Category Archives: Press Release

Want to fight cyberthreats? Start with clean code

FOR IMMEDIATE RELEASE:
August 8, 2018

Want to fight cyberthreats? Start with clean code

MADISON, WI – (August 8, 2018) – Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.

“You’re not going to get extra points,” he says. “It’s just that you can turn in your code only when it comes through clean.”

That may sound stringent, but Miller is confident it won’t be such a chore. His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.

The SWAMP offers more than 30 open-source and commercial static code analysis tools fully integrated into its automated platform. Leading commercial tool providers in the SWAMP include Synopsys, Parasoft, and GrammaTech, all household names among programmers.

“For the students, using the SWAMP is to feel the freedom that they are not handcuffed to a single tool,” Miller says, likening the SWAMP experience to taking multiple medications to manage a chronic disease. “Each medication may not solve the whole problem, but it may have a strength that other medications don’t have.”

Launched five years ago, the SWAMP is now coming into its own as a free, portable, one-stop source for programmers to tighten up their code — and, in turn, shore up the most frequent target of cyberattacks. The project is funded by the Department of Homeland Security and is led by the Morgridge Institute for Research in close collaboration with partners at UW-Madison, Indiana University, and the University of Illinois.

Miller’s classroom experiment represents an important front for the SWAMP as it aims to advance continuous assurance on software security. Software assurance is for the most part missing from the undergraduate coding curriculum and is often relegated to separate security-based courses. Miller, a UW-Madison computer science professor and chief scientist of the SWAMP, says the goal is to create “turnkey resources” such as video tutorials for computer science instructors to plug it into their courses.

Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions. The SWAMP platform was designed to support “scaling-out” in support of wide-scale usage.

Miron Livny, SWAMP director and chief technology officer, says that partnering with the educational community is key because the software security challenge has strong behavioral elements that need to be addressed in the beginning stages of software development teaching. Raising awareness early among future developers, and providing integrated tools like the SWAMP, will help make software assurance a continuous activity in the software life cycle.

Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and SWAMP chief information security officer, says the greatest contribution of the SWAMP has been to provide empowerment in what seems like an unwinnable scenario.

“The whole ecosystem of software has just exploded with iPhones and Android phones and software doing a lot for our lives these days,” he says. “It’s easy to be sort of abstractly aware of the security challenge, but we’re giving developers a tool to do something concrete about it.”

The project also yielded an application called “SWAMP-in-a-Box,” which enables developers to deploy the platform locally on their private network to address security and privacy concerns. In 2018 to date, more than 34,000 software assessments have been run in the SWAMP, covering hundreds of millions of lines of code.

Companies and organizations also have been active in the SWAMP. Partners on specialized assurance projects include the Department of Defense, defense contractors, and commercial companies certifying software.

Cyberattacks are only getting worse as software proliferates into every corner of life. Operating systems that once could support a few thousand applications can now support as many as 3 million. Things got remarkably bad in 2017 with 159,700 cyberattacks targeting businesses — nearly doubling the previous year’s total, according to the Online Trust Alliance.

One example from last year serves as a “poster child” for business catastrophe, Miller says. Dutch-based Maersk Shipping, representing almost one-fifth of all the world’s cargo shipping, was hit with the “NotPetya” ransomware virus that wiped out all 45,000 of the company’s computers. The result snarled global shipping traffic and cost the company $300 million in repairs.

“One of the challenges in cybersecurity right now is the attackers get unlimited attempts,” adds Welch. “Cyber attackers have this sort of invulnerability and anonymity and they’re doing it from across the world. When they keep attacking, it’s like the idea of monkeys typing randomness until they eventually produce Shakespeare.”

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org

https://morgridge.org/story/want-to-fight-cyberthreats/
https://news.wisc.edu/want-to-fight-cyberthreats-start-with-clean-code/

With SWAMP-in-a-Box, Bring Your Own License and Turbo-Charge Software Assurance

FOR IMMEDIATE RELEASE:
February 28, 2018

With SWAMP-in-a-Box, ‘Bring Your Own License’ and turbo-charge software assurance

MADISON, WI–(GlobeNewswire – February 28, 2018) – In the drive to reduce software security flaws, the Software Assurance Marketplace (SWAMP) project has enhanced its portable platform that brings a comprehensive suite of software assurance tools to the programmer’s desktop.

