FOR IMMEDIATE RELEASE:
October 13, 2016
‘SWAMP-in-a-Box,’ an on-premises continuous software assurance capability
MADISON — The Software Assurance Marketplace (SWAMP) project has launched a new version of its continuous assurance technologies that will allow the software assurance community to deploy local (private) instances of the SWAMP. This version augments the services provided by the public SWAMP facility that has been in operation for the past three years.
Called “SWAMP-in-a-Box” (SiB), this free, self-contained version can be installed on local servers or individual computers, addressing the needs of organizations that must, or prefer to, keep their software assurance activities on premises. This marks a major step in the SWAMP’s now four-year effort to bring continuous software assurance capabilities to mainstream code developers.
Following a closed-beta testing program with 12 different testers that included commercial and federal entities, the open-beta SiB version is available for download at https://github.com/mirswamp/deployment and is distributed under an Apache open source license.
The SWAMP project was launched in 2012 by the Department of Homeland Security-Science & Technology Directorate to advance the effectiveness of software assurance technologies and to expand their adoption by software developers. The SWAMP’s key characteristics are an integrated, one-stop environment in which developers can analyze their code with multiple tools, and a unified viewer for the assessment results.
The current version of SWAMP-in-a-Box includes 15 open source tools; future releases of SiB will support integration with locally licensed commercial tools. The tools cover five languages, and assessments can be run on five platforms.
“SWAMP-in-a-Box is a significant step toward promoting a culture of continuous assurance throughout the software development community,” says Miron Livny, chief technology officer for the Morgridge Institute for Research and director of the SWAMP project. “It enables organizations that are reluctant to have their code assessed remotely to bring the power of the SWAMP to the keyboards of their developers.”
Commercial and government organizations can integrate SWAMP-in-a-Box into their local software development environment, including local continuous integration services, using the open SWAMP APIs. “We are currently working on additional integration options for future SWAMP-in-a-Box releases, such as the ability to use the organization’s existing identity and access management capabilities rather than requiring users to create new SWAMP-in-a-Box accounts,” says Jim Basney, SWAMP co-principal investigator and identity management lead from the University of Illinois at Urbana-Champaign.
SiB includes a SWAMP-specific version of the Code Dx software, which consolidates the software vulnerabilities detected by multiple assessment tools into a single view. Code Dx is an important part of the SWAMP’s ability to aggregate the strengths of multiple tools into an effective software assurance capability.
Continuous software assurance leads to a significant return on investment, adds Livny, noting that it is much more labor intensive to detect and resolve software weaknesses in the final stages of the software development life cycle than it is to address them throughout the software development and deployment processes.
ABOUT THE SWAMP
The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through an open and shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 19 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.
For more information, visit continuousassurance.org.