The Software Assurance Marketplace is being enhanced to meet the needs of the user community. We continue to provide user support, software updates, bug fixes, and system performance improvements. At the request of the Department of Homeland Security, we can extend this phase of operation for additional years.
Planned Development for 2017
- Scripting language support and assessment tools – Available Now!
- Addition of GrammaTech’s CodeSonar static analysis tool – Available Now!
- Support for GrammaTech CodeSonar in SWAMP-in-a-Box – Available Now!
- Addition of Sonatype’s Application Health Check analysis tool
- Addition of Coverity from Synopsys
- Addition of PRQA’s analysis tool
- Plugins for IDEs: BlueJ, Eclipse
- Support for Windows
- Ability to share SWAMP results publicly
- Ability to import external results into SWAMP
- Addition of dynamic analysis capabilities
Integration of ASTAM and STAMP Deliverables
Deliverables from the ASTAM and STAMP projects are scheduled for integration with SWAMP starting as early as 2017. In collaboration with other performers in the DHS S&T CSD technical program, the SWAMP may also be leveraged to support the testing and evaluation of their technologies.
- Application Security Threat and Attack Modeling (ASTAM)
- Broad Agency Announcement Solicitation HSHQDC-16-R-B0003
- Goal is to create a Unified Threat Management (UTM) system. Below are the technical topic areas (TTAs) with deliverables to SWAMP:
- TTA #1 – Hybrid Analysis Mapping (HAM) Component
- TTA #2 – Application Threat Modeling Component
- TTA #3 – Attack Simulation and Countermeasures Modeling (ACSM) Component
- TTA #4 – Continuous Monitoring and Assessment (CMA) Component
- Static Tool Analysis Modernization Project (STAMP)
- Broad Agency Announcement HSHQDC-16-R-B0002
- Goal is to modernize a list of candidate software analysis tools: improve tool performance and coverage; integrate seamlessly with continuous integration and DevOps operational environments; and produce stronger analysis results by reducing false positives and by providing visibility into false negatives, which often leave residual risk.
- TTA #1 – Test Case Generator
- TTA #3 – Tool Modernization
- TTA #4 – Operational Pilot Implementing Tool Scoring and Labeling