Category Archives: Software Assurance

From Continuous Integration to Continuous Assurance

The SWAMP team at the University of Wisconsin-Madison’s Computer Sciences department released a new whitepaper titled “From Continuous Integration to Continuous Assurance.” The paper describes how the SWAMP can be integrated into the continuous assurance workflow, including integrated development environments, source code management systems, and continuous integration systems. Read the full document here.

Citation information for the white paper is below.

MLA: Kupsch, James A., Miller, Barton P., Basupalli, Vamshi, and Burger, Josef. “From Continuous Integration to Continuous Assurance.” Continuous Software Assurance Marketplace, 13 Apr. 2017. Web. <https://www.swampinabox.org/doc/SWAMP-WP005-DevProcess.pdf>.

APA: Kupsch, J.A., Miller, B.P., Basupalli, V., & Burger, J. (2017, April 13). From Continuous Integration to Continuous Assurance [PDF file]. Continuous Software Assurance Marketplace. Retrieved from https://www.swampinabox.org/doc/SWAMP-WP005-DevProcess.pdf

SWAMP-in-a-Box Update 1.29

SWAMP-in-a-Box version 1.29 is now available for download! The latest files are on GitHub, or you can download the install files here. Noteworthy changes include:

  • Added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • Addition of 9 assessment tools for web scripting languages: CSS Lint (for CSS), ESLint (for JavaScript), Flow (for JavaScript), HTML Tidy (for HTML and XML), JSHint (for JavaScript or HTML files with inline JavaScript), PHPMD (for PHP), PHP_CodeSniffer (for PHP, JavaScript, and CSS), Retire.js (for JavaScript), and XML Lint (for XML).
  • Added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, and PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the local file system or enter an external URL and a checkout argument (branch, tag, or commit) for a remote Git repository.
  • Improved error reporting for assessment failures. Successful assessment runs are no longer erroneously reported as having finished with errors. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.
  • Minimum hardware requirements have increased to 4 CPU cores and 16 GB of RAM.

Let us know if you have any questions at sib@continuousassurance.org.

See SWAMP at OSCON 2017

If you will be in Austin, TX this May for OSCON 2017, stop by to see the SWAMP Team! When registering for the conference, use our discount code, SWAMP25, to save 25% on your admission, and be sure to look out for the Software Assurance Marketplace in Booth #518 on May 10th and 11th!

Several SWAMP team members will be giving presentations at the conference, in addition to demoing the latest enhancements to SWAMP and SWAMP-in-a-Box!


SWAMP-in-a-Box Update 1.28.2

Greetings, SWAMP-in-a-Box community.

SWAMP-in-a-Box build 1.28.2.33 is a security release addressing a privilege escalation vulnerability found in a pentest by Black Hills Infosec. We’d like to thank them for their thorough and professional work on behalf of the SWAMP project.

The vulnerability allows authenticated SWAMP users to obtain unauthorized administrative rights. At this time, we do not believe the vulnerability is known outside of the SWAMP team or being actively exploited, but we recommend SWAMP-in-a-Box deployers upgrade to this latest version as soon as possible. If you are unable to upgrade, you should disable any untrusted users as a temporary mitigation.

Additionally, we have updated the SWAMP-in-a-Box install/upgrade script to be tied to HTCondor version 8.4.11. Please contact us if you are currently running HTCondor version 8.6.0.

Packages for new installs can be found at https://github.com/mirswamp/deployment (GitHub) and https://platform.swampinabox.org/siab-latest-release/ (SWAMP read-only server).

Instructions for upgrading can be found in README-UPGRADE.md.

SWAMP Supports CodeSonar and Web Scripting Languages!

Today, the SWAMP released several new and exciting updates which are now available on mir-swamp.org!

  • GrammaTech’s CodeSonar static analysis tool has been added to assess C/C++ packages. Users must request access, agree to the EULA, and receive permission before using this tool in the SWAMP.
  • We added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • We added 9 new assessment tools for web scripting languages:
    • CSS Lint (for CSS)
    • ESLint (for JavaScript)
    • Flow (for JavaScript)
    • HTML Tidy (for HTML and XML)
    • JSHint (for JavaScript or HTML files with inline JavaScript)
    • PHPMD (for PHP)
    • PHP_CodeSniffer (for PHP, JavaScript, and CSS)
    • Retire.js (for JavaScript)
    • XML Lint (for XML)
  • We added several new sample curated packages for the web scripting languages on the Resources tab under Packages.
  • We added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, and PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the Local File System or enter an external URL and a checkout argument (branch, tag, or commit) for a Remote Git Repository.
  • Improved error reporting for assessment failures. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document on the Help page to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • Added a Compatibility tab to the Package Version view to show platform compatibility information for curated packages.
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Is Coming to OSCON 2017!

Are you headed to Austin, TX in May for OSCON 2017? If so, today is the last day to get the “Best Price” on conference passes. Use our discount code, SWAMP25, to save 25% on your admission, and be sure to look out for the Software Assurance Marketplace in Booth #518 at OSCON on May 8-11!

Our team members will be giving several presentations at the conference, as well as demoing the latest enhancements to SWAMP and SWAMP-in-a-Box!


SWAMP-in-a-Box Update 1.28.1

SWAMP-in-a-Box has been updated to version 1.28.1! The latest files are available on GitHub, or you can download the install files here.

  • All platforms have been updated and will work without internet access as long as your package doesn’t require internet access to build.
  • All assessments will default to use the Ubuntu Linux version 16.04.
  • New installs of SWAMP-in-a-Box only come with 1 platform, allowing you to pick and choose additional platforms from our read-only server.
  • Ability to download assessment results in XML format for assessments that have finished successfully with at least one weakness reported.
  • Addition of the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessment runs.
  • Addition of the OWASP Dependency Check assessment tool to assess Java Source and Java Bytecode packages.
  • Updates to the following assessment tools: Bandit, Clang Static Analyzer, and cppcheck.

Let us know if you have any questions at sib@continuousassurance.org.
