Category Archives: SWAMP-in-a-Box

SWAMP & Secure Development for the Cloud

In today’s MISTI blog post, “Secure Development for the Cloud,” author Randall Brooks mentions SWAMP and SWAMP-in-a-Box as great resources for organizations with limited funds that are looking for secure coding solutions. Incorporating many free and open-source analysis tools, the Software Assurance Marketplace offers both cloud-based and on-premises options for continuous software assurance. Read the full article.

Brooks will also be presenting at the upcoming 2017 InfoSec World Conference in Orlando. Session B4 “Secure Development for the Cloud” will include a bit about the SWAMP. Catch the presentation on Monday, April 3 at 2:15pm-3:05pm.

SWAMP-in-a-Box Update 1.29

SWAMP-in-a-Box version 1.29 is now available for download! The latest files are on GitHub, or you can download the install files here. Noteworthy changes include:

  • Added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • Addition of 9 assessment tools for web scripting languages: CSS Lint (for CSS), ESLint (for JavaScript), Flow (for JavaScript), HTML Tidy (for HTML and XML), JSHint (for JavaScript or HTML files with inline JavaScript), PHPMD (for PHP), PHP_CodeSniffer (for PHP, JavaScript, and CSS), Retire.js (for JavaScript), and XML Lint (for XML).
  • Updated versions of the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, and PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the local file system or enter an external URL and a checkout argument (branch, tag, or commit) for a remote Git repository.
  • Improved error reporting for assessment failures. Successful assessment runs are no longer erroneously reported as having finished with errors. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.
  • Minimum hardware requirements have increased to 4 CPU cores and 16 GB of RAM.

Let us know if you have any questions at

SWAMP-in-a-Box Update 1.28.2

Greetings, SWAMP-in-a-Box community.

SWAMP-in-a-Box build 1.28.2 is a security release addressing a privilege escalation vulnerability found in a pentest by Black Hills Infosec. We’d like to thank them for their thorough and professional work on behalf of the SWAMP project.

The vulnerability allows authenticated SWAMP users to obtain unauthorized administrative rights. At this time, we do not believe the vulnerability is known outside of the SWAMP team or being actively exploited, but we recommend SWAMP-in-a-Box deployers upgrade to this latest version as soon as possible. If you are unable to upgrade, you should disable any untrusted users as a temporary mitigation; because the flaw requires an authenticated account, this narrows who can reach it but does not fix it.

Additionally, we have updated the SWAMP-in-a-Box install/upgrade script to pin HTCondor to version 8.4.11. Please contact us if you are currently running HTCondor version 8.6.0.

Packages for new installs can be found at (GitHub) and (SWAMP read-only server).

Instructions for upgrading can be found in

SWAMP-in-a-Box Update 1.28.1

SWAMP-in-a-Box has been updated to version 1.28.1! The latest files are available on GitHub, or you can download the install files here.

  • All platforms have been updated and will work without internet access as long as your package doesn’t require internet access to build.
  • All assessments now default to the Ubuntu Linux 16.04 platform.
  • New installs of SWAMP-in-a-Box only come with 1 platform, allowing you to pick and choose additional platforms from our read-only server.
  • Ability to download assessment results in XML format for assessments that have finished successfully with at least one weakness reported.
  • Addition of the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessment runs.
  • Addition of the OWASP Dependency Check assessment tool to assess Java Source and Java Bytecode packages.
  • Updates to the following assessment tools: Bandit, Clang Static Analyzer, and cppcheck.
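The XML results download above is what you would feed into your own triage scripts when several tools have been run against the same package. The following is an added example, not code from SWAMP-in-a-Box or the SWAMP project: it parses two per-tool XML reports and merges findings that different tools raised at the same file, line and CWE, keeping the highest severity any tool assigned. The page does not name the export schema; the element names used here (AnalyzerReport, BugInstance, BugLocations/Location, SourceFile, StartLine, CweId, BugCode, BugSeverity, BugMessage) are an assumption modelled on SWAMP’s SCARF result format, and both sample reports are constructed.

```python
"""Added example (not SWAMP code): merge per-tool XML weakness reports into one
de-duplicated list. Element names are an assumption modelled on SWAMP's SCARF
format; REPORT_A and REPORT_B are constructed samples, not real tool output."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample: a JavaScript linter-style report.
REPORT_A = """<AnalyzerReport tool_name="tool-a" tool_version="1.0">
  <BugInstance id="1">
    <BugLocations><Location id="1" primary="true">
      <SourceFile>src/app.js</SourceFile><StartLine>42</StartLine>
    </Location></BugLocations>
    <CweId>79</CweId><BugCode>no-inner-html</BugCode>
    <BugSeverity>high</BugSeverity>
    <BugMessage>Unsanitized value assigned to innerHTML</BugMessage>
  </BugInstance>
  <BugInstance id="2">
    <BugLocations><Location id="1" primary="true">
      <SourceFile>src/app.js</SourceFile><StartLine>7</StartLine>
    </Location></BugLocations>
    <BugCode>no-unused-vars</BugCode><BugSeverity>low</BugSeverity>
    <BugMessage>'tmp' is assigned a value but never used</BugMessage>
  </BugInstance>
</AnalyzerReport>"""

# Constructed sample: a second tool that flags the same XSS sink (at a lower
# severity) plus a vulnerable dependency; its second Location lacks primary="true".
REPORT_B = """<AnalyzerReport tool_name="tool-b" tool_version="2.3">
  <BugInstance id="1">
    <BugLocations><Location id="1" primary="true">
      <SourceFile>src/app.js</SourceFile><StartLine>42</StartLine>
    </Location></BugLocations>
    <CweId>79</CweId><BugCode>xss-dom-sink</BugCode>
    <BugSeverity>medium</BugSeverity>
    <BugMessage>DOM XSS: tainted data reaches innerHTML</BugMessage>
  </BugInstance>
  <BugInstance id="2">
    <BugLocations><Location id="1">
      <SourceFile>package.json</SourceFile><StartLine>12</StartLine>
    </Location></BugLocations>
    <CweId>1104</CweId><BugCode>vulnerable-component</BugCode>
    <BugSeverity>high</BugSeverity>
    <BugMessage>Dependency has known vulnerabilities</BugMessage>
  </BugInstance>
</AnalyzerReport>"""


def parse_report(xml_text):
    """Return one dict per BugInstance: tool, file, line, cwe, code, severity, message."""
    root = ET.fromstring(xml_text)
    tool = root.get("tool_name", "unknown")
    findings = []
    for bug in root.iter("BugInstance"):
        locations = bug.findall("./BugLocations/Location")
        if not locations:
            continue  # a finding with no location cannot be matched across tools
        # Prefer the location marked primary; fall back to the first one listed.
        primary = next((loc for loc in locations if loc.get("primary") == "true"), locations[0])
        cwe_text = bug.findtext("CweId")
        findings.append({
            "tool": tool,
            "file": primary.findtext("SourceFile", "").strip(),
            "line": int(primary.findtext("StartLine", "0")),
            "cwe": int(cwe_text) if cwe_text and cwe_text.strip().isdigit() else None,
            "code": bug.findtext("BugCode", "").strip(),
            "severity": bug.findtext("BugSeverity", "low").strip().lower(),
            "message": bug.findtext("BugMessage", "").strip(),
        })
    return findings


def merge_reports(reports):
    """Collapse findings that several tools raised at the same file, line and CWE.

    Findings without a CWE (typical for style linters) are keyed on the tool's own
    BugCode instead, so two unmapped hits are never merged just for lacking a CWE.
    The merged severity is the highest any tool assigned."""
    merged = {}
    for xml_text in reports:
        for f in parse_report(xml_text):
            key = (f["file"], f["line"], f["cwe"] if f["cwe"] is not None else f["code"])
            entry = merged.setdefault(key, {
                "file": f["file"], "line": f["line"], "cwe": f["cwe"],
                "severity": f["severity"], "tools": set(), "messages": [],
            })
            entry["tools"].add(f["tool"])
            entry["messages"].append(f"{f['tool']}: {f['message']}")
            if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(entry["severity"], 0):
                entry["severity"] = f["severity"]
    # Highest severity first, then findings corroborated by more tools.
    return sorted(merged.values(), key=lambda e: (
        -SEVERITY_RANK.get(e["severity"], 0), -len(e["tools"]), e["file"], e["line"]))


def count_by_cwe(merged):
    """Histogram of merged findings per CWE (None for unmapped linter hits)."""
    return Counter(e["cwe"] for e in merged)


if __name__ == "__main__":
    for e in merge_reports([REPORT_A, REPORT_B]):
        tools = ",".join(sorted(e["tools"]))
        print(f"{e['severity']:<6} CWE-{e['cwe']!s:<5} {e['file']}:{e['line']} [{tools}]")
```

Keying on CWE rather than on each tool’s own rule name is what lets the same weakness reported by two scanners collapse into one entry with both messages attached; hits that no tool maps to a CWE stay separate per rule, which is the safer default when you cannot tell whether two linters mean the same thing.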

Let us know if you have any questions at

SWAMP-in-a-Box Available for Download!

October 13, 2016

‘SWAMP-in-a-Box,’ an on-premises continuous software assurance capability

MADISON — The Software Assurance Marketplace (SWAMP) project has launched a new version of its continuous assurance technologies that will allow the software assurance community to deploy local (private) instances of the SWAMP. This version augments the services provided by the public SWAMP facility that has been in operation for the past three years.

Called “SWAMP-in-a-Box” (SiB), this free, self-contained version can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premises. This marks a major step in the SWAMP’s now four-year effort to bring continuous software assurance capabilities to mainstream code developers.

Following a closed-beta testing program with 12 different testers that included commercial and federal entities, the open-beta SiB version is available for download at and is distributed under an Apache open source license.

The SWAMP project was launched in 2012 by the Department of Homeland Security-Science & Technology Directorate to advance the effectiveness of software assurance technologies and to expand their adoption by software developers. The SWAMP’s key characteristics are providing an integrated, one-stop environment for developers to analyze their code with multiple tools and offering a unified assessment results viewer.

The current version of SWAMP-in-a-Box includes 15 open source tools, and in future releases, SiB will support integration with locally licensed commercial tools. These tools cover five languages that can be assessed on five platforms.

“SWAMP-in-a-Box is a significant step toward promoting a culture of continuous assurance throughout the software development community,” says Miron Livny, chief technology officer for the Morgridge Institute for Research and director of the SWAMP project. “It enables organizations that are reluctant to have their code assessed remotely to bring the power of the SWAMP to the keyboards of their developers.”

Commercial and government organizations can integrate the SWAMP-in-a-Box into their local software development environment, including local continuous integration services, using the open SWAMP APIs. “We are currently working on additional integration options for future SWAMP-in-a-Box releases, such as the ability to use the organization’s existing identity and access management capabilities rather than requiring users to create new SWAMP-in-a-Box accounts,” says Jim Basney, SWAMP co-principal investigator and identity management lead from the University of Illinois at Urbana-Champaign.

SiB includes a SWAMP-specific version of the Code Dx software that consolidates software vulnerabilities detected by multiple assessment tools. The Code Dx software is an important part of the ability of the SWAMP to aggregate the strengths of multiple tools into an effective software assurance capability.

Continuous software assurance leads to a significant return on investment, adds Livny, noting that it is much more labor intensive to detect and resolve software weaknesses in the final stages of the software development life cycle than it is to address them throughout the software development and deployment processes.


The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through an open and shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 19 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.

For more information, visit


Editorial Contact:
Brian Mattmiller

Press Release