This open-source SWAMP-in-a-Box (SiB) platform now integrates more than 30 tools, both open source and commercial, into a customizable, easy-to-deploy capability, significantly reducing the barriers to entry for using such tools.

Using multiple tools to regularly scan software is the cornerstone of continuous assurance – the practice of integrating software assurance into the continuous cycle of modern software development. As a continuous assurance platform, SiB facilitates software assessment with multiple assurance tools. The new “Bring Your Own License” model allows organizations to integrate already-purchased commercial tools into their locally deployed SWAMP-in-a-Box instance.

Organizations need only to acquire a license for the commercial tools supported by SiB or use an existing license that they have acquired. The result is hassle-free continuous assessments with the tools of their choice. “Bring Your Own License” capabilities further the SWAMP’s goal of offering a one-stop continuous assurance resource for developers throughout the software development life cycle.

“We continuously receive requests from organizations who deploy SiB to add support for additional tools,” says Miron Livny, SWAMP director and chief technology officer. “In close collaboration with vendors, we work to integrate new commercial tools while maintaining the tool-neutrality of our platform. Our goal is to make the software assurance process simpler and more effective for all parties involved in the software assurance ecosystem.”

While hundreds of software assurance tools are available to the development community, the SWAMP is working to maximize its impact by forging partnerships with industry-leading tool providers. Partnerships have been established with vendors such as Parasoft, Synopsys, GrammaTech, and PRQA. The SWAMP is actively seeking new partnerships with software assurance and security tool providers in both the commercial and open-source sectors.

“The vendors provide the state-of-the-art assurance tools; we make the tools easy to run by making them a natural part of the programmer’s workflow and helping with the best configuration settings for each,” says Bart Miller, University of Wisconsin-Madison computer scientist and chief scientist for the SWAMP. “We not only help save time, but our continuous assurance platform will also help users get the maximum benefit out of their tools by doing all the configuration work up-front.”

Whether they are small businesses or individual developers, SiB gives organizations peace of mind that the tools are properly installed, maintained, and running the latest upgrades.

The SiB continuous assurance platform is freely available. It can be easily deployed, configured on local hardware, and placed behind a firewall. This allows all assessments to be run locally, with no outside connections, increasing privacy and security for organizations with sensitive and proprietary materials.

To learn more about integrating licensed software tools with SWAMP-in-a-Box, join a free webinar on Thursday, March 8 hosted by Parasoft. This webinar will provide a case-study overview of the SWAMP’s partnership with Parasoft.

Vendors interested in partnering with the SWAMP project may contact Project Manager Irene Landrum at 608-316-4114 or ilandrum@morgridge.org. Developers interested in learning more about SiB can visit: https://continuousassurance.org/swamp-in-a-box/.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Irene Landrum
Morgridge Institute for Research
608-316-4114
ilandrum@morgridge.org


SWAMP and Synopsys join forces to educate the future cybersecurity workforce

FOR IMMEDIATE RELEASE:
December 21, 2017

Madison-based SWAMP and Synopsys join forces to educate the future cybersecurity workforce

MADISON, WI–(GlobeNewswire – December 21, 2017) –

The Software Assurance Marketplace (SWAMP) has partnered with Synopsys, an industry leader in software security and quality, to expand its suite of assurance tools in support of the academic community.

In support of educators training the next generation of software developers on secure coding practices, the SWAMP’s continuous assurance platform has added Synopsys Static Analysis (Coverity), a widely used static analysis tool produced by Synopsys, that scans C and C++, the programming languages used by more than one in five programmers worldwide. Synopsys Static Analysis (Coverity), which was recently named a Leader in The Forrester Wave: Static Application Security Testing, marks the fourth industry tool incorporated into the SWAMP’s open and accessible assurance facility. As a result of this partnership, educators can integrate Coverity into their curricula through the SWAMP at no cost.

“Synopsys Static Analysis (Coverity) is a widely respected tool in the software assurance community and is a valuable addition to the SWAMP,” says Barton Miller, University of Wisconsin-Madison professor of computer science and chief scientist of the SWAMP.

