SWAMP UPDATE 1.34.6

The following updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.6 files can be obtained from the download server or from GitHub.

Noteworthy changes include:

  • We made significant updates to 3rd party sign-up and sign-in. These allow Google sign-in to work after the Google+ API was deprecated.
  • Python 3 is now the default language version for Python packages
  • Improvements for archiving downloaded packages from external URLs
  • A new version of Flow (version 0.112.0) is available for assessing web scripting packages that contain JavaScript. This version replaces all other versions.
  • A new version of Retire.js (version 2.0.3) is available for assessing web scripting packages that contain JavaScript. This version replaces all previous versions.
  • The SWAMP web API now returns more specific response codes for successful responses (response codes in the 200-299 range). Newer versions of the SWAMP plugins support the expanded response codes. New versions of the plugins can be found on our GitHub organization’s page.
  • We have updated assessment platform images and dependencies on those platforms.
  • We have discontinued support for Fedora 18, 19, and 20 assessment platforms
  • We have updated backend frameworks to include upgrading to Laravel 7.2
  • General enhancements and bug fixes

Changes specific to SWAMP-in-a-Box include:

  • A new version of Retire.js (version 2.0.3) is available for assessing web scripting packages that contain JavaScript. This version replaces all previous versions. Retire.js requires an internet connection to download the latest information about potential weaknesses. If you have configured a SWAMP-in-a-Box to run without an internet connection, you will need to create a new, custom version of Retire.js v2.0.3 to run without internet access. Please refer to the SWAMP-in-a-Box Administrator Manual section 4.3.
  • We have updated assessment platform images and dependencies on those platforms. For SWAMP-in-a-Box installations, the new Ubuntu 16.04 platform will be deployed with an upgrade to v1.34.6. For other new platforms you can download the new images and add them to your SWAMP-in-a-Box instance. Please refer to the SWAMP-in-a-Box Administrator Manual for instructions.
  • A new Android Ubuntu 12.04 platform is available for download. This image includes the Android SDK from late 2019. This image requires significant storage due to the Android SDK. Please refer to the SWAMP-in-a-Box Administrator Manual prior to downloading. The compressed image is approximately 76 GB and the uncompressed image is approximately 150 GB. You can download the Android Ubuntu platform from our download server.
  • We have discontinued support for Fedora 18, 19, and 20 assessment platforms. If you have any of these platforms installed as add-ons, they will be removed when you upgrade to v1.34.6.

Upcoming SWAMP Events

The next few months are going to be busy for the SWAMP team. Check out what we’re going to be up to, and meet up with us if you can!

More information about these and other events will be shared on the SWAMP’s home page and social media, so check back often!

Parasoft Tools Supported in SWAMP-in-a-Box

Version 10.3 of Parasoft’s C/C++test and Jtest tools are now supported as tool add-ons in SWAMP-in-a-Box (SiB), providing SWAMP users with secure, local access to Parasoft’s mature static analysis security solution inside their own network. With Parasoft support, SWAMP-in-a-Box now provides expanded access to preconfigured static analysis rulesets, including CWE Top 25, CERT, MISRA, and UL-2900.

“This is an important next step in our partnership with Parasoft to advance the adoption of Continuous Assurance,” says Miron Livny, SWAMP Director and Chief Technology Officer. “Organizations that deploy their customized instances of SWAMP-in-a-Box will benefit from easy and managed access to the evolving capabilities offered by Parasoft’s software testing solutions.”

“We’re very excited to be supporting SWAMP-in-a-Box. Parasoft was the first commercial static analysis tool available in the SWAMP, and it’s great to see the SiB feature give greater access to SWAMP capabilities by allowing users to keep analysis and code on premises,” said Arthur Hicken, Evangelist at Parasoft.

To learn more about Parasoft and SiB, join the upcoming webinar on March 8, 2018 at 1pm Eastern (12pm Central), or contact Parasoft at swamp@parasoft.com.

Outcomes from Software Security Discussions in “Dark Reading”

The SWAMP, along with several other companies and universities, participated in a recent exploratory working group focused on shaping the future of software security. The goal was to “create a very succinct and concrete plan of real-world actions that are executable today for a more resilient software world.” Four working group sessions, led by industry experts, discussed gaps in assurance tool technologies, labeling software with assurance levels to improve the software supply chain, creating a more orthogonal encyclopedia of software weaknesses than CWEs, and mobility app security threats. Read the full article on Dark Reading for the detailed talking points and takeaways.