SWAMP Chief Scientist and PI, Bart Miller, along with his colleague, Elisa Heymann, from the University of Wisconsin-Madison’s Computer Sciences department created an educational guide to using the SWAMP: https://vimeo.com/255608773. Be sure to check out their video and links to all of the other SWAMP recordings, webinars, etc. on our website: https://continuousassurance.org/about-us/video-tutorials/.
Category Archives: Software Assurance
The SWAMP will be presenting and demonstrating at Software Assurance Conference 2018! SwACon is a software assurance (SwA) conference dedicated to advancing the state of the art in software assurance disciplines. The theme of this year’s event is open source tools and techniques that are available for SwA activities. The event is hosted by the Software Engineering Institute (SEI) in collaboration with the DoD Joint Federated Assurance Center (JFAC).
SwACon 2018 will be held on Tuesday, November 27 at the NRECA Conference Center (4301 Wilson Blvd. Arlington, VA – 1st floor). There will be presentations all day, roughly from 9am to 5pm Eastern, and you may attend only selected presentations, if needed. The event is free of charge but does require advance registration. Remote participation will also be available. To register, email email@example.com for details before November 18.
November 27th, 2018
NRECA Conference Center (1st floor)
8:45AM to 9:30AM Check-in and Registration; Light breakfast items to be served 9:30AM to 10:45AM Getting Started with ROSE Compiler Infrastructure – Dan Quinlan
ROSE is an open source compiler infrastructure to build source-to-source program transformation and analysis tools for large-scale C (C89 and C98), C++ (C++98 and C++11), UPC, Fortran (77/95/2003), OpenMP, Java, Python, and PHP applications. ROSE is developed at Lawrence Livermore National Laboratory (LLNL). Presented by Dr. Dan Quinlan, LLNL.
10:45AM to 11:00AM Morning beverage break 11:00AM to 12:00PM Introduction to Binary Analysis with Pharos – Cory Cohen
The SEI’s Pharos project is an open-source static binary analysis framework that is primarily targeted at malware analysis but can also be used for software assurance tasks. Presented by Cory Cohen, SEI.
12:00PM to 1:00PM Lunch break – participants on their own for lunch 1:00PM to 2:30PM Introduction to Software Assurance Marketplace (SWAMP) - Von Welch & Brian Aydemir
Join us to learn about the Software Assurance Marketplace (SWAMP) – a Continuous Software Assurance Platform. During this presentation, we will introduce the SWAMP project and team, describe SWAMP’s capabilities, present a live demo, and explain how you can start using the SWAMP. Presented by Von Welch, Director of Indiana University – Center for Applied Cybersecurity Research (CACR) & Brian Aydemir, Systems Integration Developer, Morgridge Institute for Research/SWAMP.
2:30PM to 2:45PM Afternoon break; Light snacks to be served 2:45PM to 3:45PM Securing Software with Trail of Bits – Peter Goodman & Trent Brunson 3:45PM to 3:55PM Short transition break 3:55PM to 4:55PM Introduction to Source Code Analysis Laboratory (SCALe) - Lori Flynn
Noteworthy changes include:
- An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.33.4.
- SWAMP-in-a-Box now automatically re-tries (up to three additional times) assessments that finish with an error related to networking. This includes assessments for which a VM does not have network connectivity or for which OS dependencies cannot be installed. In many cases, these assessments succeed on the first retry.
- SWAMP-in-a-Box administrators can now configure which viewer is initially selected on the Assessment Results page. When SWAMP-in-a-Box 1.33.4 is installed, this configuration is set to use the Native Viewer. Note that this is only applicable if a third-party viewer has been added to SWAMP-in-a-Box.
- Parasoft C/C++test versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
- Parasoft Jtest versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft Jtest and obtain the 64-bit tool archive files separately from Parasoft.
- General enhancements and bug fixes.
Let us know if you have any questions at firstname.lastname@example.org.
Updates are now available for the following SWAMP plug-ins:
FOR IMMEDIATE RELEASE:
August 8, 2018
Want to fight cyberthreats? Start with clean code
MADISON, WI – (August 8, 2018) – Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.
