SWAMP Chief Scientist and PI, Bart Miller, along with his colleague, Elisa Heymann, from the University of Wisconsin-Madison’s Computer Sciences department created an educational guide to using the SWAMP: https://vimeo.com/255608773. Be sure to check out their video and links to all of the other SWAMP recordings, webinars, etc. on our website: https://continuousassurance.org/about-us/video-tutorials/.
Category Archives: Cybersecurity
The SWAMP will be presenting and demonstrating at Software Assurance Conference 2018! SwACon is a software assurance (SwA) conference dedicated to advancing the state of the art in software assurance disciplines. The theme of this year’s event is open source tools and techniques that are available for SwA activities. The event is hosted by the Software Engineering Institute (SEI) in collaboration with the DoD Joint Federated Assurance Center (JFAC).
SwACon 2018 will be held on Tuesday, November 27 at the NRECA Conference Center (4301 Wilson Blvd. Arlington, VA – 1st floor). There will be presentations all day, roughly from 9am to 5pm Eastern, and you may attend only selected presentations, if needed. The event is free of charge but does require advance registration. Remote participation will also be available. To register, email email@example.com for details before November 18.
November 27th, 2018
NRECA Conference Center (1st floor)
8:45AM to 9:30AM Check-in and Registration; Light breakfast items to be served 9:30AM to 10:45AM Getting Started with ROSE Compiler Infrastructure – Dan Quinlan
ROSE is an open source compiler infrastructure to build source-to-source program transformation and analysis tools for large-scale C (C89 and C98), C++ (C++98 and C++11), UPC, Fortran (77/95/2003), OpenMP, Java, Python, and PHP applications. ROSE is developed at Lawrence Livermore National Laboratory (LLNL). Presented by Dr. Dan Quinlan, LLNL.
10:45AM to 11:00AM Morning beverage break 11:00AM to 12:00PM Introduction to Binary Analysis with Pharos – Cory Cohen
The SEI’s Pharos project is an open-source static binary analysis framework that is primarily targeted at malware analysis but can also be used for software assurance tasks. Presented by Cory Cohen, SEI.
12:00PM to 1:00PM Lunch break – participants on their own for lunch 1:00PM to 2:30PM Introduction to Software Assurance Marketplace (SWAMP) - Von Welch & Brian Aydemir
Join us to learn about the Software Assurance Marketplace (SWAMP) – a Continuous Software Assurance Platform. During this presentation, we will introduce the SWAMP project and team, describe SWAMP’s capabilities, present a live demo, and explain how you can start using the SWAMP. Presented by Von Welch, Director of Indiana University – Center for Applied Cybersecurity Research (CACR) & Brian Aydemir, Systems Integration Developer, Morgridge Institute for Research/SWAMP.
2:30PM to 2:45PM Afternoon break; Light snacks to be served 2:45PM to 3:45PM Securing Software with Trail of Bits – Peter Goodman & Trent Brunson 3:45PM to 3:55PM Short transition break 3:55PM to 4:55PM Introduction to Source Code Analysis Laboratory (SCALe) - Lori Flynn
Dear SWAMP Users,
A MODERATE security vulnerability was discovered that affects the following versions (and earlier) of the SWAMP plug-ins and libraries on shared systems. Users who are not using any of the following plug-ins or libraries are not affected by this vulnerability.
- swamp-scms-plugin 1.3.4 and earlier
- swamp-eclipse-plugin 1.1.0 and earlier
- swamp-jenkins-plugin 1.1.1 and earlier
- java-cli 1.4.1 and earlier
WHAT IS THE VULNERABILITY
When a vulnerable version of the software is run on a host by a user, it is possible for an attacker with an account on the same host to impersonate the user’s SWAMP identity and gain access to their SWAMP account. For each successful attack, the attacker will be able to impersonate the user for a maximum time period of two days.
WHAT YOU SHOULD DO
SWAMP users using affected plugins and libraries are recommended to update to the most current versions as soon as possible if they have not done so already. The vulnerability is remediated in the following versions or later:
- swamp-scms-plugin 1.3.5
The latest version can be downloaded from https://github.com/mirswamp/swamp-scms-plugin/releases/tag/releases%2F1.3.5. Update instructions can found at https://github.com/mirswamp/swamp-scms-plugin.
- swamp-eclipse-plugin 1.1.1
The latest version can be downloaded and installed directly from within Eclipse. Update instructions can found at https://github.com/mirswamp/swamp-eclipse-plugin.
