This column is available in a weekly newsletter called IT Best Practices.
Software touches every aspect of our lives today. Not only does it run our office computers and smartphones, it also controls transportation systems, utility grids, weapons guidance systems, medical devices, our personal vehicles, embedded systems of every ilk, and so much more.
As vital as software has become, it's not infallible. After all, it's built by humans, and we are known to make mistakes from time to time.
In today's environment of malicious actors looking for every opportunity to launch a cyber attack, it's absolutely critical that software developers use every tool at their disposal to assess their software for potential vulnerabilities. Large commercial software companies like Microsoft have their own resources to put their software through extensive assurance testing, but smaller developers and open source developers have not had access to the same resources—until now.
Now there is a free online service called the SoftWare Assurance MarketPlace (SWAMP) that software developers can use to put their packages through a battery of tests to check for weaknesses and potential vulnerabilities. The U.S. Department of Homeland Security (DHS) Science and Technology Directorate has funded the SWAMP in order to significantly lower the cost and complexity barriers of software security testing for the industry at large. The overall mission of the SWAMP is to bring a transformative change to the software assurance landscape by providing a national marketplace that provides continuous software assurance capabilities to researchers and developers.
The SWAMP consists of a high-throughput computing platform, open source and commercial security testing tools, and a centralized confidential viewer that prioritizes the found weaknesses to dramatically simplify the remediation process.
Barton Miller, a professor of computer science at the University of Wisconsin-Madison, is the chief scientist for the SWAMP. Miller says that basically anyone who has a software package can upload that package to the SWAMP and start doing assessments of their software. They have access to a variety of testing tools that scan the code and report the weaknesses that each tool is particularly good at finding. He recommends that a developer use multiple tools because each one is good at different kinds of things. The results from all these tools are fed into a viewer that normalizes the results and produces an easy-to-read report.
"After the assessment runs, the developer can interact with this web-based interface that lets them navigate through the results on their code and try to find the things that are of high interest," says Miller. "The results are categorized from 'most serious' to 'least serious' to help the developer prioritize the remediation work. It's quite a nice resource for the software development community to have at its disposal."
Tool developers also can benefit from using the SWAMP, according to Kevin Greene, Software Assurance Program Manager with DHS. "We have a huge collection of open source software packages and test cases with known weaknesses in the code. These test cases are actively developed to be used as calibration tools to help determine how well tools can detect known weaknesses in code. Also, tool developers can run their tools against others in the SWAMP to see how they compare, and use that information to help close the gaps that exist in their tool. The end result is that testing tools get better through this process, which in turn helps the software development industry as a whole."
Another aspect of the SWAMP is that it can be used to educate developers. "If we look at the evolution of software over the last decade or so, the overall quality of software has not improved," says Greene. "I think that is partly because we haven't done the necessary things from an academic perspective to really teach good computer science, good software engineering, and good design principles."
Miller, the college professor, agrees. "Clearly programmers need help," says Miller. "Education is important and the complement to education is giving programmers the tools to help check their code and give them feedback on things they are doing in the program that are going to be risky, or that make it easier for an attacker to own their system." Miller says if a professor wants his class to learn about secure programming techniques, the SWAMP could be used in that role. "Students in a computer security class who want to learn about tools can use the SWAMP. They can run their software against all of the software tools we have uploaded there," explains Miller.
Greene says that the SWAMP will continue to support more environments and coding languages as time goes by. Moreover, the SWAMP is adding several commercial testing tools on September 22 as well as the support of organizations such as OWASP, Veracode and several others to be named soon.
Are you interested in giving the SWAMP a try? It's open for business at https://continuousassurance.org/. To create an account and start using the SWAMP today, visit https://mir-swamp.org. There's a video tour to help you get started by walking you through creating an account and performing basic functions in the SWAMP.