectiveness of their static and dynamic analysis tools. One of the main goals of the SWAMP is to provide an open marketplace of software packages and analysis tools, with the ability to control how packages, tools, and expertise are shared with the entire software community. With the computing capacity required to support continuous assurance, the SWAMP provides the automation to continuously run multiple analysis tools against software packages. Results are viewable in an integrated results viewer that offers the developer the capability to view weakness reports with integrated CWE (common weakness enumeration) data from multiple tools.
All SWAMP activities performed by users are confidential. Users have the option to share software packages and assessment results with other SWAMP users and can choose to form groups through a project structure.
The ultimate goal of the SWAMP is to promote continuous assurance technologies and practices through an open and collaborative framework that protects confidential data and facilitates sharing, thus, making it easier for software developers to adopt continuous assurance practices.
Q: Who owns the SWAMP?
Q: What kind of static analysis code tools can be used in the SWAMP?
A: Currently, the SWAMP offers the following open-source and commercial static analysis tools: List of Tools Available in the SWAMP. Recently, several commercial vendors partnered with the SWAMP. Static analysis tools from Parasoft and GrammaTech are now available in the SWAMP. The SWAMP will be integrating tools from Sonatype and PRQA during 2017. We will continue to add more tools from open-source and commercial vendors throughout the life of the project, including introducing dynamic analysis capabilities.
Q: Can I bring my own tool into the SWAMP?
A: If you would like to upload your own static or dynamic analysis tool into the SWAMP, please contact us at email@example.com. We are happy to work with you to integrate your tools.
Any tool uploaded to the SWAMP is assumed to be private unless you decide to release it to the public.
Note that before a tool can be integrated, the SWAMP must support the platform (OS) required for your analysis tool and the programming language that your tool can analyze. Both of these potential limiting factors can be addressed and resolved in a timely manner within reason.
Q: Which programming languages and OS are supported? (What will be supported in the future?)
A: The SWAMP welcomes input from users on programming languages and platforms they would like to see in the SWAMP. User input, comments, or suggestions can be made at firstname.lastname@example.org.
Current platforms (OS) supported by SWAMP are: Debian Linux, Fedora Linux, Red Hat Enterprise Linux 6 32 bit & 64 bit, Scientific Linux 5 and 6 32 bit & 64 bit, CentOS 5 and 6 32 bit & 64 bit, Ubuntu Linux, and Android on Ubuntu. During 2017 and beyond, support will be added for Mac OSX, .NET, and iOS mobile code platforms.
Q: Can anyone get an account?
A: Yes, anyone can gain access to the SWAMP at www.mir-swamp.org.
The SWAMP supports verification through GitHub accounts, Google accounts, university accounts affiliated with CI Logon, promotional codes, trusted users that can vouch for the individual, and SWAMP Administration that can confirm the potential user.
Q: Are the uploaded projects and tools available to the public, or do I have an option to set them private?
A: Any project, as in software package, uploaded to the SWAMP is assumed to be private unless explicitly shared with other SWAMP users. Users can control access to their software packages and to assessment results by controlling which Projects can access the software or the results. Project owners control membership in their projects.
To make a software package or tool public, a request is made to SWAMP Administration at email@example.com. A user interface is currently under development for users to make their software packages or tools public. The owner of the software package or tool can change sharing options for software packages or tools at any time.
Q: How does the SWAMP compare to other services like Coverity?
A: The SWAMP facility is unique in offering access to multiple tools, the automation and computing capacity needed to support continuous assurance, and an integrated viewer for assessment results from multiple tools. Unlike other similar offerings of no-cost software assessment services by commercial entities, the SWAMP is designed, built, and operated by a partnership of four not-for-profit research institutions that have a long, demonstrated commitment to open source, cybersecurity, and software assessment and are driven by an underpinning vision of an open software assurance framework that facilitates easy adoption of new software analysis technologies.
Q: What is software assurance and how does it relate to national security?
A: The U.S. Department of Homeland Security’s Build Security In program defines software assurance as a process that affirms software will function as intended, free from vulnerabilities intentionally or unintentionally inserted into the code. Software assurance also ensures that the processes and products used to produce and sustain software conform to relevant requirements and standards. Improved cybersecurity results from effective software assurance efforts.
Growing awareness of the critical role software plays in society has resulted in federal recognition of the need for greater access to tools that help ensure software quality and security. The SWAMP works to improve software reliability and security and enhance the tools available for software analysis.
Q: What is continuous software assurance?
A: Continuous software assurance is the automated, repeated assessment of software by software assurance tools. The goal is to ensure that applications are assessed for weaknesses any time that code changes are made, throughout the software development life cycle. This ensures that new weaknesses introduced as code is added or updated can be remediated during more cost-effective development and testing phases, not after software is released. “Do it early. Do it often.”
The SWAMP supports continuous software assurance by allowing users to schedule assessment runs on a recurring basis (for example, nightly). Software developers can schedule the latest version of their software package to be assessed by a pre-configured set of tools and/or platforms. Similarly, tool developers can schedule the latest version of their tool to assess a pre-configured set of packages and/or test suites. By comparing assessment results over time, developers can detect regressions or improvements between versions of their software.
Q: What is the difference between a weakness and a vulnerability?
A: A vulnerability is a weakness or defect in a software system that can be exploited by an attacker to make the software behave insecurely. Quality issues often arise from weaknesses that are not exploitable through incorrect functioning of the software.
Q: How does the Software Assurance Marketplace fit in with other cybersecurity initiatives?
A: Building on a host of federally funded initiatives, the Software Assurance Marketplace collaborates with and leverages the resources of the following organizations, projects and programs.
- Department of Homeland Security National Cyber Security Division and Science and Technology Directorate. Among the resources are:
- Common Attack Pattern and Classification system, a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy.
- Common Vulnerability Enumeration datafeed, part of the National Vulnerability Database.
- Common Weakness Enumeration software, a program that provides a unified, measurable set of software weaknesses.
- Software Assurance Program, which seeks to reduce software vulnerabilities, minimize exploitation and address ways to improve the routine development and deployment of trustworthy software products.
- Tool Output Integration Format, an open-source framework for integrating and normalizing weaknesses identified by multiple commercial and open-source detection tools.
- High Performance Computing Clusters, networks of public and private computers linked to perform large-scale computational work.
- National Institute of Standards and Technology. Among the resources are:
- National Vulnerability Database, a repository of standards-based vulnerability management data represented using the Security Content Automation Protocol. These elements combine to enable automation of vulnerability management, security measurement and compliance.
- National Software Reference Library, a reference data set compiled to promote efficient use of computer technology in the investigation of crimes involving computers.
- National Security Agency Center for Assured Software and its Software Assurance Findings Expression Schema, which provides a common mechanism for all tools, analysis services and analysis practices in the software assurance field to report, integrate and analyze findings in a consistent fashion.