Category Archives: Static Analysis Tools

New Updates on MIR-SWAMP.org

The following updates were made to the SWAMP at mir-swamp.org.

  1. We have updated the Acceptable Use Policy (AUP) for the SWAMP. The updated AUP replaces all previous versions.
  2. We’ve replaced version 10.3.3 of Parasoft C/C++test and Jtest with version 10.3.4.
  3. We’ve added version 10.4.0 of Parasoft C/C++test and Jtest.
  4. The Native viewer is now the default results viewer selected on the Assessment Results page.
  5. General enhancements and bug fixes

Please let us know if you have any questions at support@continuousassurance.org.

 

Want to fight cyberthreats? Start with clean code

FOR IMMEDIATE RELEASE:
August 8, 2018

Want to fight cyberthreats? Start with clean code

MADISON, WI – (August 8, 2018) – Barton Miller has a surprise for his University of Wisconsin-Madison class of 250 software programming undergraduates this fall: No code assignment is complete until it’s declared weakness-free by a suite of software analysis tools.

“You’re not going to get extra points,” he says. “It’s just that you can turn in your code only when it comes through clean.”

That may sound stringent, but Miller is confident it won’t be such a chore. His students will be directed to the Software Assurance Marketplace, or SWAMP, a powerful software assurance platform designed to make the detection of potential software weakness as quick and painless as possible.

The SWAMP offers more than 30 open-source and commercial static code analysis tools fully integrated into its automated platform. Leading commercial tool providers in the SWAMP include Synopsys, Parasoft, and GrammaTech, all household names with programmers.

“For the students, using the SWAMP is to feel the freedom that they are not handcuffed to a single tool,” Miller says, likening the SWAMP experience to taking multiple medications to manage a chronic disease. “Each medication may not solve the whole problem, but it may have a strength that other medications don’t have.”

Launched five years ago, the SWAMP is now coming into its own as a free, portable, one-stop source for programmers to tighten up their code — and, in turn, shore up the most frequent target of cyberattacks. The project is funded by the Department of Homeland Security and is led by the Morgridge Institute for Research in close collaboration with partners at UW-Madison, Indiana University, and the University of Illinois.

Miller’s classroom experiment represents an important front for the SWAMP as it aims to advance continuous assurance on software security. Software assurance is for the most part missing from the undergraduate coding curriculum and is often relegated to separate security-based courses. Miller, a UW-Madison computer science professor and chief scientist of the SWAMP, says the goal is to create “turnkey resources” such as video tutorials for computer science instructors to plug it into their courses.

Experience gained this fall from Miller’s course will be used as a blueprint for integrating software assurance into lecture-size coding courses at other institutions. The SWAMP platform was designed to support “scaling-out” in support of wide-scale usage.

Miron Livny, SWAMP director and chief technology officer, says that partnering with the educational community is key because the software security challenge has strong behavioral elements that need to be addressed in the beginning stages of software development teaching. Raising awareness early among future developers, and providing integrated tools like the SWAMP, will help make software assurance a continuous activity in the software life-cycle.

Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and SWAMP chief information security officer, says the greatest contribution of the SWAMP has been to provide empowerment in what seems like an unwinnable scenario.

“The whole ecosystem of software has just exploded with iPhones and Android phones and software doing a lot for our lives these days,” he says. “It’s easy to be sort of abstractly aware of the security challenge, but we’re giving developers a tool to do something concrete about it.”

The project also yielded an application called “SWAMP-in-a-Box,” which enables developers to deploy the platform locally on their private network to address security and privacy concerns. In 2018 to date, more than 34,000 software assessments have been run in the SWAMP, covering hundreds of millions of lines of code.

Companies and organizations also have been active in the SWAMP. Partners on specialized assurance projects include the Department of Defense, defense contractors, and commercial companies certifying software.

Cyberattacks are only getting worse as software proliferates into every corner of life. Operating systems that once could support a few thousand applications can now support as many as 3 million. Things got remarkably bad in 2017 with 159,700 cyberattacks targeting businesses —nearly doubling the previous year’s total, according to the Online Trust Alliance.

