Tag Archives: Miron Livny

Madison.com Covers SWAMP Launch

Judy Newman, business reporter for the Wisconsin State Journal and Madison.com, spent some time talking with CTO Miron Livny, Project Manager Patrick Beyer and Outreach Coordinator Karen Hitchcock about SWAMP. Here’s her story:

 

February 04, 2014 5:10 am  •  JUDY NEWMAN | Wisconsin State Journal | jdnewman@madison.com | 608-252-6156

A new project based in Madison aims to root out software vulnerabilities that can leave the door open for viruses, website hacking or other forms of cybercrime, estimated as a $100 billion industry.

The SWAMP, or the Software Assurance Marketplace, is a collaboration of the private, nonprofit Morgridge Institute for Research along with UW-Madison, Indiana University and the University of Illinois at Champaign-Urbana.

Armed with a $23.4 million grant from the U.S. Department of Homeland Security, the SWAMP is offering its services — for free — to companies, software developers and consumers.

The goal is to improve software security, said Miron Livny, the SWAMP’s director and chief technology officer.

“The assumption is that in order to accomplish that, we have to offer better tools to find the security defects in software and we have to increase or expand the adoption or the usage of these tools,” Livny said.

The SWAMP has not designed its own security tools, but it has amassed those already available for public use, called open source software, and is making them available to the public. They can identify potential leaks or weaknesses in the software that might let scammers either take over a computer or program it to make mischief or commit fraud.

“The idea is that if you have a piece of software and you want to run it against the tools, you can bring (upload) it to the SWAMP and we will keep everything that you do confidential,” Livny said.

With security breaches over the holidays for retailers such as Target and Neiman Marcus, and more recent breaches involving several major hotel chains, Internet security has become a pressing concern, Livny added.

“This is a national issue. We all recognize how vulnerable our software is,” Livny said.

The SWAMP project has created 27 jobs, including 22 full-time positions in Madison, project manager Patrick Beyer said.

He said the federal grant will keep it operating for at least five years. After that, “it is our hope that based on the value we provide, we will continue to receive government support,” Beyer said.


SWAMP Is Open for “Business”


SWAMP launches IOC

For immediate release: February 3, 2014

National, Shared Software Assurance Facility, “SWAMP,” to Launch February 3, 2014

Madison, WI—Cybercrime is a booming, estimated $100 billion industry in the United States and shows no signs of slowing down. Attackers have an arsenal of weapons at their disposal, including social engineering (e.g. phishing), penetrating weak security protocols and exploiting software vulnerabilities that can serve as an “open window” into an organization’s IT environment. Closing those windows requires effective and accessible tools to identify and root out software vulnerabilities.

 The Software Assurance Marketplace, or the “SWAMP,” has created a resource to address this growing need that will be publicly available and free to the community on February 3, 2014.  Supported by a $23.4 million grant from the Department of Homeland Security’s Science and Technology Directorate, the SWAMP provides a state-of-the-art facility that serves as an open resource for software developers, software assurance tool developers and software researchers who wish to collaborate and improve software assurance activities in a safe, secure environment.  From the very early stages of a project and throughout its entire life cycle, the SWAMP offers continuous, automated access to a rich and evolving set of assessment capabilities.

Located in Madison, Wisconsin and designed by researchers from the Morgridge Institute for Research, the University of Wisconsin-Madison, Indiana University and the University of Illinois, Champaign-Urbana, the SWAMP provides a suite of assurance tools and software packages that serve to identify vulnerabilities and reduce false positives. According to SWAMP’s director and CTO, Miron Livny, “The magnitude of our national software assurance problem requires a comprehensive approach backed by a powerful facility that addresses all dimensions of the problem – integrated education, better tools and wider adoption.”

The initial operating capability of the SWAMP enables the assessment of Java, C and C++ software against five static analysis tools. Results are displayed via Secure Decisions’ CodeDx vulnerability results viewer, which was developed through DHS S&T’s Small Business Innovation Research program (SBIR). According to DHS software assurance program manager, Kevin Greene, “We see widespread adoption of the SWAMP as having a profound, positive impact on software systems and applications that power our critical infrastructure. Better assurance practices lead to better security, it’s that simple.” He adds, “The SWAMP collaboration is a great example of the public and private sector coming together to advance improvements in software assurance activities to deal with emerging cyber threats.”

