SWAMP Chief Scientist and PI, Bart Miller, along with his colleague, Elisa Heymann, from the University of Wisconsin-Madison’s Computer Sciences department created an educational guide to using the SWAMP: https://vimeo.com/255608773. Be sure to check out their video and links to all of the other SWAMP recordings, webinars, etc. on our website: https://continuousassurance.org/about-us/video-tutorials/.
Category Archives: Education
The SWAMP team has a busy fall schedule! We have four more events coming up, including tutorials.
- Bart Miller and Elisa Heymann from the University of Wisconsin-Madison are presenting about the SWAMP in their training, “Automated Assessment Tools – Theory & Practice,” at the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure on August 21 at 9:00am-1:00pm in Alexandria, VA. View the Training Descriptions for details.
- Bart Miller and Elisa Heymann will be teaching a tutorial at the IEEE Cybersecurity Development Conference (SecDev) held on September 30-October 2 in Cambridge, MA. “Secure Coding Practices, Automated Assessment Tools and the SWAMP” is scheduled on September 30 from 1:30pm to 5:00pm (view the agenda). Register for the conference here.
- Bart Miller and Elisa Heymann will be presenting at the O’Reilly Velocity conference in London on October 30-November 2. Their session, “Critical Infrastructure Software Security: A Maritime Shipping Study Case,” will be at 1:15–1:55pm on Friday, November 2. Register for Velocity here.
- On November 11-12, Bart Miller and Elisa Heymann will be giving a tutorial at Supercomputing 2018 in Dallas, TX. Review the schedule, and sign up for “Secure Coding Practices and Automated Assessment Tools” to learn about security programming and software assurance tools, including hands-on activities in the SWAMP! Registration can be found here.
FOR IMMEDIATE RELEASE:
August 8, 2018
Want to fight cyberthreats? Start with clean code
MADISON, WI – (August 8, 2018) – Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.
“You’re not going to get extra points,” he says. “It’s just that you can turn in your code only when it comes through clean.”
That may sound stringent, but Miller is confident it won’t be such a chore. His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.
The SWAMP offers more than 30 open-source and commercial static code analysis tools fully integrated into its automated platform. Leading commercial tool providers in the SWAMP include Synopsys, Parasoft, and GrammaTech, all household names with programmers.
“For the students, using the SWAMP is to feel the freedom that they are not handcuffed to a single tool,” Miller says, likening the SWAMP experience to taking multiple medications to manage a chronic disease. “Each medication may not solve the whole problem, but it may have a strength that other medications don’t have.”
Launched five years ago, the SWAMP is now coming into its own as a free, portable, one-stop source for programmers to tighten up their code — and, in turn, shore up the most frequent target of cyberattacks. The project is funded by the Department of Homeland Security and is led by the Morgridge Institute for Research in close collaboration with partners at UW-Madison, Indiana University, and the University of Illinois.
Miller’s classroom experiment represents an important front for the SWAMP as it aims to advance continuous assurance on software security. Software assurance is for the most part missing from the undergraduate coding curriculum and is often relegated to separate security-based courses. Miller, a UW-Madison computer science professor and chief scientist of the SWAMP, says the goal is to create “turnkey resources” such as video tutorials for computer science instructors to plug it into their courses.
Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions. The SWAMP platform was designed to support “scaling-out” in support of wide-scale usage.
Miron Livny, SWAMP director and chief technology officer, says that partnering with the educational community is key because the software security challenge has strong behavioral elements that need to be addressed in the beginning stages of software development teaching. Raising awareness early among future developers, and providing integrated tools like the SWAMP, will help make software assurance a continuous activity in the software life-cycle.
Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and SWAMP chief information security officer, says the greatest contribution of the SWAMP has been to provide empowerment in what seems like an unwinnable scenario.
“The whole ecosystem of software has just exploded with iPhones and Android phones and software doing a lot for our lives these days,” he says. “It’s easy to be sort of abstractly aware of the security challenge, but we’re giving developers a tool to do something concrete about it.”
The project also yielded an application called “SWAMP-in-a-Box,” which enables developers to deploy the platform locally on their private network to address security and privacy concerns. In 2018 to date, more than 34,000 software assessments have been run in the SWAMP, covering hundreds of millions of lines of code.
Companies and organizations also have been active in the SWAMP. Partners on specialized assurance projects include the Department of Defense, defense contractors, and commercial companies certifying software.
Cyberattacks are only getting worse as software proliferates into every corner of life. Operating systems that once could support a few thousand applications can now support as many as 3 million. Things got remarkably bad in 2017 with 159,700 cyberattacks targeting businesses —nearly doubling the previous year’s total, according to the Online Trust Alliance.