One example from last year serves as a “poster child” for business catastrophe, Miller says. Dutch-based Maersk Shipping, representing almost one-fifth of all the world’s cargo shipping, was hit with the “NotPetya” ransomware virus that wiped out all 45,000 of the company’s computers. The result snarled global shipping traffic and cost the company $300 million in repairs.

“One of the challenges in cybersecurity right now is the attackers get unlimited attempts,” adds Welch. “Cyber attackers have this sort of invulnerability and anonymity and they’re doing it from across the world. When they keep attacking, it’s like the idea of monkeys typing randomness until they eventually produce Shakespeare.”

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org

https://morgridge.org/story/want-to-fight-cyberthreats/
https://news.wisc.edu/want-to-fight-cyberthreats-start-with-clean-code/

Comment Period for Static Analysis Results Interchange Format (SARIF) v2.0

Over the past several months, members of the SWAMP team at UW-Madison have been contributing on the OASIS​ SARIF Technical Committee to establish a new standard. The Static Analysis Results Interchange Format (SARIF) version 2.0 is now available for public review and comment until July 24, 2018. Your input is welcome and encouraged! More information about the review process can be found here.

SWAMP updates for mir-swamp.org

The following updates are now available at mir-swamp.org: New

  • The Ubuntu 16.04 platform has been updated to reduce the frequency of assessment failures.
  • Fixes were made to prevent Ruby assessment failures.
  • When using the latest versions of the Safari web browser, you can now create a new package or package version using a GitHub URL.
  • C assessments now support the arm cross compiler.
  • Phone support is no longer available. For SWAMP support, please email support@continuousassurance.org. To report a security incident, please email security@continuousassurance.org. The Contact Us form has been removed from the Contact page.
  • SWAMP-in-a-Box v1.33.1 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

Updates on mir-swamp.org

The following updates are now available at mir-swamp.org! New

  • The Code Dx assessment result viewer has been updated to version 2.8.3. When viewing existing results, Code Dx will prompt to upgrade existing Code Dx data.
  • Sonatype Application Health Check is now available for assessing Java packages. To use the tool, you must request permission and provide information, including your email; this information is sent to Sonatype. When running an Application Health Check assessment, the tool sends a snapshot of your package to Sonatype and provides summary information about components that may include weaknesses or licensing issues. When reviewing results, you will see the summary information and may request detailed information from Sonatype.
  • CentOS 7 (64-bit) and Scientific Linux 7 (64-bit) assessment platforms are available for C/C++.
  • The Parasoft C/C++test and Jtest assessment tools were updated to version 10.3.3.
  • SWAMP users can download the SCARF .xml file from commercial tool assessments, provided the EULA for the tool has been accepted.
  • SWAMP users can add a comma-separated list of paths to files or directories to exclude them from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
  • The web user interface automatically sets the build system for Web Scripting packages (Composer and NPM) and Python (Build with Setup Tools) packages when it detects a build file.
  • The web user interface was improved to better set the Configure and/or Build Path (relative to the Package Path) when it detects a build or configure file that is not directly in the Package Path.
  • There is a script available on the SWAMP GitHub page that will package an active development directory into an archive suitable for uploading as a SWAMP package. Links to this script are provided on the Details page for uploading a new package and on the SWAMP Resources page.
  • SWAMP-in-a-Box v1.33 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.33

