In response to an interesting article from Contrast Security on libraries and application security, SWAMP Chief Scientist Dr. Barton Miller explains how the SWAMP will augment appsec:
“Thank you Dave for stressing the importance of libraries when thinking about software assurance. This is certainly an issue that has motivated our approach to building the code assessment capabilities of the SWAMP.
We fully share your view that the issue of vulnerabilities in libraries is a serious and challenging problem. This has been well noted by the security research community and is seen in CWE and CVE reports associated with popular libraries. And run-time (dynamic) tools are an important element of the solution to this problem.
In the SWAMP, we are taking a security-in-depth approach that enables software developers to combine both static and dynamic techniques when continuously assessing their code. In the static domain, this means the detection of library dependencies at build time (a technology that the SWAMP supports) and then assuring that all components are assessed. This approach can be made quite tractable by recording which library versions have already been assessed and reusing those results. In the dynamic domain, this means running tools that will follow execution into these dependent libraries and assess them.
As we move to include dynamic tools in the SWAMP, we would be happy to see a tool like Contrast included in the selection of tools that are part of our evolving marketplace.”
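The build-time bookkeeping Dr. Miller describes, as an added Python illustration that is not SWAMP code: a constructed dependency list is checked against a constructed cache of prior assessments, results are reused only for an exact (name, version, digest) match, and every remaining component is queued so that all components end up assessed. The detector output format and the cache layout are assumptions.

```python
# Constructed output of a hypothetical build-time dependency detector:
# one "name version digest" line per library the build pulled in.
DETECTED_DEPENDENCIES = """\
libjson  2.4.1 sha256:1111
libxml   1.9.0 sha256:2222
libcrypt 3.0.2 sha256:3333
"""

# Constructed store of earlier assessment results, keyed by the full
# (name, version, digest) triple so a same-version artifact with a
# different digest is NOT treated as already assessed.
ASSESSED_CACHE = {
    ("libjson", "2.4.1", "sha256:1111"): {"findings": 0},   # exact match: reuse
    ("libxml", "1.8.0", "sha256:9999"): {"findings": 2},    # only an older version assessed
    ("libcrypt", "3.0.2", "sha256:ffff"): {"findings": 1},  # version matches, digest does not
}


def parse_dependencies(text):
    """Turn detector output into (name, version, digest) triples; skip blanks and comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, digest = line.split()
        deps.append((name, version, digest))
    return deps


def plan_assessment(deps, cache):
    """Split dependencies into reusable prior results and components still to assess.
    Every detected component lands in exactly one of the two, so nothing is skipped."""
    reused, to_assess = {}, []
    for dep in deps:
        if dep in cache:
            reused[dep] = cache[dep]
        else:
            to_assess.append(dep)
    return reused, to_assess


def record_result(cache, dep, findings):
    """Store a finished assessment so later builds of the same artifact reuse it."""
    cache[dep] = {"findings": findings}


def all_components_covered(deps, cache):
    """True once every detected dependency has a recorded assessment."""
    return all(dep in cache for dep in deps)
```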