Category Archives: Cybersecurity

Spread the Word about SWAMP!

Lines of code give life to modern technologies. As technology continues to evolve and is used by millions of people, it is increasingly important to code securely. A single faulty line can have consequences far beyond the program it lives in. Luckily, the Software Assurance Marketplace is here to help. As a free-to-use, open-source resource, the SWAMP lets users run static analysis tools against their code to find vulnerabilities and coding weaknesses before that code is put to use.

SWAMP users from Germany, the UK, Paraguay, India, Canada, Italy, the Netherlands, and many other countries are committed to the safety, security, and stability of software around the world. Join them in the fight for secure code! Spread the word about the SWAMP to help us promote software assurance! Learn more, call others to action, and leave comments across our social media platforms!

CSIAC Webinar about SWAMP

The SWAMP team will be presenting a webinar for the Cyber Security & Information Systems Information Analysis Center (CSIAC) on Tuesday, September 12, 2017 from 12:00pm to 1:00pm Eastern Time. This free webinar will provide an overview of the Software Assurance Marketplace and SWAMP-in-a-Box. More details about the webinar and how to register can be found here.

SWAMP Presenting at CyberSecurity R&D Showcase

If you are attending the 2017 DHS CyberSecurity R&D Showcase in D.C. this week, the SWAMP will be presenting on Wednesday, July 12th at 11:10am as part of Track 1. The event will be held at the Mayflower Hotel in Washington, D.C. from Tuesday, July 11th through Thursday, July 13th. The R&D Showcase and Technical Workshop is sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate’s Cyber Security Division (CSD) and is the federal government’s largest cybersecurity research and development conference. Visit the event website for more information.

SWAMP-in-a-Box Update 1.30.114

We have released an update to SWAMP-in-a-Box (SiB) version 1.30. SiB release v1.30.114 contains a few bug fixes and a patch to allow the SWAMP plug-ins to work with SiB. If you have already downloaded or installed SiB v1.30 (v1.30.113), you are not required to download the latest update unless you would like to use the SWAMP plug-ins with your SiB instance.

The updated SWAMP-in-a-Box v1.30.114 is now available for download here or on GitHub. Note that you may still see the version reflected as 1.30, as not all files received the updated 1.30.114 version number, but all appropriate files have been updated.

Let us know if you have any questions at sib@continuousassurance.org.

New MIR-SWAMP Updates

You can now find the following updates on mir-swamp.org!

  • You can now change your SWAMP username when editing your profile page.
  • You can now add Application Passwords to your SWAMP account. These passwords can be used with the SWAMP plug-ins for Eclipse and Jenkins to allow you to connect to the SWAMP without using your main password.
  • Java 8 is now the default Java version when creating new Java source and Java bytecode packages.
  • The SWAMP now uses the “recursive” option to include linked sub-modules when pulling code from GitHub to create a new package or when adding a new package version.
  • The Native viewer for assessment results now includes information about the package, tool, and platform used, along with start and completion times, for the assessment.
  • We added new versions and/or updates for the following assessment tools: Android lint, Brakeman, Dawn, Reek, RuboCop, and ruby-lint.
  • We added support for newer versions of the Android SDK on the platform for building and assessing Android software packages.
  • SWAMP-in-a-Box v1.30 is available.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.30

SWAMP-in-a-Box version 1.30 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:

  • SWAMP-in-a-Box can now be configured to use an LDAP or LDAP-compatible Active Directory server for managing user accounts.
  • SWAMP-in-a-Box can now be configured to allow GitHub, Google, and CILogon accounts to be linked to SWAMP user accounts, allowing users to sign into the SWAMP using their third-party credentials.
  • The GrammaTech CodeSonar tool for assessing C/C++ packages can now be added to a SWAMP-in-a-Box installation. You must license CodeSonar and obtain either the 32-bit or 64-bit installers for CodeSonar separately from GrammaTech, Inc.
  • SWAMP users can now add Application Passwords to their SWAMP accounts. These passwords can be used with the SWAMP plugins for Eclipse and Jenkins to allow them to connect to the SWAMP without using the users’ main passwords.
  • Java 8 is now the default Java version when creating new Java source and Java bytecode packages.
  • The SWAMP now uses the “recursive” option to include linked sub-modules when pulling code from GitHub to create a new package or when adding a new package version.
  • The Native viewer for assessment results now includes information about the package, tool, and platform used, along with start and completion times, for the assessment.
  • SWAMP users can now change their SWAMP username when editing their profile page.
  • Added new versions and/or updates for the following assessment tools: Brakeman, Dawn, Reek, RuboCop, and ruby-lint.
  • The SWAMP-in-a-Box install and upgrade scripts now configure the web server (Apache) to disallow HTTP connections. The SWAMP must be accessed using HTTPS.
  • The SWAMP-in-a-Box install and upgrade scripts no longer attempt to configure firewall settings on the host. Required configuration is now documented in the `README-BUILD-SERVER.md` file that is included with the SWAMP-in-a-Box installer.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

MIR-SWAMP Pen Testing with Black Hills

The SWAMP team prides itself on having a dedicated cybersecurity group. We take this responsibility very seriously. As proud as we are, it would be foolish not to seek review by someone unaffiliated with our project who can provide an objective assessment. So when the reputable cybersecurity firm Black Hills Information Security (BHIS) generously offered to perform a network penetration test, web application penetration test, and risk assessment, all pro bono, we jumped at the opportunity. BHIS is owned by John Strand, one of the co-hosts of the popular Paul’s Security Weekly podcast.

The pen test planning started with our staff providing a high-level overview of the SWAMP network and DNS namespace to determine which resources would be considered in scope and to plan the order in which they would be tested. It also gave us an opportunity to announce maintenance windows for the times when user-facing services would be tested. SWAMP users were notified of these windows in advance. As it turned out, the SWAMP’s infrastructure was designed to handle significant network loads and was not disrupted by the pen test activity. The actual testing started on January 9th, 2017 with a reconnaissance phase in which BHIS attempted to discover as much as possible about SWAMP staff, resources, and names through social media, websites, DNS registration records, and other public records. From the earliest days of the SWAMP, our staff has paid attention to this kind of public-information exposure, which is the raw material for social engineering and targeted attacks, and BHIS recognized that with praise in their final report.

After the reconnaissance phase, BHIS scanned the SWAMP’s external network for listening services and checked any services found for known vulnerabilities. Fortunately, the network scan discovered no exposures that we were not already aware of, although it is quite common to find vulnerable services running during such a scan. The SWAMP staff performs these types of scans on a regular basis.

During the following week of the test, BHIS focused on the SWAMP web application and backend services to look for vulnerabilities specific to the application. This was the most valuable part of the test. Although we run software analysis tools on the SWAMP code to detect weaknesses, the current state of software analysis is somewhat limited, which is something the SWAMP is working to change. Logic mistakes in particular are difficult to detect with automated tools and require manual investigation. Their manual testing found exactly such a weakness, a privilege escalation vulnerability that was easier to find through pen testing than with static analysis tools. Instead of waiting until delivering the final report, BHIS immediately and confidentially contacted the SWAMP’s security team to report the problem. We fixed it in test and production the same day and released a new version of SWAMP-in-a-Box the following week. That BHIS chose to notify us immediately demonstrated their understanding of the risk presented by the vulnerability. It also gave them a first-hand impression of our incident response procedures, which they rated as excellent.

They also performed an internal network scan, which included using a pivot host that represented a compromised system on our internal network. This simulated the more dangerous assumed-breach scenario in which an attacker already has a foothold inside. The scan found a few hosts that were behind on patches; the updates had been delayed by license re-negotiations. The tests also let us see how well our Intrusion Detection System (IDS) worked in practice. During the test, our IDS detected and notified us of a variety of port scans, SQL injection attacks, SSH brute force attempts, network traceroutes, unusual email traffic, and malware downloads. On each new class of alert, we confirmed with the testers that the alarms were due to their activity. After comparing the detection and notification logs with the information in the BHIS report, we determined that the IDS detected and notified us of the majority of their attempts.
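Two of the alert classes listed above, SSH brute force attempts and SQL injection attacks, are easy to reason about in code. The following is an added example, written for this page and not code from the SWAMP project, BHIS, or the SWAMP’s IDS: a minimal detector that runs a sliding-window failed-login count over constructed sshd log lines, URL-decodes web requests before matching injection patterns (an attacker’s payload arrives percent-encoded, so matching the raw request line would miss it), and then correlates sources that show up in both alert classes, which is the kind of cross-check that made it straightforward to confirm alarms against the testers’ activity. The log lines, IP addresses, thresholds and patterns are all illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log lines in standard syslog and Apache combined-log
# shape. They are illustrative only, not logs from the SWAMP or the BHIS test.
SSH_AUTH_LOG = """\
Jan  9 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Jan  9 10:15:03 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Jan  9 10:15:04 bastion sshd[2235]: Failed password for root from 203.0.113.7 port 51016 ssh2
Jan  9 10:15:06 bastion sshd[2237]: Failed password for root from 203.0.113.7 port 51018 ssh2
Jan  9 10:15:08 bastion sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 51020 ssh2
Jan  9 10:15:09 bastion sshd[2241]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Jan  9 10:20:40 bastion sshd[2260]: Failed password for alice from 198.51.100.5 port 40022 ssh2
Jan  9 10:20:55 bastion sshd[2262]: Accepted publickey for alice from 198.51.100.5 port 40024 ssh2
"""

WEB_ACCESS_LOG = """\
203.0.113.7 - - [09/Jan/2017:10:31:02 -0500] "GET /packages?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jan/2017:10:31:05 -0500] "GET /packages?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jan/2017:10:31:09 -0500] "GET /packages?id=17+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.5 - - [09/Jan/2017:10:32:10 -0500] "GET /assessments?status=finished HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# sshd "Failed password" line: timestamp, optional "invalid user", user, source IP.
SSH_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Apache combined log: client IP, request line, status. Only the fields we use.
ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately small signature set for demonstration; a real IDS carries far
# more and needs tuning against legitimate traffic (e.g. apostrophes in search terms).
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\d", re.I),          # 17' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"(--|/\*)\s*$"),                        # trailing SQL comment
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
]


def ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_failures_in_window} for sources that reach `threshold`
    failed logins inside any `window_seconds` span."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        m = SSH_FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences matter here.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def sqli_attempts(log_text):
    """Return [(ip, decoded_request_target)] for requests whose percent-decoded
    target matches one of SQLI_PATTERNS."""
    found = []
    for line in log_text.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["target"])  # decode before matching
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            found.append((m["ip"], decoded))
    return found


def correlate(ssh_log, web_log):
    """Sources seen in both alert classes: the first ones to confirm with the testers."""
    return set(ssh_bruteforce(ssh_log)) & {ip for ip, _ in sqli_attempts(web_log)}


if __name__ == "__main__":
    print("SSH brute force:", ssh_bruteforce(SSH_AUTH_LOG))
    for ip, target in sqli_attempts(WEB_ACCESS_LOG):
        print("SQLi attempt:", ip, target)
    print("Sources in both classes:", correlate(SSH_AUTH_LOG, WEB_ACCESS_LOG))
```

On the sample data the single failed login from 198.51.100.5 stays below the threshold, while 203.0.113.7 is flagged for both brute force and injection. The decode step matters: the second web request only reveals `' OR '1'='1` after `unquote_plus`, which is why signature matching on raw request lines is a common blind spot.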

The test concluded on January 27, 2017. The final report rated the overall risk level of the SWAMP as “Low”, the second lowest rating on BHIS’s five-category scale.

From the final report: “BHIS considers the overall risk to SWAMP based on the key findings in this report to be Low. SWAMP’s external web application appeared to have secure coding standards in place and the external testing did not result in any significant issues. BHIS found the internal network to have several systems missing up-to-date patches, specifically in virtual machine management devices.”

The SWAMP team is already working to address the issues that BHIS brought up and plans to resolve them within the next month, if not sooner.

The SWAMP team would like to thank Black Hills Information Security for this penetration test. The fruits of their efforts not only protect the SWAMP but also its users, and thus contribute to a more secure software community.
