Category Archives: SWAMP-in-a-Box

SWAMP-in-a-Box Update 1.33

SWAMP-in-a-Box version 1.33 is available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • SWAMP-in-a-Box administrators can now configure where the SWAMP web application’s backend stores its log entries. After installing or upgrading to SWAMP-in-a-Box version 1.33, the web application’s backend will create daily log files in /var/www/swamp-web-server/storage/logs. The web application’s backend can also be configured to make log entries in the system log, which is where they were made in previous versions of SWAMP-in-a-Box. Refer to the SWAMP-in-a-Box Reference Manual for details.
  • CentOS and Scientific Linux 7 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. Any versions of GrammaTech CodeSonar and Synopsys Static Analysis (Coverity) that were previously installed will not work with these new platforms. Refer to the SWAMP-in-a-Box Administrator Manual for instructions on re-creating the SWAMP tool archives for these tools and adding them to the SWAMP.
  • Updated versions of the CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. If a CentOS or Scientific Linux 6 platform was previously installed, download and install these new versions.
  • Code Dx version 2.8.3, a viewer for analyzing the results from assessments, can now be added to a SWAMP-in-a-Box installation. You must obtain Code Dx separately from Code Dx, Inc.
  • To support SWAMP-in-a-Box installations that do not have internet access, we have updated the tool archive for retire.js version 1.2.10 to include documentation and scripts for creating a version of the tool archive that bundles vulnerability data instead of downloading it from the internet for each assessment.
  • SWAMP-in-a-Box no longer requires that the host be configured with a timezone of UTC, and the SWAMP-in-a-Box installer and upgrader no longer modify the host’s timezone. All dates and times in the SWAMP web application are displayed in the web browser’s local time. All dates and times in log files are in the host’s local time. All dates and times stored with database records are converted to UTC.
  • SWAMP-in-a-Box now includes a script for checking the health of the installation. Refer to the Troubleshooting section of the SWAMP-in-a-Box Administrator Manual for details.
  • SWAMP users can now add a list of paths to files or directories to exclude from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

With SWAMP-in-a-Box, Bring Your Own License and Turbo-Charge Software Assurance

FOR IMMEDIATE RELEASE:
February 28, 2018

With SWAMP-in-a-Box, ‘Bring Your Own License’ and turbo-charge software assurance

MADISON, WI–(GlobeNewswire – February 28, 2018) – In the drive to reduce software security flaws, the Software Assurance Marketplace (SWAMP) project has enhanced its portable platform that brings a comprehensive suite of software assurance tools to the programmer’s desktop.

This open-source SWAMP-in-a-Box (SiB) platform now integrates more than 30 tools, both open source and commercial, into a customizable, easy to deploy capability, significantly reducing the barriers to entry for using such tools.

Using multiple tools to regularly scan software is the cornerstone of continuous assurance – the practice of integrating software assurance into the continuous cycle of modern software development. As a continuous assurance platform, SiB facilitates software assessment with multiple assurance tools. The new “Bring Your Own License” model allows organizations to integrate already-purchased commercial tools into their locally deployed SWAMP-in-a-Box instance.

Organizations need only to acquire a license for the commercial tools supported by SiB or use an existing license that they have acquired. The result is hassle-free continuous assessments with the tools of their choice. “Bring Your Own License” capabilities further the SWAMP’s goal of offering a one-stop continuous assurance resource for developers throughout the software development life cycle.

“We continuously receive requests from organizations who deploy SiB to add support for additional tools,” says Miron Livny, SWAMP director and chief technology officer. “In close collaboration with vendors, we work to integrate new commercial tools while maintaining the tool-neutrality of our platform. Our goal is to make the software assurance process simpler and more effective for all parties involved in the software assurance eco-system.”

While hundreds of software assurance tools are available to the development community, the SWAMP is working to maximize its impact by forging partnerships with industry-leading tool providers. Partnerships have been established with vendors such as Parasoft, Synopsys, GrammaTech, and PRQA. The SWAMP is actively seeking new partnerships with software assurance and security tool providers in both the commercial and open-source sectors.