- swamp-jenkins-plugin 1.1.2
The latest version can be downloaded and installed directly from within Jenkins. Update instructions can found at https://github.com/mirswamp/swamp-jenkins-plugin.
- java-cli 1.4.2
The latest version of the .jar file and source code can be downloaded from https://github.com/mirswamp/java-cli/releases/releases%2F1.4.2.
Please contact SWAMP staff if you have any questions or concerns at firstname.lastname@example.org.
If you are going to be in Baltimore, MD on March 21-22 for DevOpsDays Baltimore, stop by to see the SWAMP team! When registering for the conference, use the SWAMP’s discount code SWAMPFRIENDS to save 10% on your registration. The SWAMP team will be providing demos and answering questions about the SWAMP’s open source software, including SWAMP-in-a-Box and SWAMP plug-ins for Eclipse, Jenkins, and Git/Subversion.
Register for DevOpsDays here.
You can now find the following updates on mir-swamp.org!
- Synopsys Static Analysis (Coverity) is now available for assessing C/C++ packages. You must request and receive permission to use this tool and agree to the EULA.
- We removed from a number of workflows unnecessary pop up notifications affirming that the SWAMP has completed a requested action.
- To accommodate packages with lengthy build parameters, we’ve increased the number of characters allowed for the Configuration and Build settings for new and existing Packages and Package Versions.
- Project Ownership permission is no longer required to create and manage SWAMP projects.
- The Run New Assessments page no longer displays the fields for Tool and Platform selection until you have selected a Package. Note that Platform selection is only available for C/C++ packages.
- “Latest” is no longer an option for the Platform Version of a new assessment. Instead, the current most recent version is selected by default. When new Platform versions are made available, you will need to create new assessments specifically for those new versions.
- You can now stop an assessment run in progress. The Assessment Status page displays a “Kill Assessment” button for assessments that are still in the HTCondor queue. The SWAMP removes the corresponding job from the Condor Queue, causing any VM to shut down. The status of the assessment is updated to “Terminated.” Note that it takes approximately 25 seconds for the termination process to complete.
- Email notifications for completed assessments now correctly report their status as success or failed.
- The Error Report page for assessments that have “finished with errors” now includes a link to the “Status.out and Debugging SWAMP Failures FAQ” documentation providing information for interpreting assessment errors.
- Assessments using Android Lint are now displayed in the Native viewer.
- We added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, PMD, Findbugs, XML lint.
- The CentOS 5.11 and Scientific Linux 5.11 platforms are no longer supported.
- SWAMP-in-a-Box v1.31 is available.
- General enhancements and bug fixes.
Let us know if you have any questions at email@example.com.
Noteworthy changes include:
- Synopsys Static Analysis (Coverity), a tool for assessing C/C++ packages, can now be added to a SWAMP-in-a-Box installation. You must license Synopsys Static Analysis and obtain either the 32-bit or 64-bit tool archive files separately from Synopsys, Inc.
- Documentation for SWAMP-in-a-Box has been reorganized into an Administrator Manual and a Reference Manual. Each comes as a PDF and HTML document, which can be found in `/opt/swamp/doc` on the SWAMP-in-a-Box host.
- New versions of the CentOS and Scientific Linux 6.7 (32-bit and 64-bit) assessment platforms are available. If any of these platforms were previously installed as an add-on, we recommend you download and install the updated versions.
- The CentOS and Scientific Linux 5.11 (32-bit and 64-bit) assessment platforms are no longer supported. If any of these platforms were previously installed as an add-on, they will be removed as part of the upgrade to SWAMP-in-a-Box 1.31.
- Added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, Findbugs, PMD, and XML Lint.
- General enhancements and bug fixes.
Let us know if you have any questions at firstname.lastname@example.org.
Lines of code give life to modern technologies. As technology continues to evolve and is used by millions of people, it is increasingly important to code securely. It only takes one line of faulty code to disrupt the global economy. Luckily, the Software Assurance Marketplace is here to help. As a free to use open source resource, the SWAMP allows users to test code for vulnerabilities to ensure that all code being used is free of errors.
SWAMP users from Germany, the UK, Paraguay, India, Canada, Italy, the Netherlands, and many other countries are committed to the safety, security, and stability of software around the world. Join them in the fight for secure code! Spread the word about the SWAMP to help us promote software assurance! Learn more, call others to action, and leave comments across our social media platforms!