Category Archives: Open Source

Software Assurance Conference 2018

The SWAMP will be presenting and demonstrating at Software Assurance Conference 2018! SwACon is a software assurance (SwA) conference dedicated to advancing the state of the art in software assurance disciplines. The theme of this year’s event is open source tools and techniques that are available for SwA activities. The event is hosted by the Software Engineering Institute (SEI) in collaboration with the DoD Joint Federated Assurance Center (JFAC).

SwACon 2018 will be held on Tuesday, November 27 at the NRECA Conference Center (4301 Wilson Blvd. Arlington, VA – 1st floor). There will be presentations all day, roughly from 9am to 5pm Eastern, and you may attend only selected presentations, if needed. The event is free of charge but does require advance registration. Remote participation will also be available. To register, email swamp@continuousassurance.org for details before November 18.

 

Agenda:

SwACon 2018
November 27th, 2018
NRECA Conference Center (1st floor)
Arlington, VA

8:45AM to 9:30AM    Check-in and Registration; Light breakfast items to be served

9:30AM to 10:45AM   Getting Started with ROSE Compiler Infrastructure – Dan Quinlan

ROSE is an open source compiler infrastructure to build source-to-source program transformation and analysis tools for large-scale C (C89 and C98), C++ (C++98 and C++11), UPC, Fortran (77/95/2003), OpenMP, Java, Python, and PHP applications. ROSE is developed at Lawrence Livermore National Laboratory (LLNL). Presented by Dr. Dan Quinlan, LLNL.

10:45AM to 11:00AM  Morning beverage break

11:00AM to 12:00PM  Introduction to Binary Analysis with Pharos – Cory Cohen

The SEI’s Pharos project is an open-source static binary analysis framework that is primarily targeted at malware analysis but can also be used for software assurance tasks. Presented by Cory Cohen, SEI.

12:00PM to 1:00PM   Lunch break – participants on their own for lunch

1:00PM to 2:30PM    Introduction to Software Assurance Marketplace (SWAMP) – Von Welch & Brian Aydemir

Join us to learn about the Software Assurance Marketplace (SWAMP) – a Continuous Software Assurance Platform. During this presentation, we will introduce the SWAMP project and team, describe SWAMP’s capabilities, present a live demo, and explain how you can start using the SWAMP. Presented by Von Welch, Director of Indiana University – Center for Applied Cybersecurity Research (CACR) & Brian Aydemir, Systems Integration Developer, Morgridge Institute for Research/SWAMP.

2:30PM to 2:45PM    Afternoon break; Light snacks to be served

2:45PM to 3:45PM    Securing Software with Trail of Bits – Peter Goodman & Trent Brunson

3:45PM to 3:55PM    Short transition break

3:55PM to 4:55PM    Introduction to Source Code Analysis Laboratory (SCALe) – Lori Flynn

SWAMP-in-a-Box Update v1.33.4

SWAMP-in-a-Box version 1.33.4 is now available from GitHub or the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.33.4.
  • SWAMP-in-a-Box now automatically re-tries (up to three additional times) assessments that finish with an error related to networking. This includes assessments for which a VM does not have network connectivity or for which OS dependencies cannot be installed. In many cases, these assessments succeed on the first retry.
  • SWAMP-in-a-Box administrators can now configure which viewer is initially selected on the Assessment Results page. When SWAMP-in-a-Box 1.33.4 is installed, this configuration is set to use the Native Viewer. Note that this is only applicable if a third-party viewer has been added to SWAMP-in-a-Box.
  • Parasoft C/C++test versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • Parasoft Jtest versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft Jtest and obtain the 64-bit tool archive files separately from Parasoft. 
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Plug-Ins Updates

Updates are now available for the following SWAMP plug-ins:

If a user submits an assessment with a tool that they do not have permission to use, the assessment is not submitted and an error is reported to the user.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub: https://github.com/mirswamp.

SWAMP Plug-Ins Updates

Updates are now available for the following pieces of SWAMP open-source software!

  • Java-CLI version 1.5.3
  • SWAMP-Jenkins-Plugin version 1.2.2
  • SWAMP-Eclipse-Plugin version 1.1.3

These updates address a cookie expiration issue that affected plug-ins used with SWAMP-in-a-Box instances whose system clock was not set to the current time.
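The failure mode behind a clock-related cookie expiration problem is worth seeing concretely. A server whose clock is behind real time issues a session cookie with an absolute Expires date computed from that stale clock; a client with a correct clock sees an Expires instant that is already in the past, discards the cookie on receipt, and every subsequent request arrives unauthenticated. The script below is an added illustration, not SWAMP, Java-CLI or plug-in code, and it does not claim to be the fix the updates above shipped. The Set-Cookie header, the server Date header and both clocks are constructed sample values. It shows the naive check failing and two skew-tolerant alternatives: honouring Max-Age (relative to receipt, so immune to skew, and given precedence over Expires by RFC 6265) and, when only Expires is present, converting it to a duration with the response's Date header. The proper fix on the server side remains keeping the clock correct (NTP); the client-side handling only limits the damage.

```python
"""Clock skew and cookie expiry: why a stale server clock makes session
cookies vanish on a client with a correct clock, and one skew-tolerant
way for a client to evaluate expiry. Added example; not SWAMP code."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flags such as HttpOnly map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def expiry_on_client_clock(attrs, received_at, server_date=None):
    """Return the instant, on the client's clock, at which the cookie expires,
    or None for a session cookie with no expiry.

    Max-Age is a duration from receipt, so server clock skew cannot affect it
    and RFC 6265 gives it precedence over Expires. Expires is an absolute
    instant on the *server's* clock; if the response also carried a Date
    header we trust the server only for the duration (Expires - Date) and
    anchor it to our own clock. With neither Max-Age nor Date we can only
    compare the server's absolute instant against our clock (the naive path).
    """
    if "max-age" in attrs:
        return received_at + timedelta(seconds=int(attrs["max-age"]))
    if "expires" not in attrs:
        return None
    expires = parsedate_to_datetime(attrs["expires"])  # aware UTC for "GMT"
    if server_date is not None:
        return received_at + (expires - server_date)
    return expires


def is_expired(attrs, received_at, server_date=None):
    """True if the cookie should be discarded as already expired."""
    expiry = expiry_on_client_clock(attrs, received_at, server_date)
    return expiry is not None and expiry <= received_at


# Constructed sample: the server believes it is July, the client knows it is
# November. The server intends a two-hour session (Expires is Date + 2h).
SET_COOKIE = ("swamp_session=deadbeef; Expires=Wed, 18 Jul 2018 14:00:00 GMT; "
              "Path=/; HttpOnly; Secure")
SERVER_DATE = parsedate_to_datetime("Wed, 18 Jul 2018 12:00:00 GMT")
CLIENT_NOW = datetime(2018, 11, 27, 12, 0, tzinfo=timezone.utc)


def demo():
    """Evaluate the sample cookie naively and with skew correction."""
    name, _value, attrs = parse_set_cookie(SET_COOKIE)
    return {
        "cookie": name,
        "naive_expired": is_expired(attrs, CLIENT_NOW),
        "skew_corrected_expired": is_expired(attrs, CLIENT_NOW, SERVER_DATE),
    }


if __name__ == "__main__":
    print(demo())
```

Run as-is, the naive evaluation drops the cookie immediately while the Date-anchored evaluation keeps it for the two hours the server intended. Note the trade-off: anchoring to the Date header means a client will keep a cookie the server's own clock would consider expired once that clock is corrected, so the server must still validate session age on its side rather than rely on the browser or plug-in honouring Expires.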

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub: https://github.com/mirswamp.

SWAMP is coming to OSCON 2018!

O'Reilly Open Source Convention in Portland 2018
The SWAMP will be at OSCON 2018 this week, and we want to see you in Portland, OR! Use our discount code, SWAMP25, to save 25% on your Gold, Silver, or Bronze OSCON pass, if you still need to register for the conference.

The Software Assurance Marketplace will be in Booth #322 on July 18-19. Our team will be demoing the latest enhancements to SWAMP and SWAMP-in-a-Box. Please stop by to hear about what the SWAMP project and continuous software assurance have to offer!

SWAMP-in-a-Box Update v1.33.1

SWAMP-in-a-Box version 1.33.1 is now available from GitHub or the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • Updated settings for the Ubuntu 16.04 platform to reduce the frequency with which assessments fail in the Install OS Dependencies step. The new platform file, condor-ubuntu-16.04-64-master-2018012491.qcow2, will be installed automatically with a SWAMP-in-a-Box upgrade to v1.33.1.
  • Fixes to prevent Ruby assessment failures
  • When using the latest versions of the Safari web browser, you can now create a new package or package version using a GitHub URL.
  • C assessments now support the ARM cross compiler.
  • Configuration options for the Clang Static Analyzer tool. Please contact SWAMP support for details.
  • The swamp_check_install script (which is run at the end of an install or upgrade, but can also be run manually) has been updated so that it no longer incorrectly reports that the mysql service is not running on CentOS 6 with a recent yum update.
  • Ability to remove Sign-Up functionality to prevent additional users from signing up.
  • Phone support is no longer available. For SWAMP-in-a-Box support, please email sib@continuousassurance.org or support@continuousassurance.org. To report a security incident, please email security@continuousassurance.org.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.
