Tool Capabilities

Designed to accelerate the adoption of continuous software assurance practices, the SWAMP facility fills an important niche: software assurance best practices call for running multiple testing tools to build a comprehensive view of an application's weaknesses. According to a NIST research report, different tools find different weaknesses, and over two-thirds of the detected software defects were found by only one tool. The report went on to note that it was very rare for the same code defect to be detected by three or more tools (Report on the Static Analysis Tool Exposition (SATE) IV, January 2013). Additionally, the National Security Agency Center for Assured Software published a separate study of over 60,000 test cases comprising several million lines of source code (6.5 million+ for C/C++ and 3.2 million for Java), which showed that only 14 percent of the known software defects were detected, even when multiple tools were used. To address this deficiency, the SWAMP offers a large collection of both commercial and open-source testing tools to support better software assurance practices and identify a larger array of weaknesses.

List of Tools Available in the SWAMP

Open-Source Tools

After studying data from a wide variety of sources, collecting input from practitioners in the field, and building on the experience of the SWAMP team members, the SWAMP today offers a collection of open-source static analysis tools. The SWAMP chooses to integrate tools based on the following criteria:

  • They support languages currently available or being integrated into the SWAMP.
  • They cover important classes of CWEs such as injections, buffer handling, information leaks, numeric handling, and web deceptions.
  • They are at the top of their class for tools of their type.
  • Development of the tool does not appear to have stagnated or to have been abandoned.
  • They are functionally representative of other tools for the same languages.

If you are an open-source tool developer interested in adding a tool to the SWAMP, please send a request to support@continuousassurance.org with a brief description of your tool and your contact information.

Commercial Tools

Commercial tool vendors are committed to improving software assurance as a whole and, as a result, have offered the use of many of their tools in the SWAMP. This in turn will help advance the state of cybersecurity and improve the resilience of the open-source software relied upon throughout the software community. The following commercial tools will be rolled out, with Parasoft Jtest, Parasoft C/C++test, GrammaTech CodeSonar, and Synopsys Coverity available today.

  • Parasoft's code analysis for Java (Jtest) and C/C++ (C/C++test) applications helps developers prevent and eliminate defects. Drawing on 15 years of research that has produced thousands of rules based on industry standards and best practices, testers can find code patterns and identify security vulnerabilities quickly. Now available!
  • GrammaTech's CodeSonar static analysis solution addresses complex embedded-development challenges to eliminate the most costly and hard-to-find defects. Designed for zero-tolerance defect environments, CodeSonar's advanced static analysis engine typically catches twice as many critical defects as other static analysis tools, while maintaining user-friendly false-positive rates and providing significantly better detection of the toughest defects. Now available!
  • Synopsys's Coverity tool is a comprehensive static analysis and Static Application Security Testing (SAST) platform that finds critical defects and security weaknesses in code as it is written, before they become vulnerabilities. Now available!
  • Sonatype's Application Health Check tool provides a bill-of-materials inventory of the open-source and proprietary components in your code, including security vulnerabilities and license issues. Coming in 2017.
  • Programming Research's static analyzers for C and C++ (QA·C and QA·C++) provide sophisticated bug detection and compliance checking against coding standards. Coming in 2017.

If you are a commercial tool developer interested in adding a tool to the SWAMP, please send a request to support@continuousassurance.org with a brief description of your tool and your contact information.

Results Viewers

Code Dx

Since multiple tools are necessary to create a truly comprehensive view of a software application's weaknesses, Code Dx, an integrated results viewer, provides a critical piece that has been missing from the software assurance process. Aggregating testing results into a single platform has been hard to automate because different tools use no standardized naming conventions or severity ratings, nor is there a standard format for presenting tool results. Code Dx is a software assurance analytics tool that consolidates, normalizes, prioritizes, and displays all of the weaknesses detected by these disparate tools in a centralized viewer.

Code Dx enables SWAMP users to visualize and correlate the security weaknesses in their software. In addition, Code Dx improves coding processes by tracing each weakness to specific areas or lines of code, and it provides trend analysis across assessments. Developers can reach an acceptable level of software assurance by learning one viewer and using it across many tools, while injecting security best practices into the software development life cycle (SDLC).
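To make the normalization problem concrete, here is an added example that is not Code Dx's code nor any SWAMP component: two hypothetical tools (tool_a and tool_b) report the same kinds of defects under different rule names and on different severity scales. The script maps each native rule ID to a CWE, maps each severity to a common 1..4 scale, merges findings that land on the same file, line and CWE, and ranks the result. The tool names, rule IDs, mapping tables and findings are all constructed for illustration; a real deployment would maintain the mappings per tool version.

```python
"""Consolidate findings from disparate static analysis tools into one ranked view.

Added illustration: tool names, rule IDs, severity scales and findings below
are constructed, not the output of any real tool.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One raw finding exactly as a (hypothetical) tool reported it."""
    tool: str
    rule: str       # tool-native rule identifier
    severity: str   # tool-native severity label
    file: str
    line: int


@dataclass
class Consolidated:
    """One weakness after normalization, possibly reported by several tools."""
    file: str
    line: int
    cwe: str
    severity: int                      # common scale: 1 = info ... 4 = critical
    tools: set = field(default_factory=set)
    native_rules: set = field(default_factory=set)


# Assumed per-tool mapping of native rule IDs to CWE identifiers.
RULE_TO_CWE = {
    "tool_a": {"BUF.OVERFLOW": "CWE-120", "SQLI": "CWE-89", "NULL.DEREF": "CWE-476"},
    "tool_b": {"buffer-overflow": "CWE-120", "sql-injection": "CWE-89",
               "format-string": "CWE-134"},
}

# Assumed per-tool mapping of native severity labels to the common 1..4 scale.
SEVERITY_TO_COMMON = {
    "tool_a": {"low": 1, "medium": 2, "high": 3, "critical": 4},
    "tool_b": {"P3": 2, "P2": 3, "P1": 4},
}


def normalize(f: Finding) -> tuple[str, int]:
    """Return (category, common_severity) for a raw finding.

    A rule with no CWE mapping keeps a tool-qualified name so it is still
    reported, but it can then only merge with findings from the same tool.
    Unknown severities are treated conservatively as informational (1).
    """
    cwe = RULE_TO_CWE.get(f.tool, {}).get(f.rule, f"{f.tool}:{f.rule}")
    sev = SEVERITY_TO_COMMON.get(f.tool, {}).get(f.severity, 1)
    return cwe, sev


def consolidate(findings: list[Finding]) -> dict[tuple, Consolidated]:
    """Merge findings keyed by (file, line, category); keep the highest severity."""
    merged: dict[tuple, Consolidated] = {}
    for f in findings:
        cwe, sev = normalize(f)
        key = (f.file, f.line, cwe)
        entry = merged.setdefault(key, Consolidated(f.file, f.line, cwe, sev))
        entry.severity = max(entry.severity, sev)
        entry.tools.add(f.tool)
        entry.native_rules.add(f"{f.tool}:{f.rule}")
    return merged


def prioritize(merged: dict[tuple, Consolidated]) -> list[Consolidated]:
    """Rank by severity, then by how many independent tools agree, then location."""
    return sorted(merged.values(),
                  key=lambda c: (-c.severity, -len(c.tools), c.file, c.line))


def single_tool_fraction(merged: dict[tuple, Consolidated]) -> float:
    """Share of consolidated weaknesses that only one tool reported."""
    if not merged:
        return 0.0
    return sum(1 for c in merged.values() if len(c.tools) == 1) / len(merged)


# Constructed sample input: two tools run over the same package.
SAMPLE_FINDINGS = [
    Finding("tool_a", "BUF.OVERFLOW", "high", "src/parse.c", 42),
    Finding("tool_a", "SQLI", "medium", "src/db.py", 17),
    Finding("tool_a", "NULL.DEREF", "low", "src/util.c", 88),
    Finding("tool_b", "buffer-overflow", "P1", "src/parse.c", 42),
    Finding("tool_b", "sql-injection", "P2", "src/db.py", 17),
    Finding("tool_b", "format-string", "P2", "src/log.c", 10),
    Finding("tool_b", "taint-check", "P3", "src/net.c", 5),   # no CWE mapping
]

if __name__ == "__main__":
    ranked = prioritize(consolidate(SAMPLE_FINDINGS))
    for c in ranked:
        print(f"sev={c.severity} {c.cwe:<18} {c.file}:{c.line} "
              f"tools={sorted(c.tools)} rules={sorted(c.native_rules)}")
    print(f"found by a single tool: {single_tool_fraction(consolidate(SAMPLE_FINDINGS)):.0%}")
```

The merge key deliberately includes the normalized category: a buffer overflow and a null dereference on the same line remain two weaknesses, while the same overflow reported under two native rule names collapses into one entry that records both tools. The unmapped `taint-check` finding shows the caveat any aggregator faces: until a rule is mapped to a shared taxonomy, the viewer can display it but cannot correlate it with other tools' results.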

ThreadFix

The Denim Group's ThreadFix results viewer was integrated with the SWAMP in 2016. ThreadFix is a software vulnerability aggregation and management system designed to reduce the time needed to fix software vulnerabilities by providing a centralized view of software security defects. The ThreadFix Community Edition allows users to view assessment results from the Clang Static Analyzer tool run against C/C++ software packages in the SWAMP.

Native Viewer

Developed by the SWAMP, the Native viewer provides a basic, HTML-based summary of the results from a single assessment tool.