Category Archives: mir-swamp.org

Updates on mir-swamp.org

The following updates are now available in the SWAMP at mir-swamp.org! New

  • The SWAMP now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess.
  • We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1.
  • GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. Users can edit package information to get the Payload URL and set the Secret Token needed to configure a GitHub Webhook to the SWAMP.
  • A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
  • SWAMP packages can now be generated via an External URL that points to a downloadable archive.
  • When a new SWAMP user account is created, a default project called “MyProject” is created automatically. “MyProject” is now viewable in the SWAMP user interface. Users are not able to edit or invite additional members to their “MyProject” projects. All packages users upload to the SWAMP are automatically shared with their “MyProject” project.
  • For users who are owners or members of multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project to use when adding new assessments.
  • The Build Script for a package version is now displayed on a separate pop-up, accessed by clicking the Show Build Script button. This applies to the Build page for adding new packages, adding a new package version to existing packages, and viewing and editing an existing package version.
  • When adding a package or package version for C/C++ or Java Source Code without a build system, users can now specify a “build path” (relative to the package path) that specifies the (non-recursive) directory containing the compilable files to assess. SWAMP now does a better job of informing users about the files that are selected to compile and assess.
  • SWAMP now does a better job of informing users about the files that are selected to assess for Ruby, Python, and Web Scripting packages with a build system of “none.”
  • The SWAMP Native Results Viewer now correctly displays the primary bug location instead of the first bug located for weaknesses reported by tools that include multiple bug locations.
  • The SWAMP discontinued support for the Ubuntu 10.04 assessment platform.
  • SWAMP-in-a-Box v1.34 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

GrammaTech Adds Real World Benchmarks to SWAMP

FOR IMMEDIATE RELEASE:
January 31, 2019

GrammaTech Adds Real World Benchmarks to SWAMP

MADISON, WI – (January 31, 2019) – Software development and quality managers that are looking to measure the benefit of static analysis now have a platform to do just that. GrammaTech, under contract for the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), has created independent real-world benchmarks that are now available in the Software Assurance Marketplace (SWAMP).

Several different synthetic benchmarks exist that can be used to measure how well static analysis tools perform in detecting bugs. However, many of these have limitations with the code paths typically being too simple. GrammaTech, under contract for DHS S&T, has created BugInjector, a tool that can inject Common Weakness Enumeration (CWE) based bug patterns into existing code bases, thus delivering real-world benchmarks. The BugInjector tool is available directly from GrammaTech to inject bugs into private code bases for training purposes. Additionally, four different real-world code bases (nginx, grep, sqlite, lighttpd) have been injected with bugs and are available through the Software Assurance Marketplace, enabling users to easily benchmark how well their static analysis tools are able to find these bugs in realistic code paths.

“There is an urgent need for benchmarks, such as those from GrammaTech, to allow software developers to evaluate static analysis tools in a comprehensive and real-world setting,” says Barton Miller, Professor of Computer Sciences at the University of Wisconsin – Madison and Chief Scientist of SWAMP. “Also, developers of static analysis tools now have the ability to enhance their tools or benchmark new static analysis technologies with realistic test cases. Integrating these benchmarks into the SWAMP platform increases their effectiveness and availability.”

“GrammaTech CodeSonar® has always focused on highest recall,” says Paul Anderson, VP of Engineering at GrammaTech, Inc. “Many tools claim that they can catch a particular CWE, but there has never been a way to measure how well tools perform if this CWE is hidden deep inside a code path. BugInjector provides an automated way to objectively measure static analysis tool recall; interested parties can now evaluate CodeSonar®’s market leading recall against other tools easily.”

The Software Assurance Marketplace’s static analysis capabilities are available for use in the cloud or on-premise at no cost. Interested parties can sign up to use the SWAMP at mir-swamp.org and find the BugInjector test cases on the Resources page under Packages. After selecting a package and version containing a CWE of interest, users can run an assessment of the chosen “bug injected” software using one or more software assurance tools. GrammaTech CodeSonar® is one of the commercial tools that is integrated into the SWAMP, along with many other open source static analysis tools. Users can also download BugInjector test cases to run against tools they are developing.

ABOUT GRAMMATECH

GrammaTech’s advanced static analysis tools are used by software developers worldwide, spanning a myriad of embedded software industries including avionics, government, medical, military, industrial control, and other applications where reliability and security are paramount. Originally developed within Cornell University, GrammaTech is now a leading research center for software security and a commercial vendor of software-assurance tools and advanced cyber-security solutions. With both static and dynamic analysis tools that analyze source code as well as binary executables, GrammaTech continues to advance the science of superior software analysis, providing technology for developers to produce safer software. For more information, visit www.grammatech.com or follow us on LinkedIn.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 500 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

https://www.prnewswire.com/news-releases/grammatech-adds-real-world-benchmarks-to-swamp-300787603.html
http://news.grammatech.com/grammatech-adds-real-world-benchmarks-to-swamp

SWAMP Instructional Videos

SWAMP Chief Scientist and PI, Bart Miller, along with his colleague, Elisa Heymann, from the University of Wisconsin-Madison’s Computer Sciences department created an educational guide to using the SWAMP: https://vimeo.com/255608773. Be sure to check out their video and links to all of the other SWAMP recordings, webinars, etc. on our website: https://continuousassurance.org/about-us/video-tutorials/.