“We see a critical need to increase the workforce trained in the best practices of software security,” adds Miller. “Our partnership with Synopsys significantly furthers our efforts to reach educators and provide more trained practitioners.”

“Joining forces with Synopsys in including award-winning software assurance capabilities in our marketplace is an important step in the implementation of our vision,” says Miron Livny, SWAMP director and chief technology officer for the Morgridge Institute for Research. “Our goal at SWAMP is to establish an assurance ecosystem by incorporating a rich suite of tools, and in adding Synopsys Static Analysis (Coverity), we make a significant step in achieving this goal in support of education and cybersecurity workforce development.”

The SWAMP has a unique focus on workforce development and is partnering with universities to integrate software assurance into the curriculum. Miller says the Synopsys Static Analysis (Coverity) launch will be especially valuable to the academic community since the C and C++ languages are commonly used in educational settings. Students who are learning to code and refine their programming skills will have an additional tool to evaluate their software for errors, expanding their resources for developing dependable and secure code.

Few aspects of everyday life are not touched by software, from commerce to energy to healthcare sectors. Weaknesses in software code are the most common targets of security breaches. The SWAMP’s goal is to help eliminate those weaknesses before they are deployed and become exploited vulnerabilities by integrating effective software assessment techniques into the developer’s work cycle.

Its most important benefit to developers and educators has been providing an integrated, one-stop environment for programmers to analyze their code across a wide range of commercial and open-source tools — and providing the combined feedback in a single results viewer.

For more information about capabilities offered by the SWAMP, visit www.mir-swamp.org.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org


SWAMP is at OSCON 2017!

If you are in Austin, TX this week for OSCON 2017, the SWAMP Team wants to see you! If you still need to register for the conference, use our discount code, SWAMP25, to save 25% on your admission.

Visit the Software Assurance Marketplace in Booth #518 on May 10th and 11th! We will be demoing our new plug-ins along with the newest features in SWAMP-in-a-Box.

Several SWAMP team members will also be giving presentations during the conference:

Read more about the SWAMP’s activities here.


SWAMP Integrates Assurance Tools into the Software Continuous Lifecycle

FOR IMMEDIATE RELEASE:
May 2, 2017

SWAMP integrates assurance tools into the software continuous lifecycle

Moves mark a major step toward the SWAMP’s vision of continuous assurance

AUSTIN, TX–(Marketwired – May 02, 2017) – OSCON 2017 – The Software Assurance Marketplace (SWAMP) is partnering with major continuous integration systems used by software developers to make software assurance a simple and intuitive element of the development process.

The SWAMP offers a suite of plug-in modules that operate within many of the leading development lifecycle tools relied upon by code developers. Those include integrated development environments (IDEs) such as Eclipse; source code repositories such as GitHub and Subversion; and continuous integration systems such as Jenkins and Travis CI.

These environments, repositories and systems are dramatically improving software developers’ ability to manage workflow through the complex steps of designing, editing, testing and deployment. Given the increased awareness of the importance of developing safe and secure software, incorporating security tools into the continuous software process will make integration that much more efficient for developers.

“We want to ensure that someone going through the continuous integration process can take the extra step of software assurance, and just make it a natural part of the flow,” says Barton Miller, chief scientist of the SWAMP and professor of computer science at the University of Wisconsin-Madison.

“The goal is to fix security issues as soon as possible in the development cycle,” Miller adds. “Every security weakness fixed at the developer’s desktop has a trivial cost, but those same errors could cost millions to fix after release.”

With the push of a button, users in integrated development environments (IDEs) can start the testing process by having their code automatically packaged and sent to the SWAMP. The code will be analyzed across the multiple assurance tools hosted in the SWAMP, and the results will be fed back into the IDE in a readable format, prioritizing flaws by level of severity.

Users with higher security thresholds can also run SWAMP analysis entirely in-house. Called “SWAMP-in-a-Box” (SiB), this free, self-contained version of continuous assurance capabilities can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premises.

The SWAMP employs federated identity management protocols, so users will not need distinct login credentials for using the SWAMP plugins.

To access the free SWAMP plugins, visit: https://continuousassurance.org/plug-ins/.