“You’re not going to get extra points,” he says. “It’s just that you can turn in your code only when it comes through clean.”
That may sound stringent, but Miller is confident it won’t be such a chore. His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.
The SWAMP offers more than 30 open-source and commercial static code analysis tools fully integrated into its automated platform. Leading commercial tool providers in the SWAMP include Synopsys, Parasoft, and GrammaTech, all household names with programmers.
“For the students, using the SWAMP is to feel the freedom that they are not handcuffed to a single tool,” Miller says, likening the SWAMP experience to taking multiple medications to manage a chronic disease. “Each medication may not solve the whole problem, but it may have a strength that other medications don’t have.”
Launched five years ago, the SWAMP is now coming into its own as a free, portable, one-stop source for programmers to tighten up their code — and, in turn, shore up the most frequent target of cyberattacks. The project is funded by the Department of Homeland Security and is led by the Morgridge Institute for Research in close collaboration with partners at UW-Madison, Indiana University, and the University of Illinois.
Miller’s classroom experiment represents an important front for the SWAMP as it aims to advance continuous assurance on software security. Software assurance is for the most part missing from the undergraduate coding curriculum and is often relegated to separate security-based courses. Miller, a UW-Madison computer science professor and chief scientist of the SWAMP, says the goal is to create “turnkey resources” such as video tutorials for computer science instructors to plug it into their courses.
Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions. The SWAMP platform was designed to support “scaling-out” in support of wide-scale usage.
Miron Livny, SWAMP director and chief technology officer, says that partnering with the educational community is key because the software security challenge has strong behavioral elements that need to be addressed in the beginning stages of software development teaching. Raising awareness early among future developers, and providing integrated tools like the SWAMP, will help make software assurance a continuous activity in the software life-cycle.
Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and SWAMP chief information security officer, says the greatest contribution of the SWAMP has been to provide empowerment in what seems like an unwinnable scenario.
“The whole ecosystem of software has just exploded with iPhones and Android phones and software doing a lot for our lives these days,” he says. “It’s easy to be sort of abstractly aware of the security challenge, but we’re giving developers a tool to do something concrete about it.”
The project also yielded an application called “SWAMP-in-a-Box,” which enables developers to deploy the platform locally on their private network to address security and privacy concerns. In 2018 to date, more than 34,000 software assessments have been run in the SWAMP, covering hundreds of millions of lines of code.
Companies and organizations also have been active in the SWAMP. Partners on specialized assurance projects include the Department of Defense, defense contractors, and commercial companies certifying software.
Cyberattacks are only getting worse as software proliferates into every corner of life. Operating systems that once could support a few thousand applications can now support as many as 3 million. Things got remarkably bad in 2017 with 159,700 cyberattacks targeting businesses —nearly doubling the previous year’s total, according to the Online Trust Alliance.
One example from last year serves as a “poster child” for business catastrophe, Miller says. Dutch-based Maersk Shipping, representing almost one-fifth of all the world’s cargo shipping, was hit with the “NotPetya” ransomware virus that wiped out all 45,000 of the company’s computers. The result snarled global shipping traffic and cost the company $300 million in repairs.
“One of the challenges in cybersecurity right now is the attackers get unlimited attempts,” adds Welch. “Cyber attackers have this sort of invulnerability and anonymity and they’re doing it from across the world. When they keep attacking, it’s like the idea of monkeys typing randomness until they eventually produce Shakespeare.”
ABOUT THE SWAMP
The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.
Morgridge Institute for Research
The SWAMP team will be joining the DHS Science and Technology booth #1336 in the business hall on Wednesday, August 8 and Thursday, August 9. We will be demoing SWAMP software, providing information about our project, and answering your questions. You are invited to stop by the DHS S&T booth for a 10-minute presentation at the following times:
- Wednesday, August 8 – 12:15-12:30pm & 5:15-5:30pm
- Thursday, August 9 – 12:15-12:30pm
Updates are now available for the following pieces of SWAMP open-source software!
- Java-CLI version 1.5.3
- SWAMP-Jenkins-Plugin version 1.2.2
- SWAMP-Eclipse-Plugin version 1.1.3