One example from last year serves as a “poster child” for business catastrophe, Miller says. Dutch-based Maersk Shipping, representing almost one-fifth of all the world’s cargo shipping, was hit with the “NotPetya” ransomware virus that wiped out all 45,000 of the company’s computers. The result snarled global shipping traffic and cost the company $300 million in repairs.
“One of the challenges in cybersecurity right now is the attackers get unlimited attempts,” adds Welch. “Cyber attackers have this sort of invulnerability and anonymity and they’re doing it from across the world. When they keep attacking, it’s like the idea of monkeys typing randomness until they eventually produce Shakespeare.”
ABOUT THE SWAMP
The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.
Morgridge Institute for Research
The SWAMP team will be joining the DHS Science and Technology booth #1336 in the business hall on Wednesday, August 8 and Thursday, August 9. We will be demoing SWAMP software, providing information about our project, and answering your questions. You are invited to stop by the DHS S&T booth for a 10-minute presentation at the following times:
- Wednesday, August 8 – 12:15-12:30pm & 5:15-5:30pm
- Thursday, August 9 – 12:15-12:30pm
FOR IMMEDIATE RELEASE:
December 21, 2017
Madison-based SWAMP and Synopsys join forces to educate the future cybersecurity workforce
MADISON, WI–(GlobeNewswire – December 21, 2017) –
The Software Assurance Marketplace (SWAMP) has partnered with Synopsys, an industry leader in software security and quality, to expand its suite of assurance tools in support of the academic community.
In support of educators training the next generation of software developers on secure coding practices, the SWAMP’s continuous assurance platform has added Synopsys Static Analysis (Coverity), a widely used static analysis tool produced by Synopsys, that scans C and C++, the programming languages used by more than one in five programmers worldwide. Synopsys Static Analysis (Coverity), which was recently named a Leader in The Forrester Wave: Static Application Security Testing, marks the fourth industry tool incorporated into the SWAMP’s open and accessible assurance facility. As a result of this partnership, educators can integrate Coverity into their curricula through the SWAMP at no cost.
“Synopsys Static Analysis (Coverity) is a widely respected tool in the software assurance community and is a valuable addition to the SWAMP,” says Barton Miller, University of Wisconsin-Madison professor of computer science and chief scientist of the SWAMP.
“We see a critical need to increase the workforce trained in the best practices of software security,” adds Miller. “Our partnership with Synopsys significantly furthers our efforts to reach educators and provide more trained practitioners.”
“Joining forces with Synopsys in including award-winning software assurance capabilities in our marketplace is an important step in the implementation of our vision,” says Miron Livny, SWAMP director and chief technology officer for the Morgridge Institute for Research. “Our goal at SWAMP is to establish an assurance ecosystem by incorporating a rich suite of tools, and in adding Synopsys Static Analysis (Coverity), we make a significant step in achieving this goal in support of education and cybersecurity workforce development.”
The SWAMP has a unique focus on workforce development and is partnering with universities to integrate software assurance into the curriculum. Miller says the Synopsys Static Analysis (Coverity) launch will be especially valuable to the academic community since the C and C++ languages are commonly used in educational settings. Students who are learning to code and refine their programming skills will have an additional tool to evaluate their software for errors, expanding their resources for developing dependable and secure code.
Few aspects of everyday life are not touched by software, from commerce to energy to healthcare sectors. Weaknesses in software code are the most common targets of security breaches. The SWAMP’s goal is to help eliminate those weaknesses before they are deployed and become exploited vulnerabilities by integrating effective software assessment techniques into the developer’s work cycle.
Its most important benefit to developers and educators has been providing an integrated, one-stop environment for programmers to analyze their code across a wide range of commercial and open-source tools — and providing the combined feedback in a single results viewer.
For more information about capabilities offered by the SWAMP, visit www.mir-swamp.org.
ABOUT THE SWAMP
The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools.
Morgridge Institute for Research
The SWAMP team will be presenting a webinar for the Cyber Security & Information Systems Information Analysis Center (CSIAC) on Tuesday, September 12, 2017 from 12:00pm to 1:00pm Eastern Time. This free webinar will provide an Overview of the Software Assurance Marketplace and SWAMP-in-a-Box. More details about the webinar and how to register can be found here.
If you are attending the 2017 DHS CyberSecurity R&D Showcase in D.C. this week, the SWAMP will be presenting on Wednesday, July 12th at 11:10am as part of Track 1. The event will be held at the Mayflower Hotel in Washington, D.C. from Tuesday, July 11th through Thursday, July 13th. The R&D Showcase and Technical Workshop is sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate’s Cyber Security Division (CSD) and is the federal government’s largest cybersecurity research and development conference. Visit the event website for more information.