“The vendors provide the state of the art assurance tools; we make the tools easy to run by making them a natural part of the programmer’s workflow and helping with the best configuration settings for each,” says Bart Miller, University of Wisconsin-Madison computer scientist and chief scientist for the SWAMP. “We not only help save time, but our continuous assurance platform will also help users get the maximum benefit out of their tools by doing all the configuration work up-front.”

Whether it be small businesses or individual developers, SiB gives organizations peace of mind that the tools are properly installed, maintained, and have the latest upgrades.

The SiB continuous assurance platform is freely available. It can be easily deployed, configured on local hardware, and placed behind a firewall. This allows all assessments to be run locally or with no outside connections, increasing privacy and security for organizations with sensitive and proprietary materials.

To learn more about integrating licensed software tools with SWAMP-in-a-Box, join a free webinar on Thursday, March 8 hosted by Parasoft. This webinar will provide a case-study overview of the SWAMP’s partnership with Parasoft. Register for the webinar at: https://parasoft.zoom.us/webinar/register/WN_byJNglDGTz6nPIv2x_eM2g.

Vendors interested in partnering with the SWAMP project may contact Project Manager Irene Landrum at 608-316-4114 or ilandrum@morgridge.org. Developers interested in learning more about SiB can visit: https://continuousassurance.org/swamp-in-a-box/.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

Contact:
Irene Landrum
Morgridge Institute for Research
608-316-4114
ilandrum@morgridge.org


SWAMP-in-a-Box Update 1.32

SWAMP-in-a-Box version 1.32 is now available for download! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • Parasoft C/C++test and Jtest version 10.3 (tools for assessing C/C++ and Java Source packages, respectively) can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and/or Jtest and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • OWASP Dependency Check version 2.1.1, a tool for assessing Java Source and Java Bytecode packages, can now be added to a SWAMP-in-a-Box installation. The tool can be configured to get National Vulnerability Database information from a server that you set up to retrieve updates on a periodic basis, or, in cases where SWAMP-in-a-Box runs without internet access, a version of the tool with static National Vulnerability Database information can be created and installed. Versions of OWASP Dependency Check bundled with previous installations of SWAMP-in-a-Box will be removed when you upgrade.
  • SpotBugs version 3.1.0 is now available for assessing Java Source and Java Bytecode packages. This tool is a fork of FindBugs. When you choose to run assessments for a Java package using “All” tools, a SpotBugs assessment will be generated but a FindBugs assessment will not. You can still specifically select FindBugs to generate a FindBugs assessment.
  • SWAMP now provides support for C/C++ packages that build using autotools to generate their configure files. “Autotools+Configure+Make” is now available as a Build System for C/C++ packages.
  • Assessment Completion Notification emails can now be sent from SWAMP-in-a-Box installations configured to enable outgoing SWAMP emails.
  • We’ve made improvements to the Native result viewer. Specifically, results are now spread across multiple pages. Controls are available to set the number of weaknesses shown on a page and navigate from page to page.
  • CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available. If a CentOS or Scientific Linux 6.7 platform was previously installed as an add-on, we recommend you download and install these new versions.
  • SWAMP administrators can now stop Condor jobs from the Review Status page. Assessment and Metric runs that are stopped this way are left incomplete and assigned a status of Terminated. Viewer runs are stopped without saving the viewer database, so any changes made in the current viewer session are lost.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP and Synopsys join forces to educate the future cybersecurity workforce

FOR IMMEDIATE RELEASE:
December 21, 2017

Madison-based SWAMP and Synopsys join forces to educate the future cybersecurity workforce

MADISON, WI–(GlobeNewswire – December 21, 2017) –

The Software Assurance Marketplace (SWAMP) has partnered with Synopsys, an industry leader in software security and quality, to expand its suite of assurance tools in support of the academic community.