SWAMP Plug-Ins Updates

Updates are now available for the following SWAMP plug-ins:

If a user submits an assessment with a tool that they do not have permission to use, the assessment is not submitted and an error is reported to the user.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub: https://github.com/mirswamp.

New Updates on MIR-SWAMP.org

The following updates were made to the SWAMP at mir-swamp.org.

  1. We have updated the Acceptable Use Policy (AUP) for the SWAMP. The updated AUP replaces all previous versions.
  2. We’ve replaced version 10.3.3 of Parasoft C/C++test and Jtest with version 10.3.4.
  3. We’ve added version 10.4.0 of Parasoft C/C++test and Jtest.
  4. The Native viewer is now the default results viewer selected on the Assessment Results page.
  5. General enhancements and bug fixes

Please let us know if you have any questions at support@continuousassurance.org.

 

Want to fight cyberthreats? Start with clean code

FOR IMMEDIATE RELEASE:
August 8, 2018

Want to fight cyberthreats? Start with clean code

MADISON, WI – (August 8, 2018) – Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.

“You’re not going to get extra points,” he says. “It’s just that you can turn in your code only when it comes through clean.”

That may sound stringent, but Miller is confident it won’t be such a chore. His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.

The SWAMP offers more than 30 open-source and commercial static code analysis tools fully integrated into its automated platform. Leading commercial tool providers in the SWAMP include Synopsys, Parasoft, and GrammaTech, all household names with programmers.

“For the students, using the SWAMP is to feel the freedom that they are not handcuffed to a single tool,” Miller says, likening the SWAMP experience to taking multiple medications to manage a chronic disease. “Each medication may not solve the whole problem, but it may have a strength that other medications don’t have.”

Launched five years ago, the SWAMP is now coming into its own as a free, portable, one-stop source for programmers to tighten up their code — and, in turn, shore up the most frequent target of cyberattacks. The project is funded by the Department of Homeland Security and is led by the Morgridge Institute for Research in close collaboration with partners at UW-Madison, Indiana University, and the University of Illinois.

Miller’s classroom experiment represents an important front for the SWAMP as it aims to advance continuous assurance on software security. Software assurance is for the most part missing from the undergraduate coding curriculum and is often relegated to separate security-based courses. Miller, a UW-Madison computer science professor and chief scientist of the SWAMP, says the goal is to create “turnkey resources” such as video tutorials for computer science instructors to plug it into their courses.

Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions. The SWAMP platform was designed to support “scaling-out” in support of wide-scale usage.

Miron Livny, SWAMP director and chief technology officer, says that partnering with the educational community is key because the software security challenge has strong behavioral elements that need to be addressed in the beginning stages of software development teaching. Raising awareness early among future developers, and providing integrated tools like the SWAMP, will help make software assurance a continuous activity in the software life-cycle.

Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and SWAMP chief information security officer, says the greatest contribution of the SWAMP has been to provide empowerment in what seems like an unwinnable scenario.

“The whole ecosystem of software has just exploded with iPhones and Android phones and software doing a lot for our lives these days,” he says. “It’s easy to be sort of abstractly aware of the security challenge, but we’re giving developers a tool to do something concrete about it.”

The project also yielded an application called “SWAMP-in-a-Box,” which enables developers to deploy the platform locally on their private network to address security and privacy concerns. In 2018 to date, more than 34,000 software assessments have been run in the SWAMP, covering hundreds of millions of lines of code.

Companies and organizations also have been active in the SWAMP. Partners on specialized assurance projects include the Department of Defense, defense contractors, and commercial companies certifying software.

Cyberattacks are only getting worse as software proliferates into every corner of life. Operating systems that once could support a few thousand applications can now support as many as 3 million. Things got remarkably bad in 2017 with 159,700 cyberattacks targeting businesses —nearly doubling the previous year’s total, according to the Online Trust Alliance.

One example from last year serves as a “poster child” for business catastrophe, Miller says. Dutch-based Maersk Shipping, representing almost one-fifth of all the world’s cargo shipping, was hit with the “NotPetya” ransomware virus that wiped out all 45,000 of the company’s computers. The result snarled global shipping traffic and cost the company $300 million in repairs.

“One of the challenges in cybersecurity right now is the attackers get unlimited attempts,” adds Welch. “Cyber attackers have this sort of invulnerability and anonymity and they’re doing it from across the world. When they keep attacking, it’s like the idea of monkeys typing randomness until they eventually produce Shakespeare.”

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org

https://morgridge.org/story/want-to-fight-cyberthreats/
https://news.wisc.edu/want-to-fight-cyberthreats-start-with-clean-code/

SWAMP updates for mir-swamp.org

The following updates are now available at mir-swamp.org: New

  • The Ubuntu 16.04 platform has been updated to reduce the frequency of assessment failures.
  • Fixes were made to prevent Ruby assessment failures.
  • When using the latest versions of the Safari web browser, you can now create a new package or package version using a GitHub URL.
  • C assessments now support the arm cross compiler.
  • Phone support is no longer available. For SWAMP support, please email support@continuousassurance.org. To report a security incident, please email security@continuousassurance.org. The Contact Us form has been removed from the Contact page.
  • SWAMP-in-a-Box v1.33.1 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

« Older Entries