Category Archives: Cloud Security

SWAMP & Secure Development for the Cloud

In today’s MISTI blog post, “Secure Development for the Cloud,” author Randall Brooks mentions SWAMP and SWAMP-in-a-Box as useful resources for organizations with limited funds that are looking for secure coding solutions. Incorporating many free and open-source analysis tools, the Software Assurance Marketplace offers both cloud-based and on-premises options for continuous software assurance. Read the full article.

Brooks will also be presenting at the upcoming 2017 InfoSec World Conference in Orlando. Session B4 “Secure Development for the Cloud” will include a bit about the SWAMP. Catch the presentation on Monday, April 3 at 2:15pm-3:05pm.

Analysis of the Heartbleed Vulnerability

In response to the recent Heartbleed vulnerability, James A. Kupsch and Barton P. Miller of the University of Wisconsin analyzed the problematic sections of the OpenSSL code and why they challenged the capabilities of software assurance tools. Read their full analysis here, and learn how the SWAMP can be used to reduce the likelihood of such events in the future.

Citation information for the white paper is below.

MLA: Kupsch, James A., and Miller, Barton P. “Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?” Continuous Software Assurance Marketplace, 22 Apr. 2014. Web. <https://www.swampinabox.org/doc/SWAMP-WP003-Heartbleed.pdf>

APA: Kupsch, J.A., & Miller, B.P. (2014, April 22). Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed? [PDF file]. Continuous Software Assurance Marketplace. Retrieved from https://www.swampinabox.org/doc/SWAMP-WP003-Heartbleed.pdf
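The bug the paper analyzes is a missing bounds check: the TLS heartbeat handler trusted the peer-supplied payload length and copied that many bytes into its reply whether or not the received record was that long, so the reply carried whatever sat next to the record in server memory. The C model below is added here as an illustration; it is not code from OpenSSL, from the paper, or from the SWAMP. It reproduces the vulnerable pattern on a constructed in-memory "record" followed by a constructed secret, next to the same handler with the length check that OpenSSL 1.0.1g introduced. The simplified record layout, the function names, and the sample data are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message as seen by the handler:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Layout, names and data are assumptions for this example, not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Vulnerable pattern: the payload length comes from the peer and is never
 * compared with the length of the record actually received, so memcpy reads
 * past the record into whatever follows it in memory.
 * Returns the response length, or -1 if it would not fit in out. */
static int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* the bug: rec_len is ignored */
    const uint8_t *p = rec + 1;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);            /* over-read when payload_len is a lie */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed pattern: discard any record whose claimed payload plus header and
 * minimum padding exceeds what was actually received (the check OpenSSL
 * 1.0.1g added). Everything else is identical to the vulnerable handler. */
static int hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to carry a length */
    const uint8_t *p = rec + 1;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;  /* silently drop */
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte-string search (memmem is not in standard C). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Builds a constructed 64-byte "process memory" image: a 23-byte heartbeat
 * request carrying the 4-byte payload "ping" but claiming 40 bytes, followed
 * by a constructed secret standing in for another user's credentials.
 * Returns 1 when the vulnerable handler leaks the secret and the fixed
 * handler rejects the same record, 0 otherwise. */
int heartbleed_demo(void)
{
    uint8_t memory[64] = {0};
    const char *secret = "password=hunter2";        /* constructed, not real */
    const size_t real_len = 1 + 2 + 4 + HB_PADDING; /* 23 bytes actually received */

    memory[0] = HB_REQUEST;
    memory[1] = 0x00; memory[2] = 0x28;             /* claimed payload length: 40 */
    memcpy(memory + 3, "ping", 4);                  /* padding bytes stay zero */
    memcpy(memory + real_len, secret, strlen(secret));

    uint8_t reply[128];
    int vuln = hb_respond_vulnerable(memory, real_len, reply, sizeof reply);
    int leaked = vuln > 0 && contains(reply, (size_t)vuln, secret);

    int fixed = hb_respond_fixed(memory, real_len, reply, sizeof reply);
    return leaked && fixed == -1;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory, fixed handler drops record: %s\n",
           heartbleed_demo() ? "yes" : "no");
    return 0;
}
```

The two handlers differ only in the single comparison of the claimed length against the received length; that is the kind of check static analyzers struggle to prove missing, because the length is a valid-looking value that merely came from the wrong place.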

SWAMP Security Notification: Critical Bug, Please Change Your Password

Greetings SWAMP User,

On April 7th, 2014 a critical bug (“Heartbleed”) in the widely used OpenSSL security software was announced. It impacts about half of the Internet’s secure web servers, including the SWAMP. The time between the announcement and the SWAMP patching its infrastructure was short, and we have no indication that anyone’s password was compromised, but it remains theoretically possible. We are therefore strongly advising all SWAMP users to change their passwords.

You can change your password by logging into the SWAMP at https://www.mir-swamp.org and then selecting “My Account”, “Edit Profile” and “Change Password”. Ideally you should have the SWAMP bookmarked and navigate there yourself rather than clicking a link in email, which could be a phishing attempt.

Please choose a unique password for the SWAMP that is not used on other sites. You will find that using a secure password manager such as LastPass, Keepass or 1Password will aid in choosing a unique and strong password for each website you use.

== What We Have Done ==

The SWAMP team has reviewed this bug thoroughly and properly patched our web servers with the fixed version of OpenSSL. We have also regenerated our SSL certificate as a precaution in the case that the old one was compromised. For details, please see:

https://continuousassurance.org/blog/2014/04/09/openssl-heartbleed-cve-2014-0160/

Other questions you may have

Can you tell me more about this vulnerability?

Please see http://heartbleed.com/

Can the SWAMP be used to find vulnerabilities like Heartbleed?

The SWAMP team will have a blog post on this shortly with more information.

Was there any evidence that data in the SWAMP had been compromised or that my password was seen?

No. However, the bug could have been exploited before it was publicly identified on April 7th without leaving any evidence, so we are being cautious and strongly advising all SWAMP users to change their passwords.

What if I didn’t log on to the SWAMP website during the exploitation window?

If you have logged into the SWAMP at any time, your password may still have been in server memory during the exploitation window, so we feel that everyone should change their password. Also, since the vulnerability existed for about two years before its discovery, unknown parties may have been using it.

Would the strength of my password matter? 

A strong password is an important part of keeping your account secure from attackers. In this case, however, strength would not have mattered: the bug exposes server memory, where the password is present in clear text while a login is processed, so no guessing or cracking is needed.

I already use a secure password manager, would that help?

No. A password manager like LastPass helps you manage many unique passwords on your own computer, but it does nothing to protect your password once it has been sent to a server. It does make recovery easier: if the SWAMP password was unique, only that one password needs to change.

Would two factor authentication improve security?

Two factor authentication would indeed help protect accounts by requiring more than just the knowledge of the plain text password.

Are my SSH keys compromised?

No. OpenSSH uses OpenSSL’s cryptographic library to generate keys and perform cryptographic operations, but Heartbleed is a bug in the TLS heartbeat extension, and SSH does not use TLS for authentication or transmission of data, so the bug cannot be triggered through an SSH server.

If you have any other questions, please feel free to contact SWAMP staff at support@continuousassurance.org

Thank you for your time,

SWAMP Security Team

Madison.com Covers SWAMP Launch

Judy Newman, business reporter for the Wisconsin State Journal and Madison.com, spent some time talking with CTO Miron Livny, Project Manager Patrick Beyer and Outreach Coordinator Karen Hitchcock about SWAMP. Here’s her story:


February 04, 2014 5:10 am  •  JUDY NEWMAN | Wisconsin State Journal | jdnewman@madison.com | 608-252-6156

A new project based in Madison aims to root out software vulnerabilities that can leave the door open for viruses, website hacking or other forms of cybercrime, estimated as a $100 billion industry.

The SWAMP, or the Software Assurance Marketplace, is a collaboration of the private, nonprofit Morgridge Institute for Research along with UW-Madison, Indiana University and the University of Illinois at Champaign-Urbana.

Armed with a $23.4 million grant from the U.S. Department of Homeland Security, the SWAMP is offering its services — for free — to companies, software developers and consumers.

The goal is to improve software security, said Miron Livny, the SWAMP’s director and chief technology officer.

“The assumption is that in order to accomplish that, we have to offer better tools to find the security defects in software and we have to increase or expand the adoption or the usage of these tools,” Livny said.

The SWAMP has not designed its own security tools, but it has amassed those already available for public use, called open source software, and is making them available to the public. They can identify potential leaks or weaknesses in the software that might let scammers either take over a computer or program it to make mischief or commit fraud.

“The idea is that if you have a piece of software and you want to run it against the tools, you can bring (upload) it to the SWAMP and we will keep everything that you do confidential,” Livny said.

With security breaches over the holidays for retailers such as Target and Neiman Marcus, and more recent breaches involving several major hotel chains, Internet security has become a pressing concern, Livny added.

“This is a national issue. We all recognize how vulnerable our software is,” Livny said.

The SWAMP project has created 27 jobs, including 22 full-time positions in Madison, project manager Patrick Beyer said.

He said the federal grant will keep it operating for at least five years. After that, “it is our hope that based on the value we provide, we will continue to receive government support,” Beyer said.

Read more

Join us for SWAMP’s Virtual Town Hall Meetings

Executive Session: Prioritizing Software Assurance for Risk Management

We’re getting excited about two events we’re hosting this week in collaboration with T.E.N., Inc. in Atlanta.

Tomorrow, January 22 from 2-3PM ET, our CTO and Director Miron Livny will co-present with NASA Ames Research Center’s Jerry Davis about the importance of software assurance. These two highly accomplished execs will discuss the role of software assurance in risk management and share their own experiences from the academic and government environments. It’s not too late to register and participate in the conversation. Miron and Jerry will be taking plenty of questions from the audience.


Developer Session: Good Security Starts with Software Assurance

For developers, we’re hosting another open session featuring SWAMP’s Chief Science Officer Barton Miller and Cox Communications’ Phil Agcaoili. Both have experiences to share about best tools, practices and the importance of software assurance in the software development lifecycle.

Again, there will be plenty of time for questions from the audience, so please set aside the time to learn more about SwA and the SWAMP.


More information from T.E.N.

SWAMP Contributes at the Cloud Security Alliance Congress

Our infrastructure manager, Daniel Creed, recently returned from the Cloud Security Alliance Annual Congress in Orlando (December 4-5, 2013). Daniel participated in several panel discussions about the SWAMP’s cloud computing environment and illustrated how HTCondor and the SWAMP software use a cloud-like infrastructure for transient workloads.

We’re pleased that many companies and vendors showed significant interest in how the SWAMP uses virtualization for transient workloads. It’s exciting to discuss possible synergies with powerhouses like Intel, who are working on geo-tagging hypervisor workloads at the hardware layer. The SWAMP runs on Intel Xeon processors. Learn more about our capabilities here.

If you have questions about the Cloud Security Alliance Congress or SWAMP infrastructure, contact Dan.