Support for Infrastructure Operators
Infrastructure operators are tasked with bringing new technologies into their organizations. Increasingly this means incorporating open source software in a networked environment where bugs, defects or vulnerabilities can create a window of opportunity for both unintentional and malicious attacks. Assessing the quality and security in software before deployment, therefore, becomes a critical step in reducing risks. We invite infrastructure operators, security professionals and researchers to use SWAMP as an evaluative tool before deploying new technologies, or in assessing existing software packages.
Since the SWAMP enables multiple and simultaneous tool selection/assessments, infrastructure operators may find significant time savings through participation. A large human cost in using software assurance (SwA) tools is the effort required to select, acquire, install, configure, maintain, and run these tools on software the infrastructure operator wishes to deploy. The SWAMP manages most of these tasks and makes it possible for infrastructure operators to view SwA tool results from external entities who have imported software into the SWAMP for assessment. Since the costs of performing SwA in the SWAMP are lower, the return on investment is increased. As new SwA tools and capabilities are added, the infrastructure operator automatically benefits.
Other benefits to using the SWAMP are:
- Help manage risks associated with deployed software. Infrastructure operators can use the SWAMP’s software assurance (SwA) tool results as one factor in determining the risk of using the software, gauging the software’s security and quality. The SWAMP’s SwA results can also be used to provide metrics that encourage software suppliers to improve the quality and security of their software.
- Leverage community input to improve software quality. Commonly deployed software can be assessed by the software developer or user community. For open source packages maintained as a SWAMP software package, the community can view assessment results and provide feedback that can encourage software providers to improve in the area of quality and security.
- Improve visibility into changes in deployed software. Continuous Software Assurance (CSwA) is the automated, repeated assessment of software by software assurance tools. As new SwA tools are added to the SWAMP, deployed software will be analyzed with improved rigor, identifying potential problems that need to be addressed by the software provider. As new versions of software are released, SWAMP analysis will quickly identify changes in deployed software, better informing infrastructure operators of key features of interest that may impact their organization.