SWAMP-in-a-Box version 1.33 is available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • SWAMP-in-a-Box administrators can now configure where the SWAMP web application’s backend stores its log entries. After installing or upgrading to SWAMP-in-a-Box version 1.33, the web application’s backend will create daily log files in /var/www/swamp-web-server/storage/logs. The web application’s backend can also be configured to make log entries in the system log, which is where they were made in previous versions of SWAMP-in-a-Box. Refer to the SWAMP-in-a-Box Reference Manual for details.
  • CentOS and Scientific Linux 7 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. Any versions of GrammaTech CodeSonar and Synopsis Static Analysis (Coverity) that were previously installed will not work with these new platforms. Refer to the SWAMP-in-a-Box Administrator Manual for instructions on re-creating the SWAMP tool archives for these tools and adding them to the SWAMP.
  • Updated versions of the CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. If a CentOS or Scientific Linux 6 platform was previously installed, download and install these new versions.
  • Code Dx version 2.8.3, a viewer for analyzing the results from assessments, can now be added to a SWAMP-in-a-Box installation. You must obtain Code Dx separately from Code Dx, Inc.
  • To support SWAMP-in-a-Box installations that do not have internet access, we have updated the tool archive for retire.js version 1.2.10 to include documentation and scripts for creating a version of the tool archive that bundles vulnerability data instead of downloading it from the internet for each assessment.
  • SWAMP-in-a-Box no longer requires that the host be configured with a timezone of UTC, and the SWAMP-in-a-Box installer and upgrader no longer modifies the host’s timezone. All dates and times in the SWAMP web application are displayed in the web browser’s local time. All dates and times in log files are in the host’s local time. All dates and times stored with database records are converted to UTC.
  • SWAMP-in-a-Box now includes a script for checking the health of the installation. Refer to the Troubleshooting section of the SWAMP-in-a-Box Administrator Manual for details.
  • SWAMP users can now add a list of paths to files or directories to exclude from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

With SWAMP-in-a-Box, Bring Your Own License and Turbo-Charge Software Assurance

FOR IMMEDIATE RELEASE:
February 28, 2018

With SWAMP-in-a-Box, ‘Bring Your Own License’ and turbo-charge software assurance

MADISON, WI–(GlobeNewswire – February 28, 2018) – In the drive to reduce software security flaws, the Software Assurance Marketplace (SWAMP) project has enhanced its portable platform that brings a comprehensive suite of software assurance tools to the programmer’s desktop.

This open-source SWAMP-in-a-Box (SiB) platform now integrates more than 30 tools, both open source and commercial, into a customizable, easy to deploy capability, significantly reducing the barriers to entry for using such tools.

Using multiple tools to regularly scan software is the cornerstone of continuous assurance – the practice of integrating software assurance into the continuous cycle of modern software development. As a continuous assurance platform, SiB facilitates software assessment with multiple assurance tools. The new “Bring Your Own License” model allows organizations to integrate already-purchased commercial tools into their locally deployed SWAMP-in-a-Box instance.

Organizations need only to acquire a license for the commercial tools supported by SiB or use an existing license that they have acquired. The result is hassle-free continuous assessments with the tools of their choice. “Bring Your Own License” capabilities further the SWAMP’s goal of offering a one-stop continuous assurance resource for developers throughout the software development life cycle.

“We continuously receive requests from organizations who deploy SiB to add support for additional tools,” says Miron Livny, SWAMP director and chief technology officer. “In close collaboration with vendors, we work to integrate new commercial tools while maintaining the tool-neutrality of our platform. Our goal is to make the software assurance process simpler and more effective for all parties involved in the software assurance eco-system.”

While hundreds of software assurance tools are available to the development community, the SWAMP is working to maximize its impact by forging partnerships with industry-leading tool providers. Partnerships have been established with vendors such as Parasoft, Synopsys, GrammaTech, and PRQA. The SWAMP is actively seeking new partnerships with software assurance and security tool providers in both the commercial and open-source sectors.

“The vendors provide the state of the art assurance tools; we make the tools easy to run by making them a natural part of the programmer’s workflow and helping with the best configuration settings for each,” says Bart Miller, University of Wisconsin-Madison computer scientist and chief scientist for the SWAMP. “We not only help save time, but our continuous assurance platform will also help users get the maximum benefit out of their tools by doing all the configuration work up-front.”

Whether it be small businesses or individual developers, SiB gives organizations peace of mind that the tools are properly installed, maintained, and have the latest upgrades.

