For the past week I’ve been attending meetings hosted by the Department of Homeland Security’s Science and Technology Division. The program managers, like our own Kevin Greene and his staff (shout out to Yolanda!), have planned a highly successful event that fostered meaningful connections. As the SWAMP’s outreach professional, I value human connections above all else, so I was pleased that there was ample time allowed for networking.
I met some amazing individuals and teams who are working hard to make our world a safer place by creating security tools, software assurance tools, and research in the field of human factors and identity management. As an American, I feel safer just knowing that this many smart people are on the problem!
I was also excited to talk about the SWAMP and our vision for the future when the SWAMP becomes broadly adopted. We are aiming high. We truly believe that with wide adoption, we will see better, safer software applications and better assurance tools. Even more, we believe that these more effective assurance tools will be critical to transforming our SwA ecosystem.
Some reports claim that $320 billion was lost last year due to software failures. Can we imagine a world where developers incorporate continuous assurance practices into their development lifecycle? If this happens, will we see critical vulnerabilities corrected before deployment? And if these are fixed, will we see a safer software ecosystem that is more resistant to malicious attacks?
by Karen Hitchcock
Last week I attended the DHS-sponsored SWA Workshop Nov. 27-29 in Washington D.C. Our DHS program manager Kevin Greene coordinated with workshop director Joe Jarzombek to include two panels in the agenda, one on software assurance tools and the second on the Software Assurance Marketplace.
The first panel included Richard Barry of Kestrel Technology, George Kuan of HRL Laboratories, Jim Kupsch of UW-Madison’s Middleware Security and Testing Group and Ken Prole of Secure Decisions. I joined the team on the second panel. The panelists represented performers on the DHS’s Broad Agency Announcement 11-02 from the Software Assurance Tools (TTA-1) and Software Assurance Marketplace (TTA-14) Technical Topic Areas.
The whole idea was to engage the SWA community to raise awareness of these DHS initiatives and to get feedback and guidance from the community. While the panels generated a lot of interest and enthusiasm among attendees, more questions were asked than answers given. Some of the questions included: How will you qualify potential users to avoid getting overwhelmed? What platforms and VMs will be available? (Likely several Linux distros, MacOS and Windows, and two popular VM hypervisors.) How will you select the SWA tools available in the SWAMP? How will you deal with different output formats from different tools? Will you include commercial SWA tools? (We hope to.) Will you include reference data sets, as well as complete SW packages? (We expect to host excerpts from the SAMATE Reference Data Set.)
During a dinner conversation, we came to realize that while the technical challenges in building and operating the SWAMP are significant, understanding and implementing a compelling business model may be a more significant challenge. Stay tuned to this site as we start answering some of these questions and sharing specific use cases and business models. Also watch our calendar to see where we’ll be engaging the community for more feedback.