The SWAMP’s initial assurance tools include FindBugs, PMD, Clang, CppCheck and GCC, with a choice of eight platforms. Over the five-year project, SWAMP will add multiple assessment capabilities including mobile, dynamic and binary analysis tools.

About the Software Assurance Marketplace

The “SWAMP” is a national software assurance resource funded by a grant from the Department of Homeland Security Science and Technology Directorate. Software developers, assurance tool developers, educators and IT professionals can use the SWAMP for free to perform vulnerability assessments.

To learn more about SWAMP, visit continuousassurance.org.

To schedule an interview with SWAMP leadership or for more information, contact Irene Landrum at swamp@continuousassurance.org.

To contact DHS Software Assurance Marketplace’s program manager, Kevin E. Greene: kevin.greene@hq.dhs.gov.

SWAMP is housed in and supported by the Morgridge Institute for Research. Collaborators include Indiana University Center for Applied Cybersecurity Research, the University of Wisconsin Computer Sciences and the National Center for Supercomputing Applications through University of Illinois at Champaign-Urbana.

Join us for SWAMP’s Virtual Town Hall Meetings

Executive Session: Prioritizing Software Assurance for Risk Management

We’re getting excited about two events we’re hosting this week in collaboration with T.E.N., Inc. in Atlanta.

Tomorrow, January 22 from 2-3PM ET, our CTO and Director Miron Livny will co-present with NASA Ames Research Center’s Jerry Davis about the importance of software assurance. These two highly accomplished execs will discuss the role of software assurance in risk management and share their own experiences from the academic and government environments. It’s not too late to register and participate in the conversation. Miron and Jerry will be taking plenty of questions from the audience.


Developer Session: Good Security Starts with Software Assurance

For developers, we’re hosting another open session featuring SWAMP’s Chief Science Officer Barton Miller and Cox Communications’ Phil Agcaoili. Both have experiences to share about best tools, practices and the importance of software assurance in the software development lifecycle.

Again, there will be plenty of time for questions from the audience, so please set aside the time to learn more about SwA and the SWAMP.



Unique Opportunities to Transform the Software EcoSystem

For the past week I’ve been attending meetings hosted by Department of Homeland Security’s Science and Technology Division. The program managers, like our own Kevin Greene and his staff (shout out to Yolanda!), have planned a highly successful event that fostered meaningful connections. As the SWAMP’s outreach professional, I value human connections above all else, so was pleased that there was ample time allowed for networking.

I met some amazing individuals and teams who are working hard to make our world a safer place by creating security tools, software assurance tools, and  research in the field of human factors and identity management. As an American, I feel safer just knowing that this many smart people are on the problem!

I was also excited to talk about the SWAMP and our vision for the future when SWAMP becomes broadly adopted.  We are aiming high. We truly believe that with wide adoption, we will see better, safer software applications and better assurance tools. Even more, we believe that these more effective assurance tools will be critical to transforming our SwA ecosystem.

Some reports claim that $320 billion was lost last year due to software failures. Can we imagine a world where developers incorporate continuous assurance practices into their development lifecycle? If this happens, will we see critical vulnerabilities corrected before deployment? And if these are fixed, will we see a safer software ecosystem that is more resistant to malicious attacks?

by Karen Hitchcock

Miron Livny Speaks at WIN

Miron spoke at the Wisconsin Innovation Network Luncheon on cybersecurity Tuesday, Feb. 26, 2013, along with Josh Bressers of Red Hat.

There were roughly 40 attendees who offered many questions on the general topic of cybersecurity and how the SWAMP will play a role in improving software security.

Josh is the front-end security lead for Red Hat. By front-end he means all the things that make Red Hat software more secure BEFORE it leaves the door. That includes developer education related to secure coding practices (really just getting started here), as well as manual and automated analysis.

After the lunch, Josh spent a bit of time with the MIR SWAMP team and the UW’s Jim Kupsch, discussing broad ways in which Red Hat and SWAMP could potentially collaborate including:

  1. Development, sharing and dissemination of secure coding practice educational materials
  2. Sponsoring or contributing to open source SWA tool development
  3. Using SWAMP for some of their ‘front end’ security operations

Josh also mentioned a Fedora project called Firehose – An Interchange Format for Static Code Analysis Results – a capability we are interested in supporting in SWAMP.