“Between the source code repositories, the IDEs and the integration frameworks, we have tried to cover the entire spectrum of software development,” says Miller. “There are almost no real-world projects that don’t use one or more of these systems.”

“This new suite of plugins is a major step in translating the continuous assurance vision of the SWAMP into accessible and easy-to-deploy technologies,” says SWAMP Director Miron Livny, UW-Madison computer scientist and director of core computational technology for the Morgridge Institute for Research.

Miller and colleague Dr. Elisa Heymann will present a tutorial — “Secure Coding Practices and Automated Assessment Tools” — on Monday, May 8 from 9 a.m. – 1:30 p.m. at the O’Reilly OSCON 2017 conference in Austin. For more information, visit: https://conferences.oreilly.com/oscon/oscon-tx/public/schedule/speakers.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions — the Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison — to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 30 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.

For more information, visit continuousassurance.org.

###

Contact:
Barton Miller
608-263-3378
bart@cs.wisc.edu


SWAMP-in-a-Box Available for Download!

FOR IMMEDIATE RELEASE:
October 13, 2016

‘SWAMP-in-a-Box,’ an on-premises continuous software assurance capability

MADISON — The Software Assurance Marketplace (SWAMP) project has launched a new version of its continuous assurance technologies that will allow the software assurance community to deploy local (private) instances of the SWAMP. This version augments the services provided by the public SWAMP facility that has been in operation for the past three years.

Called “SWAMP-in-a-Box” (SiB), this free, self-contained version can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premises. This marks a major step in the SWAMP’s now four-year effort to bring continuous software assurance capabilities to mainstream code developers.

Following a closed-beta testing program with 12 different testers that included commercial and federal entities, the open-beta SiB version is available for download at https://github.com/mirswamp/deployment and is distributed under an Apache open source license.

The SWAMP project was launched in 2012 by the Department of Homeland Security-Science & Technology Directorate to advance the effectiveness of software assurance technologies and to expand their adoption by software developers. The SWAMP’s key characteristics are providing an integrated, one-stop environment for developers to analyze their code with multiple tools and offering a unified assessment results viewer.

The current version of SWAMP-in-a-Box includes 15 open source tools, and in future releases, SiB will support integration with locally licensed commercial tools. These tools cover five languages that can be assessed on five platforms.

“SWAMP-in-a-Box is a significant step toward promoting a culture of continuous assurance throughout the software development community,” says Miron Livny, chief technology officer for the Morgridge Institute for Research and director of the SWAMP project. “It enables organizations that are reluctant to have their code assessed remotely to bring the power of the SWAMP to the keyboards of their developers.”

Commercial and government organizations can integrate the SWAMP-in-a-Box into their local software development environment, including local continuous integration services, using the open SWAMP APIs. “We are currently working on additional integration options for future SWAMP-in-a-Box releases, such as the ability to use the organization’s existing identity and access management capabilities rather than requiring users to create new SWAMP-in-a-Box accounts,” says Jim Basney, SWAMP co-principal investigator and identity management lead from the University of Illinois at Urbana-Champaign.

SiB includes a SWAMP-specific version of the Code Dx software that consolidates software vulnerabilities detected by multiple assessment tools. The Code Dx software is an important part of the ability of the SWAMP to aggregate the strengths of multiple tools into an effective software assurance capability.

Continuous software assurance leads to a significant return on investment, adds Livny, noting that it is much more labor intensive to detect and resolve software weaknesses in the final stages of the software development life cycle than it is to address them throughout the software development and deployment processes.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through an open and shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 19 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.

For more information, visit continuousassurance.org.

###

Editorial Contact:
Brian Mattmiller
bmattmiller@morgridge.org
608-316-4332


Improving Cybersecurity Education with SWAMP

In a time when million-dollar security breaches of household-name corporations regularly make headlines, computer science undergraduates at America’s universities remain surprisingly underexposed to basic cybersecurity tactics. The Software Assurance Marketplace (SWAMP) has been working to address this skills gap through a unique partnership with Bowie State University in Maryland. The SWAMP offers a rich and accessible suite of software security tools that Bowie State has been integrating into undergraduate coding courses, giving students an efficient way to examine and rid their code of security weaknesses. The partnership offers a national model for integrating cybersecurity into the curriculum.