The SiB continuous assurance platform is freely available. It can be easily deployed, configured on local hardware, and placed behind a firewall. This allows all assessments to be run locally or with no outside connections, increasing privacy and security for organizations with sensitive and proprietary materials.

To learn more about integrating licensed software tools with SWAMP-in-a-Box, join a free webinar on Thursday, March 8 hosted by Parasoft. This webinar will provide a case-study overview of the SWAMP’s partnership with Parasoft.

Vendors interested in partnering with the SWAMP project may contact Project Manager Irene Landrum at 608-316-4114 or ilandrum@morgridge.org. Developers interested in learning more about SiB can visit: https://continuousassurance.org/swamp-in-a-box/.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Irene Landrum
Morgridge Institute for Research
608-316-4114
ilandrum@morgridge.org

 

Press Release

Updates on mir-swamp.org

You can now find the following updates on mir-swamp.org! New

  • Parasoft C/C++test and Jtest version 10.3.2 (tools for assessing C/C++ and Java Source/Android Java Source packages, respectively) are now available in the SWAMP. You must request and receive permission to use these tools and agree to the EULA.
  • OWASP Dependency Check version 2.1.1 is now available for assessing Java Source Code, Java Bytecode, and Android Java Source Code packages.
  • Spotbugs version 3.1.0 is now available for assessing Java Source Code, Java Bytecode, and Android Java Source Code packages. This tool is a fork of Findbugs. When you choose to run assessments for a Java package using “All” tools, a Spotbugs assessment will be generated but a Findbugs assessment will not. You can still specifically select Findbugs to generate a Findbugs assessment.
  • SWAMP now provides support for C/C++ packages that build using autotools to generate their configure files. “Autotools+Configure+Make” is now available as a Build System for C/C++ packages.
  • We’ve made improvements to the Native result viewer. Specifically, results are now spread across multiple pages. Controls are available to set the number of weaknesses shown on a page and navigate from page to page.
  • The buttons on the navigation bar are now links. Right click to open them in a new browser window or tab.
  • The ThreadFix result viewer has been deprecated.
  • CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available.
  • We’ve added links to SWAMP-related white-papers on the Resources page.
  • SWAMP-in-a-Box v1.32 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.32

SWAMP-in-a-Box version 1.32 is now available for download! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • Parasoft C/C++test and Jtest version 10.3 (tools for assessing C/C++ and Java Source packages, respectively) can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and/or Jtest and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • OWASP Dependency Check version 2.1.1, a tool for assessing Java Source and Java Bytecode packages, can now be added to a SWAMP-in-a-Box installation. The tool can be configured to get National Vulnerability Database information from a server that you set up to retrieve updates on a periodic basis, or, in cases where SWAMP-in-a-Box runs without internet access, a version of the tool with static National Vulnerability Database information can be created and installed. Versions of OWASP Dependency Check bundled with previous installations of SWAMP-in-a-Box will be removed when you upgrade.
  • Spotbugs version 3.1.0 is now available for assessing Java Source Code and Java Bytecode packages. This tool is a fork of Findbugs. When you choose to run assessments for a Java package using “All” tools, a Spotbugs assessment will be generated but a Findbugs assessment will not. You can still specifically select Findbugs to generate a Findbugs assessment.
  • SWAMP now provides support for C/C++ packages that build using autotools to generate their configure files. “Autotools+Configure+Make” is now available as a Build System for C/C++ packages.
  • Assessment Completion Notification emails can now be sent from SWAMP-in-a-Box installations configured to enable outgoing SWAMP emails.
  • We’ve made improvements to the Native result viewer. Specifically, results are now spread across multiple pages. Controls are available to set the number of weaknesses shown on a page and navigate from page to page.
  • CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available. If a CentOS or Scientific Linux 6.7 platform was previously installed as an add on, we recommend you download and install these new versions.
  • SWAMP administrators can now stop Condor jobs from the Review Status page. Assessment and Metric runs are not completed and assigned a status of Terminated. Viewer runs are stopped without saving the viewer database, so any changes made in the current viewer session are lost.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

« Older Entries Recent Entries »