The Department of Homeland Security (DHS) has launched a Web portal aimed at assisting software developers in vetting their code for weaknesses hackers can exploit. The DHS calls this portal the Software Assurance Marketplace, or SWAMP for short. It’s not a ‘marketplace’ in the sense that money is changing hands for products and services, but rather more a place to share tools, techniques and information.
“We want to be able to assist software developers to be able to vet their code for weakness, such as Heartbleed,” says Kevin Greene, SWAMP’s program manager in the cyber security division of the Science & Technology Directorate of the Dept. of Homeland Security. SWAMP launched just a few months ago with the purpose of aggregating code-testing tools for general use and improving them. None of the static analysis tools that SWAMP identified would have been able to detect the Heartbleed Bug, Greene points out.
“We want to find breakthroughs in software analysis,” he says. In addition to making software security testing tools available, SWAMP has set up a way to let registered users upload their code to be tested as well in an anonymized fashion in a workflow-based environment. Greene says SWAMP isn’t intended to be strictly about open source, and he would like to see those with strong interest in proprietary tools get involved as well.
One impetus for establishing SWAMP was an internal study done by the National Security Agency that pointed to inadequacies in both open-source and proprietary code-testing tools, says Greene. That study has not been made public. The National Institute of Standards and Technology has also weighed in on the topic, and these were factors that prompted DHS a few years ago to fund the SWAMP concept under a $5 million five-year contract that runs through 2017. The prime contractor is the Morgridge Institute of Research, with the University of Wisconsin, the University of Illinois and Indiana University as sub-contractors.
Some with ties to open-source are welcoming the SWAMP concept.
“SWAMP is in its infancy but we see the leading indicators of community interest,” says Wayne Jackson, CEO at Sonatype. “Ultimately though, its success depends on innovation. The current generation of tools just aren’t well suited to assessing and improving software with the scale and granularity that the SWAMP infrastructure is able to support.”
Jackson adds that the aspirations of SWAMP are “tremendously important” in seeking to find ways to improve software quality, “especially in the open source realm that is the underpinning of nearly all software development today.”
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org