Want to fight cyberthreats? Start with clean code (August 8, 2018)
Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.
His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.
Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions.
Learn more about SWAMP at https://continuousassurance.org/.
With SWAMP-in-a-Box, ‘Bring Your Own License’ and turbo-charge software assurance (February 28, 2018)
In the drive to reduce software security flaws, the Software Assurance Marketplace (SWAMP) project has enhanced its portable platform that brings a comprehensive suite of software assurance tools to the programmer’s desktop. This open-source SWAMP-in-a-Box (SiB) platform now integrates more than 30 tools, both open source and commercial, into a customizable, easy to deploy capability, significantly reducing the barriers to entry for using such tools.
Using multiple tools to regularly scan software is the cornerstone of continuous assurance – the practice of integrating software assurance into the continuous cycle of modern software development. As a continuous assurance platform, SiB facilitates software assessment with multiple assurance tools. The new “Bring Your Own License” model allows organizations to integrate already-purchased commercial tools into their locally deployed SWAMP-in-a-Box instance. Organizations need only acquire a license for a commercial tool supported by SiB, or reuse a license they already hold. The result is hassle-free continuous assessment with the tools of their choice.
Learn more about SWAMP-in-a-Box at https://continuousassurance.org/swamp-in-a-box/.
Madison-based SWAMP and Synopsys join forces to educate the future cybersecurity workforce (December 21, 2017)
The Software Assurance Marketplace (SWAMP) has partnered with Synopsys, an industry leader in software security and quality, to expand its suite of assurance tools in support of the academic community.
In support of educators training the next generation of software developers on secure coding practices, the SWAMP’s continuous assurance platform has added Synopsys Static Analysis (Coverity), a widely used static analysis tool produced by Synopsys, that scans C and C++, the programming languages used by more than one in five programmers worldwide. Synopsys Static Analysis (Coverity), which was recently named a Leader in The Forrester Wave: Static Application Security Testing, marks the fourth industry tool incorporated into the SWAMP’s open and accessible assurance facility. As a result of this partnership, educators can integrate Coverity into their curricula through the SWAMP at no cost.
For more information about capabilities offered by the SWAMP, visit www.mir-swamp.org.
SWAMP integrates assurance tools into the software continuous lifecycle (May 2, 2017)
The Software Assurance Marketplace (SWAMP) is partnering with major continuous integration systems used by software developers to make software assurance a simple and intuitive element of the development process.
The SWAMP offers a suite of plug-in modules that operate within many of the leading development lifecycle tools relied upon by code developers. Those include integrated development environments (IDEs) such as Eclipse; source code repositories such as GitHub and Subversion; and continuous integration systems such as Jenkins and Travis CI.
To access the free SWAMP plugins, visit: https://continuousassurance.org/plug-ins/.
‘SWAMP-in-a-Box,’ an on-premises continuous software assurance capability (October 13, 2016)
The Software Assurance Marketplace (SWAMP) project has launched a new version of its continuous assurance technologies that will allow the software assurance community to deploy local (private) instances of the SWAMP. Called “SWAMP-in-a-Box” (SiB), this free, self-contained version can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premises.
The open-beta SiB version is available for download at https://github.com/mirswamp/deployment and is distributed under an Apache open source license. The current version of SWAMP-in-a-Box includes 15 open source tools, and in future releases, SiB will support integration with locally licensed commercial tools. These tools cover five languages that can be assessed on five platforms.
SiB includes a SWAMP-specific version of the Code Dx software that consolidates software vulnerabilities detected by multiple assessment tools. The Code Dx software is an important part of the ability of the SWAMP to aggregate the strengths of multiple tools into an effective software assurance capability.
Can cybersecurity crack the undergraduate curriculum? (May 16, 2016)
In a time when million-dollar security breaches of household name corporations regularly make headlines, computer science undergraduates at America’s universities remain surprisingly underexposed to basic cybersecurity tactics. The Software Assurance Marketplace (SWAMP) has been working to address this skills gap through a unique partnership with Bowie State University in Maryland. The SWAMP offers a rich and accessible suite of software security tools that Bowie State has been integrating into undergraduate coding courses, giving students an efficient way to examine and rid their code of security weaknesses. The partnership offers a national model for integrating cybersecurity into the curriculum.
SWAMP Continues to Expand Platform of Software Assurance Resources (September 24, 2015)
The Software Assurance Marketplace (SWAMP) has added three capabilities to its growing suite of continuous software assurance resources. These new additions further the SWAMP’s commitment to broaden support for additional programming languages and to increase the number and variety of static analysis tools and platforms available to the software assurance community.
Ruby on Rails support follows the July 2015 introduction of language support and analysis tools for Ruby. Additionally, Brakeman and dawnscanner, two analysis tools specific to Rails, join the three existing tools for Ruby that are already part of the SWAMP.
Red Lizard Software, an independent software technology company based in Sydney, Australia, is now offering SWAMP users access to its static analysis tool, Goanna. As the second commercial entity to bring its analysis technologies to the SWAMP, Red Lizard’s Goanna tool is a valuable resource for developers to assess their C/C++ programs for potential weaknesses.
Android application developers that use Java can use the different Java and Android tools supported by the SWAMP to continuously analyze their code for potential weaknesses. The SWAMP now supports assessing software packages using the Gradle and Maven build systems, as well as Ant.
With the addition of Brakeman, dawnscanner, and Goanna, the SWAMP offers a total of 19 static analysis tools.
SWAMP Expands Portfolio of Open-Access Software Security Tools (July 20, 2015)
The Software Assurance Marketplace (SWAMP) has added three new services to its suite of assurance offerings, including support for software written in Ruby, support for Android software written in Java, and access to Parasoft’s Jtest and C/C++test static analysis tools.
Ruby joins Python as the second scripting language supported by the SWAMP and provides the necessary stepping-stone for Ruby on Rails support, scheduled for launch later this summer. Through a partnership with Parasoft, an independent software vendor, SWAMP users can for the first time include the assessment results of commercial tools in the search for weaknesses in their software. Android application developers that use Java can now use the different tools supported by the SWAMP to continuously analyze their code for potential weaknesses.
Four additional static analysis tools — Ruby-lint, RuboCop, Reek, and Android lint — have been added this year, bringing the total to 16 software analysis tools offered by the SWAMP.
SWAMP Increases Scope with Python Functionality and Security Scanning of Code Snippets (March 3, 2015)
Software written in Python, one of the most popular programming languages, can now be scanned for security weaknesses in the SWAMP at no cost. The Pylint, Bandit, and Flake8 static analysis tools have been added to the SWAMP, enabling Python source code to be tested for vulnerabilities in addition to the testing capabilities already present in the SWAMP for C/C++, Java source, and Java bytecode.
The SWAMP has also simplified the ability for developers to test smaller snippets of software by removing the need to build applications prior to testing. As a result, it is easier to incorporate security into the process of developing the application, called the Software Development Life Cycle (SDLC). The SWAMP can be used to provide vulnerability data as the application is being written, enabling developers to assess and fix code continuously throughout the SDLC. “In addition… being able to test smaller snippets of code makes the SWAMP an excellent resource for today’s educators to be able to teach their students secure coding practices.”
Year One: SWAMP a Catalyst for Improving Cyber-Security (February 13, 2015)
After its first full year in operation, the SWAMP is working to make software security problems yesterday’s news. The marketplace is meant to give software code developers, especially those in the write-and-share open-source world, a simple, one-stop resource to examine code with a multitude of both open-source and commercial assessment tools. By the numbers, the marketplace is off to an active start.
SWAMP Wins ISE North America Project of the Year Award (November 06, 2014)
The Software Assurance Marketplace (SWAMP) was awarded the ISE® North America Project of the Year in the Academic/Public Sector Category. Sponsored by T.E.N., a technology and information security executive networking and relationship-marketing firm, these awards honor outstanding achievements in risk management, data asset protection, compliance, privacy and network security.
See the official T.E.N. press release and full list of winners here.
SWAMP Announces Partnerships with Commercial Vendors (September 19, 2014)
The Software Assurance Marketplace (SWAMP) announced that it has formed partnerships with Veracode, Parasoft, Red Lizard and GrammaTech. They join existing partner Secure Decisions so that together, they can enhance the software security services offered by the SWAMP. Through these partnerships, the no-cost and open-source SWAMP facility will now offer an array of both commercial and open-source software security testing tools as well as an integrated commercial results viewer to significantly improve remediation of software flaws. This announcement broadens the SWAMP’s capabilities and addresses the growing realization of the power of using multiple tools to create a comprehensive view of an application’s potential vulnerabilities.
- Veracode’s cloud-based service provides SWAMP users with easy access to binary static analysis (SAST) with actionable guidance that helps developers quickly prioritize and remediate critical software vulnerabilities.
- Red Lizard Software’s Goanna software analysis tool performs whole program analysis on applications to detect hard-to-find C/C++ software flaws. Built using cutting-edge software assurance research coming from NICTA, Australia’s Information Communications Technology (ICT) Research Centre of Excellence, Goanna also integrates with most IDEs and build systems to detect bugs early in the development cycle.
- GrammaTech’s static analysis tool, CodeSonar, helps developers eliminate the most costly and hard-to-find defects. Designed for zero-tolerance defect environments, CodeSonar’s engine analyzes both source code and binaries. The binary analysis capability enables users to analyze software components even when source code is unavailable. CodeSonar’s new distributed analysis capability can run efficiently on large clusters of computers.
- Parasoft’s Static Analysis Engine (SAE) for Java and C/C++ will help SWAMP developers prevent defects by unobtrusively applying thousands of rules based on academic research, industry standards, and proven best practices.
SWAMP Announces Expert Panel on Software Assurance at OWASP’s AppSec USA 2014 Show (September 17, 2014)
The Software Assurance Marketplace is hosting a blue ribbon panel to discuss the state of software assurance and the resources that the SWAMP has to offer the community. The panel will be held on Thursday, September 18th at 3:00 pm MST in the Silverton room of the Denver Marriott City Center at the AppSec USA 2014 show.
The panel will be moderated by Mark Miller, Community Advocate at Sonatype, Curator and Founder of the Trusted Software Alliance, and Host and Executive Producer of the OWASP 24/7 Podcast Channel.
The panel participants include:
- Kevin Greene – Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, Cybersecurity Division
- Chris Wysopal – CTO and Co-Founder of Veracode
- Arthur Hicken – Evangelist of Parasoft
- Ralf Huuck – CEO and Co-Founder of Red Lizard Software
- Bart Miller – Chief Scientist of the SWAMP and Computer Science Professor at the University of Wisconsin-Madison
- Ken Prole – Project Engineer of Secure Decisions
- Mark Zarins – Vice President of Sales for GrammaTech
Gaining Industry Momentum with Improved Interface Enhancements (July 22, 2014)
SWAMP, the first open software assurance facility, has completed an upgrade that significantly improves the intuitive navigation capabilities of its user interface.
SWAMP opened its services to the community in February of 2014 offering five open source static analysis tools that analyze source code for possible security defects without having to execute the program. Used to improve the quality of complex software stacks, static analysis tools have been applied across medical, nuclear, and aviation markets.
These static analysis tools review program code and search for application coding flaws, unintentional or intentional, that could give attackers access to critical company data or customer information. Each of them has been proven to be an effective software assurance (SwA) measure. The new interfaces make it easy for software developers to apply one or many of these tools to a single software package.
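As an added example (not SWAMP code, nor any of the tools it hosts such as Bandit), the following minimal checker shows what “analyzing source code without executing it” means in practice for the Python support described in the March 2015 item: it parses a source string into an AST, walks the tree, and flags three well-known weak patterns. The check names, messages and the sample snippet are constructed for this illustration; the exemption of literal `eval()` arguments is a deliberate design choice to cut false positives, not a claim about how any real tool behaves.

```python
"""Minimal AST-based static checker, in the spirit of tools like Bandit.

Added example, not SWAMP or Bandit code. It walks the Python AST of a
source string (the program is never executed) and reports three patterns:
  - subprocess.* called with shell=True      (command injection risk)
  - eval()/exec() on a non-literal argument   (code injection risk)
  - yaml.load() without an explicit Loader=   (unsafe deserialization)
Check names are chosen for this example, not taken from any real tool.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    check: str
    message: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _kw(node: ast.Call, name: str):
    """Return the AST node of keyword argument `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node: ast.Call):
        name = _call_name(node)
        shell = _kw(node, "shell")
        if (name.startswith("subprocess.") and isinstance(shell, ast.Constant)
                and shell.value is True):
            self.findings.append(Finding(node.lineno, "shell_true",
                                         f"{name} with shell=True; pass an argv list instead"))
        # A string literal handed to eval() cannot carry attacker input, so skip it.
        if name in ("eval", "exec") and node.args and not isinstance(node.args[0], ast.Constant):
            self.findings.append(Finding(node.lineno, "dynamic_eval",
                                         f"{name}() on a non-literal expression"))
        if name == "yaml.load" and _kw(node, "Loader") is None:
            self.findings.append(Finding(node.lineno, "yaml_load",
                                         "yaml.load without Loader=; use yaml.safe_load"))
        self.generic_visit(node)  # keep walking into nested calls


def scan_source(source: str) -> list[Finding]:
    """Parse and walk `source`; return findings sorted by line number."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: two weaknesses, one safe call, one literal eval.
SAMPLE = '''import subprocess, yaml
def run(user):
    subprocess.run("ls " + user, shell=True)      # line 3: flagged
    subprocess.run(["ls", user])                  # line 4: fine
    cfg = yaml.load(open("c.yml"))                # line 5: flagged
    return eval("1+1")                            # line 6: literal, not flagged
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.line}: [{f.check}] {f.message}")
```

The snippet is scanned as text, so nothing in it runs; that is the property that lets a marketplace run many such tools against untrusted packages.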
SWAMP and Secure Decisions Partner to Enhance Software Security (July 14, 2014)
Secure Decisions, a division of New York-based Applied Visions, Inc., is partnering with the Software Assurance Marketplace (SWAMP) to build a powerful and publicly accessible resource to improve the software that drives everyday life.
Secure Decisions is providing a customized version of their Code Dx® product to be distributed as part of the SWAMP. Code Dx is an important visualization tool that simplifies the remediation process by correlating results from multiple tools into a central platform.
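To make concrete what “correlating results from multiple tools” involves (here and in the SWAMP-in-a-Box item above), the following is an added example, not Code Dx or SWAMP code. It normalises three constructed sample reports into one record type, merges hits on the same file and line, keeps the highest severity, and ranks findings that several tools agree on first. The report shapes (Bandit JSON, Flake8 one-line text, Cppcheck XML) are assumed approximations of each tool’s default output; real reports carry more fields, and the severity mappings are this example’s choice.

```python
"""Consolidate findings from several assessment tools into one ranked report.

Added example of the correlation step a results viewer performs; not Code Dx
or SWAMP code. Inputs are constructed samples shaped like Bandit JSON,
Flake8 text and Cppcheck XML (assumed shapes, not captured tool output).
"""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str
    file: str
    line: int
    severity: str   # normalised to high / medium / low
    rule: str
    message: str


def parse_bandit(report: str) -> list[Finding]:
    data = json.loads(report)
    return [Finding("bandit", r["filename"], r["line_number"],
                    r["issue_severity"].lower(), r["test_id"], r["issue_text"])
            for r in data["results"]]


_FLAKE8 = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):\d+: (?P<code>\S+) (?P<msg>.*)$")


def parse_flake8(report: str) -> list[Finding]:
    out = []
    for ln in report.splitlines():
        m = _FLAKE8.match(ln)
        if m:  # Flake8 carries no severity; lint output is treated as low here
            out.append(Finding("flake8", m["file"], int(m["line"]), "low", m["code"], m["msg"]))
    return out


_CPPCHECK_SEV = {"error": "high", "warning": "medium"}  # everything else -> low


def parse_cppcheck(report: str) -> list[Finding]:
    out = []
    for err in ET.fromstring(report).iter("error"):
        loc = err.find("location")
        if loc is None:
            continue
        sev = _CPPCHECK_SEV.get(err.get("severity", ""), "low")
        out.append(Finding("cppcheck", loc.get("file"), int(loc.get("line")),
                           sev, err.get("id"), err.get("msg")))
    return out


def consolidate(findings: list[Finding]) -> list[dict]:
    """Merge hits on the same file:line, keep the highest severity, and rank
    by severity, then by how many tools agreed, so corroborated hits lead."""
    merged: dict[tuple[str, int], dict] = {}
    for f in findings:
        entry = merged.setdefault((f.file, f.line), {
            "file": f.file, "line": f.line, "severity": f.severity,
            "tools": set(), "rules": set(), "messages": []})
        entry["tools"].add(f.tool)
        entry["rules"].add(f"{f.tool}:{f.rule}")
        entry["messages"].append(f.message)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return sorted(merged.values(),
                  key=lambda e: (-SEVERITY_RANK[e["severity"]], -len(e["tools"]), e["file"], e["line"]))


# Constructed sample reports (not real tool output).
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/run.py", "line_number": 12, "issue_severity": "HIGH",
     "issue_confidence": "HIGH", "test_id": "B602", "issue_text": "subprocess call with shell=True"},
    {"filename": "app/cfg.py", "line_number": 4, "issue_severity": "MEDIUM",
     "issue_confidence": "HIGH", "test_id": "B506", "issue_text": "yaml.load without Loader"},
]})
FLAKE8_TXT = """app/run.py:12:5: E501 line too long (101 > 79 characters)
app/util.py:3:1: F401 'os' imported but unused
"""
CPPCHECK_XML = """<?xml version="1.0"?>
<results version="2">
 <errors>
  <error id="nullPointer" severity="error" msg="Null pointer dereference: p">
   <location file="native/buf.c" line="40"/>
  </error>
  <error id="unusedVariable" severity="style" msg="Unused variable: tmp">
   <location file="native/buf.c" line="8"/>
  </error>
 </errors>
</results>
"""


def sample_report() -> list[dict]:
    return consolidate(parse_bandit(BANDIT_JSON) + parse_flake8(FLAKE8_TXT)
                       + parse_cppcheck(CPPCHECK_XML))


if __name__ == "__main__":
    for e in sample_report():
        print(f"{e['severity']:6} {e['file']}:{e['line']}  "
              f"{','.join(sorted(e['tools']))}  {' | '.join(e['messages'])}")
```

Merging on file and line is the simplest correlation key; a production viewer would also map each tool’s rule identifiers onto a common weakness taxonomy so that different tools reporting the same weakness under different names are recognised as one issue.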
National, Shared Software Assurance Facility, ‘SWAMP,’ Launches (February 3, 2014)
The Software Assurance Marketplace, or the “SWAMP,” will be publicly available and free to the community beginning today (Feb. 3, 2014). Supported by a $23.4 million grant from the Department of Homeland Security’s (DHS) Science and Technology Directorate, the SWAMP provides a state-of-the-art facility that serves as an open resource for software developers, software assurance tool developers, and software researchers who wish to collaborate and improve software assurance activities in a safe, secure environment. From the very early stages of a project and throughout its entire life cycle, the SWAMP offers continuous, automated access to a rich and evolving set of assessment capabilities.
Located in Madison, Wis. and designed by researchers from the Morgridge Institute for Research, the University of Wisconsin-Madison, Indiana University, and the University of Illinois, Urbana-Champaign, the SWAMP provides a suite of assurance tools and software packages that serve to identify vulnerabilities and reduce false positives.
The initial operating capability of the SWAMP supports eight platforms and enables the assessment of Java, C, and C++ software against five static analysis tools: FindBugs, PMD, Clang, CppCheck, and GCC. Results are displayed via Secure Decisions’ CodeDx vulnerability results viewer, which was developed through DHS S&T’s Small Business Innovation Research program (SBIR).
Over the five-year project, SWAMP will add multiple assessment capabilities including mobile, dynamic, and binary analysis tools.
UW-Madison Poised to Become National Hub for Software Security (October 14, 2013)
Typically created as free, collaborative efforts among passionate communities of developers, open source software is now both widespread and highly innovative, producing many household-name applications. But awareness of how to protect open-source code from malicious intent has not kept pace.
The University of Wisconsin-Madison and the Morgridge Institute for Research are home to what may become a transformative cyber-security resource called the Software Assurance Marketplace, or SWAMP. The team is developing an integrated network of assurance tools that provide a simple, one-stop resource for developers. The big advantage is saving open-source developers time and money, while creating more accurate assessments.
Software Assurance Marketplace to Host Exposition (May 23, 2013)
Jennifer Sereno
Top software analysis tool providers from around the world are being invited to run their latest assessment tools at the Morgridge Institute for Research on the UW-Madison campus in a months-long series of tests to improve the quality and security of software assurance tools and open-source software.
The project will be led by the National Institute of Standards and Technology in collaboration with the Software Assurance Marketplace and U.S. Department of Homeland Security’s Science and Technology Directorate.
The effort is part of the fifth Static Analysis Tool Exposition. The exposition involves tool developers from around the world running their software assessment tools to see how many vulnerabilities they can pinpoint within millions of lines of computer code. The ultimate goal is to improve the security of software that underpins our nation’s energy, communications and economic infrastructure.
National Cybersecurity Effort Launched to Strengthen Software Infrastructure (November 1, 2012)
Jennifer Sereno
Scientists at the Morgridge Institute for Research, the University of Wisconsin-Madison, Indiana University, and the University of Illinois at Urbana-Champaign have received a $23.6 million grant as part of a Broad Agency Announcement (BAA 11-02) by the U.S. Department of Homeland Security Science and Technology Directorate to address threats arising from the development process of software used in technology ranging from the national power grid to medical devices.