Category Archives: Software Assurance

SWAMP-in-a-Box Update 1.28.2

Greetings, SWAMP-in-a-Box community.

SWAMP-in-a-Box build 1.28.2.33 is a security release addressing a privilege escalation vulnerability found in a pentest by Black Hills Infosec. We’d like to thank them for their thorough and professional work on behalf of the SWAMP project.

The vulnerability allows authenticated SWAMP users to obtain unauthorized administrative rights. At this time, we do not believe the vulnerability is known outside of the SWAMP team or being actively exploited, but we recommend SWAMP-in-a-Box deployers upgrade to this latest version as soon as possible. If you are unable to upgrade, you should disable any untrusted users as a temporary mitigation.

Additionally, we have updated the SWAMP-in-a-Box install/upgrade script to be tied to HTCondor version 8.4.11. Please contact us if you are currently running HTCondor version 8.6.0.

Packages for new installs can be found at https://github.com/mirswamp/deployment (GitHub) and https://platform.swampinabox.org/siab-latest-release/ (SWAMP read-only server).

Instructions for upgrading can be found in README-UPGRADE.md.

SWAMP Supports CodeSonar and Web Scripting Languages!

Today, the SWAMP released several new and exciting updates which are now available on mir-swamp.org!

New:

  • GrammaTech’s CodeSonar static analysis tool has been added to assess C/C++ packages. Users must request access, agree to the EULA, and receive permission before using this tool in the SWAMP.
  • We added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • We added 9 new assessment tools for web scripting languages:
    • CSS Lint (for CSS)
    • ESLint (for JavaScript)
    • Flow (for JavaScript)
    • HTML Tidy (for HTML and XML)
    • JSHint (for JavaScript or HTML files with inline JavaScript)
    • PHPMD (for PHP)
    • PHP_CodeSniffer (for PHP, JavaScript, and CSS)
    • Retire.js (for JavaScript)
    • XML Lint (for XML)
  • We added several new sample curated packages for the web scripting languages on the Resources tab under Packages.
  • We added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the Local File System or enter an external URL and a checkout argument (branch, tag, or commit) for a Remote Git Repository.
  • Improved error reporting for assessment failures. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document on the Help page to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • Added a Compatibility tab to the Package Version view to show platform compatibility information for curated packages.
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Is Coming to OSCON 2017!

Are you headed to Austin, TX in May for OSCON 2017? If so, today is the last day to get the “Best Price” on conference passes. Use our discount code, SWAMP25, to save 25% on your admission, and be sure to look out for the Software Assurance Marketplace in Booth #518 at OSCON on May 8-11!

Our team members will be giving several presentations at the conference, as well as demoing the latest enhancements to SWAMP and SWAMP-in-a-Box!


SWAMP-in-a-Box Updates

SWAMP-in-a-Box has been updated to version 1.28.1! The latest files are available on GitHub, or you can download the install files here.

New:

  • All platforms have been updated and will work without internet access as long as your package doesn’t require internet access to build.
  • All assessments will default to the Ubuntu Linux 16.04 platform.
  • New installs of SWAMP-in-a-Box only come with 1 platform, allowing you to pick and choose additional platforms from our read-only server.
  • Ability to download assessment results in XML format for assessments that have finished successfully with at least one weakness reported.
  • Addition of the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessment runs.
  • Addition of the OWASP Dependency Check assessment tool to assess Java Source and Java Bytecode packages.
  • Updates to the following assessment tools: Bandit, Clang Static Analyzer, and cppcheck.

Let us know if you have any questions at sib@continuousassurance.org.

New SWAMP Updates

The SWAMP team is excited to announce that many new updates are available at mir-swamp.org!