In support of educators training the next generation of software developers on secure coding practices, the SWAMP’s continuous assurance platform has added Synopsys Static Analysis (Coverity), a widely used static analysis tool produced by Synopsys, that scans C and C++, the programming languages used by more than one in five programmers worldwide. Synopsys Static Analysis (Coverity), which was recently named a Leader in The Forrester Wave: Static Application Security Testing, marks the fourth industry tool incorporated into the SWAMP’s open and accessible assurance facility. As a result of this partnership, educators can integrate Coverity into their curricula through the SWAMP at no cost.

“Synopsys Static Analysis (Coverity) is a widely respected tool in the software assurance community and is a valuable addition to the SWAMP,” says Barton Miller, University of Wisconsin-Madison professor of computer science and chief scientist of the SWAMP.

“We see a critical need to increase the workforce trained in the best practices of software security,” adds Miller. “Our partnership with Synopsys significantly furthers our efforts to reach educators and provide more trained practitioners.”

“Joining forces with Synopsys in including award-winning software assurance capabilities in our marketplace is an important step in the implementation of our vision,” says Miron Livny, SWAMP director and chief technology officer for the Morgridge Institute for Research. “Our goal at SWAMP is to establish an assurance ecosystem by incorporating a rich suite of tools, and in adding Synopsys Static Analysis (Coverity), we make a significant step in achieving this goal in support of education and cybersecurity workforce development.”

The SWAMP has a unique focus on workforce development and is partnering with universities to integrate software assurance into the curriculum. Miller says the Synopsys Static Analysis (Coverity) launch will be especially valuable to the academic community since the C and C++ languages are commonly used in educational settings. Students who are learning to code and refine their programming skills will have an additional tool to evaluate their software for errors, expanding their resources for developing dependable and secure code.

Few aspects of everyday life are not touched by software, from commerce to energy to healthcare sectors. Weaknesses in software code are the most common targets of security breaches. The SWAMP’s goal is to help eliminate those weaknesses before they are deployed and become exploited vulnerabilities by integrating effective software assessment techniques into the developer’s work cycle.

Its most important benefit to developers and educators has been providing an integrated, one-stop environment for programmers to analyze their code across a wide range of commercial and open-source tools — and providing the combined feedback in a single results viewer.

For more information about capabilities offered by the SWAMP, visit www.mir-swamp.org.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org


SWAMP-in-a-Box Update 1.31

SWAMP-in-a-Box version 1.31.151 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:

  • Synopsys Static Analysis (Coverity), a tool for assessing C/C++ packages, can now be added to a SWAMP-in-a-Box installation. You must license Synopsys Static Analysis and obtain either the 32-bit or 64-bit tool archive files separately from Synopsys, Inc.
  • Documentation for SWAMP-in-a-Box has been reorganized into an Administrator Manual and a Reference Manual. Each comes as a PDF and HTML document, which can be found in `/opt/swamp/doc` on the SWAMP-in-a-Box host.
  • New versions of the CentOS and Scientific Linux 6.7 (32-bit and 64-bit) assessment platforms are available. If any of these platforms were previously installed as an add-on, we recommend you download and install the updated versions.
  • The CentOS and Scientific Linux 5.11 (32-bit and 64-bit) assessment platforms are no longer supported. If any of these platforms were previously installed as an add-on, they will be removed as part of the upgrade to SWAMP-in-a-Box 1.31.
  • Added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, FindBugs, PMD, and XML Lint.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP Plug-Ins for Eclipse, Git/SVN, Jenkins

Make sure you are taking advantage of everything the SWAMP has to offer! The SWAMP has created a variety of plug-ins to integrate into the software development lifecycle and to support continuous integration. The SWAMP’s plug-ins are open-source and can connect to the SWAMP site or to your own SWAMP-in-a-Box. Find them here: https://continuousassurance.org/plug-ins/.

  • Eclipse: The Eclipse plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and view the results within the Eclipse Integrated Development Environment (IDE).
  • Git and Subversion: This script is a Git and Subversion hook. Any commit or push of a new version will upload that version of the code to the SWAMP. Results are viewable from the SWAMP website.
  • Jenkins: The Jenkins plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Results and trend data can be viewed on the SWAMP website or directly in Jenkins.