Application Security Testing

The SWAMP offers a no-cost, cloud-based, high-throughput computing platform at mir-swamp.org that is capable of analyzing over 275 million lines of code each day. With this infrastructure, users can conduct a variety of tests on applications of any size in a timely manner. The SWAMP staff maintains and updates all tools and platforms available in the SWAMP, so that users can focus on testing rather than on the infrastructure needed to support it.

The SWAMP’s shared, continuous assurance facility simplifies integrating security into the classroom and software development life cycle by offering a marketplace of open-source and commercial software analysis tools to perform comprehensive security testing on your own applications. A library of public applications with known vulnerabilities is also provided for download, testing, and assessment. Research has shown that it is necessary to use more than one tool when testing a software package to ensure that secure coding practices were followed and that there are no vulnerabilities in the application. In the SWAMP, results from multiple testing tools are compiled into a single integrated viewer that presents identified weaknesses in a way that helps users prioritize and fix each error in the code. As weaknesses are addressed, software applications become more secure but should be reassessed to ensure that no new weaknesses were introduced during the remediation process or throughout the software development life cycle.
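The multi-tool aggregation described above, as an added illustration that is not SWAMP's own code or viewer: two constructed tool outputs in different shapes are normalized to one record type, reports of the same location and CWE are merged, the merged weaknesses are ranked by severity and by how many tools agree, and a second assessment is compared against the first to surface weaknesses introduced during remediation. The tool names ("toolA", "toolB"), record shapes, file paths and findings are all constructed for this example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Common severity scale; each tool's own levels are mapped onto it.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One weakness report, normalized across tools."""
    tool: str
    path: str
    line: int
    cwe: str
    severity: str
    message: str


# Constructed sample output of a hypothetical "toolA" (separate file/line, error/warning levels).
TOOL_A_RESULTS = [
    {"file": "src/db.py", "line": 42, "cwe": "CWE-89", "level": "error",
     "msg": "SQL query built with string concatenation"},
    {"file": "src/auth.py", "line": 17, "cwe": "CWE-798", "level": "warning",
     "msg": "hard-coded credential"},
]

# Constructed sample output of a hypothetical "toolB" (path:line location, high/medium/low).
TOOL_B_RESULTS = [
    {"location": "src/db.py:42", "rule": "CWE-89", "sev": "high",
     "text": "possible SQL injection"},
    {"location": "src/util.py:5", "rule": "CWE-78", "sev": "medium",
     "text": "shell command built from untrusted input"},
]

TOOL_A_LEVELS = {"error": "high", "warning": "medium", "note": "low"}


def normalize_tool_a(records: list[dict]) -> list[Finding]:
    return [Finding("toolA", r["file"], int(r["line"]), r["cwe"],
                    TOOL_A_LEVELS[r["level"]], r["msg"]) for r in records]


def normalize_tool_b(records: list[dict]) -> list[Finding]:
    out = []
    for r in records:
        path, _, line = r["location"].rpartition(":")
        out.append(Finding("toolB", path, int(line), r["rule"], r["sev"], r["text"]))
    return out


def merge_findings(findings: list[Finding]) -> list[dict]:
    """Collapse reports of the same (path, line, CWE) into one weakness.

    Keeps the highest severity any tool assigned and records which tools agree.
    Matching on the exact line number is a simplification of what a real viewer does.
    """
    groups: dict[tuple, list[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.path, f.line, f.cwe)].append(f)
    merged = []
    for (path, line, cwe), group in groups.items():
        merged.append({
            "path": path, "line": line, "cwe": cwe,
            "tools": sorted({f.tool for f in group}),
            "severity": max((f.severity for f in group), key=SEVERITY_RANK.__getitem__),
            "messages": sorted({f.message for f in group}),
        })
    return merged


def prioritize(merged: list[dict]) -> list[dict]:
    """Highest severity first, then weaknesses more tools agree on, then by location."""
    return sorted(merged, key=lambda m: (-SEVERITY_RANK[m["severity"]],
                                         -len(m["tools"]), m["path"], m["line"]))


def assess(tool_a_records: list[dict], tool_b_records: list[dict]) -> list[dict]:
    """Full pipeline: normalize both tools' output, merge, and rank."""
    findings = normalize_tool_a(tool_a_records) + normalize_tool_b(tool_b_records)
    return prioritize(merge_findings(findings))


def new_weaknesses(before: list[dict], after: list[dict]) -> list[dict]:
    """Weaknesses present in a reassessment that were not in the earlier one."""
    seen = {(m["path"], m["line"], m["cwe"]) for m in before}
    return [m for m in after if (m["path"], m["line"], m["cwe"]) not in seen]


if __name__ == "__main__":
    for m in assess(TOOL_A_RESULTS, TOOL_B_RESULTS):
        print(f'{m["severity"]:6} {m["cwe"]:8} {m["path"]}:{m["line"]}  '
              f'reported by {", ".join(m["tools"])}')
```

Ranking by tool agreement is what makes running several analyzers pay off: a weakness two independent tools flag at the same location is far less likely to be a false positive than one flagged by a single tool, so it rises to the top of the remediation queue. Comparing a reassessment against the previous one with `new_weaknesses` is the check the paragraph calls for after fixes are applied.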

Join the SWAMP by creating an account or logging in through GitHub, Google, or CILogon. Next, upload your own software packages written in Java source, Java bytecode, C/C++, Python, Ruby on Rails, Android Mobile Code, PHP, JavaScript, HTML, CSS, XML, or .NET on Linux, or select a public package hosted in the SWAMP. Then, choose one or more tools to schedule an assessment run. Finally, review the results in one of the results viewers. Project ownership allows you to invite other SWAMP users to collaborate on software assessments and results remediation. All SWAMP activities are kept confidential (SWAMP Privacy Policy) to protect each user’s intellectual property.

Tool Development

According to research from the National Institute of Standards and Technology (NIST) and the National Security Agency Center for Assured Software, it takes a multitude of different tools to comprehensively assess an application’s weaknesses. But even then, some may go undetected. To improve the state of software assurance as a whole, it is necessary to improve the tools used for testing.

Beyond providing a secure and powerful platform to test software applications for vulnerabilities, the SWAMP can serve as an online laboratory that tool developers can use to improve the precision and scope of their tools. Tool developers can contact the SWAMP to integrate their tools for private testing or public use. Once a tool is added, the developer can assess their own applications or leverage over 500 open-source software packages hosted in the SWAMP to test the effectiveness of the tool. The curated set of packages hosted in the SWAMP includes 286 from the NIST Juliet Test Suite and 12 BugInjector packages containing over 9700 versions or test cases. This growing list of public packages represents the programming languages supported in the SWAMP.

List of Tools Available in the SWAMP

List of Platforms Available in the SWAMP

List of Curated Public Packages Available in the SWAMP