On Tuesday Feb. 5, Kevin Greene (DHS Program Manager for SWAMP) and I presented to the New York City Chapter of the Open Web Application Security Project (OWASP). Kevin provided an overview of DHS's software assurance (SWA) efforts and I presented SWAMP in more detail.
This was our first chance to share our initial list of open source SWA tools and platforms that SWAMP will host. While most people I talked with after the presentation supported our tool list, a show of hands at the meeting indicated that only about 10% of the audience currently uses one or more of those tools. Perhaps that is not surprising: the current list of tools is focused on C/C++ and Java. While those are good and still active languages for some open source and many commercial software development projects, many attendees pointed out that Ruby (on Rails) and Python are the go-to languages for most open source web development today. We also talked about the growing importance of frameworks, and several attendees suggested we should consider analyzing those in the SWAMP. Static analysis for interpreted languages like Ruby and Python is a tricky business and the available tools are limited (Brakeman for Ruby on Rails was mentioned), so we need to keep watching for the best way to support these languages as they grow in popularity. Do keep in mind that this is an initial list; we expect to grow our selection of tools and supported languages over time, as community need warrants.