Last week I attended the DHS-sponsored SWA Workshop Nov. 27-29 in Washington D.C. Our DHS program manager Kevin Greene coordinated with workshop director Joe Jarzombek to include two panels in the agenda, one on software assurance tools and the second on the Software Assurance Marketplace.
The first panel included Richard Barry of Kestrel Technology, George Kuan of HRL Laboratories, Jim Kupsch of the UW-Madison’s Middleware Security and Testing Group and Ken Prole of Secure Decisions. I joined the team on the second panel. The panelists represented performers on the DHS’s Broad Agency Announcement 11-02 from the Software Assurance Tools (TTA-1) and Software Assurance Marketplace (TTA-14) Technical Topic Areas.
The whole idea was to engage the SWA community to raise awareness of these DHS initiatives and to get feedback and guidance from the community. While the panels generated a lot of interest and enthusiasm among attendees, more questions were asked than answers given. Some of the questions included: How will you qualify potential users to avoid getting overwhelmed? What platforms and VMs will be available? (Likely several Linux distros, MacOS and Windows, and two popular VM hypervisors.) How will you select the SWA tools available in the SWAMP? How will you deal with different output formats from different tools? Will you include commercial SWA tools? (We hope to.) Will you include reference data sets, as well as complete SW packages? (We expect to host excerpts from the SAMATE Reference Data Set.)
During a dinner conversation, we came to realize that while the technical challenges in building and operating the SWAMP are significant, understanding and implementing a compelling business model may be a more significant challenge. Stay tuned to this site as we start answering some of these questions and sharing specific use cases and business models. Also watch our calendar to see where we’ll be engaging the community for more feedback.