New:

  • You can now sign up and sign in to use the SWAMP using your Google account or a University account affiliated with CILogon. We also added the ability to link your existing SWAMP account with your Google or University account in order to sign in to the SWAMP.
  • We added the OWASP Dependency Check tool to assess Android Java Source, Android .apk, Java 7 and 8 Source, and Java 7 and 8 Bytecode packages.
  • We updated several assessment tools and all platform versions and dependencies.
  • The “Status.out and Debugging SWAMP Failures” document was added to the Help page to assist with debugging failed assessment runs. Error messages have also been improved in the Failed Assessment Run Report (accessed by clicking the Error “!” button on an assessment that finished with errors), as have reports of failed steps in the status.out file (found in the results.tar.gz archive, downloadable from a Failed Assessment Report).
  • You can now download assessment results in XML format. (For non-commercial assessments that finished successfully and have at least one weakness, the weakness count icon on the Assessment Results page is a link to download the scarf.xml file.)

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Available for Download!

FOR IMMEDIATE RELEASE:
October 13, 2016

‘SWAMP-in-a-Box,’ an on-premises continuous software assurance capability

MADISON — The Software Assurance Marketplace (SWAMP) project has launched a new version of its continuous assurance technologies that will allow the software assurance community to deploy local (private) instances of the SWAMP. This version augments the services provided by the public SWAMP facility that has been in operation for the past three years.

Called “SWAMP-in-a-Box” (SiB), this free, self-contained version can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premise. This marks a major step in the SWAMP’s now four-year effort to bring continuous software assurance capabilities to mainstream code developers.

Following a closed-beta testing program with 12 different testers that included commercial and federal entities, the open-beta SiB version is available for download at https://github.com/mirswamp/deployment and is distributed under an Apache open source license.

The SWAMP project was launched in 2012 by the Department of Homeland Security-Science & Technology Directorate to advance the effectiveness of software assurance technologies and to expand their adoption by software developers. The SWAMP’s key characteristics are providing an integrated, one-stop environment for developers to analyze their code with multiple tools and offering a unified assessment results viewer.

The current version of SWAMP-in-a-Box includes 15 open source tools, and in future releases, SiB will support integration with locally licensed commercial tools. These tools cover five languages that can be assessed on five platforms.

“SWAMP-in-a-Box is a significant step toward promoting a culture of continuous assurance throughout the software development community,” says Miron Livny, chief technology officer for the Morgridge Institute for Research and director of the SWAMP project. “It enables organizations that are reluctant to have their code assessed remotely to bring the power of the SWAMP to the keyboards of their developers.”

Commercial and government organizations can integrate the SWAMP-in-a-Box into their local software development environment, including local continuous integration services, using the open SWAMP APIs. “We are currently working on additional integration options for future SWAMP-in-a-Box releases, such as the ability to use the organization’s existing identity and access management capabilities rather than requiring users to create new SWAMP-in-a-Box accounts,” says Jim Basney, SWAMP co-principal investigator and identity management lead from the University of Illinois at Urbana-Champaign.

SiB includes a SWAMP-specific version of the Code Dx software that consolidates software vulnerabilities detected by multiple assessment tools. The Code Dx software is an important part of the ability of the SWAMP to aggregate the strengths of multiple tools into an effective software assurance capability.

Continuous software assurance leads to a significant return on investment, adds Livny, noting that it is much more labor intensive to detect and resolve software weaknesses in the final stages of the software development life cycle than it is to address them throughout the software development and deployment processes.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through an open and shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 19 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.

For more information, visit continuousassurance.org.

###

Editorial Contact:
Brian Mattmiller
bmattmiller@morgridge.org
608-316-4332


SWAMP is on NewsWatch TV!

The SWAMP was just featured on the NewsWatch TV program. Dr. Lethia Jackson from Bowie State University spoke about the benefits that her computer science students have received from using the SWAMP in the classroom. She said, “The students gain an understanding of what is secure coding, but most importantly, their confidence is what they’ve really gained. They feel more confident in programming, period.” Check out the video and more here. And don’t forget to review your code in the SWAMP at https://www.mir-swamp.org/.
