The SWAMP: How to avoid the coming software armageddon

A new service has been funded by the DHS that will make multi-tool software assurance testing faster, cheaper, and easier

I have bad news for you: Your applications (and Web applications in particular) are a disaster waiting to happen, and that’s on top of the vulnerabilities your network infrastructure already has. According to Naked Security, published by Sophos (the emphasis is mine):

2013 was a bumper year for data loss … In 2164 separate incidents, over 822 million records were exposed, nearly doubling the previous highest year on record (2011). Four of those breaches made the all-time top ten and almost half involved the loss of password data.

Hacking accounted for almost 60% of incidents, and over 70% of leaked records.

In other words, protecting your critical infrastructure is already incredibly hard and will continue to become more difficult, with hacking being the biggest threat. As for the consequences … they will become progressively more costly, to the point where they will eventually have the potential to destroy even the biggest organizations.

But there is something that can be done: Start performing better software vulnerability testing and do so on a continuous, ongoing basis. 

In fact, the issue of poor and inadequate application testing is so serious and such a huge risk to every organization that the US Department of Homeland Security (DHS) has started an initiative targeted at improving the software assurance process. Yes, those people who pat you down at airports to make sure you don’t get on a plane with a bottle of water bigger than a thimble funded the Software Assurance Marketplace (SWAMP) to the tune of $23.4 million to create:

… a state of-the-art software platform designed to serve as an open resource for software developers, assurance tool developers, and researchers to perform continuous software assurance (CSwA) testing in a safe, secure environment. 

The SWAMP was designed and is managed by the Morgridge Institute for Research which acts as the project's prime contractor and cooperates with researchers from the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison.

What the SWAMP offers are tools and support for software developers to help them detect and reduce vulnerabilities and weaknesses, and increase quality, by simplifying the use of multiple software assurance (SwA) tools. The use of multiple tools is crucial to the SWAMP SwA strategy because (obviously) no single tool can detect all vulnerabilities in all situations. The SWAMP explains:

There are large human costs associated with selecting, acquiring, installing, configuring, maintaining, and integrating a SwA tool into the development process. These costs can increase exponentially when using multiple SwA tools. Using the SWAMP eliminates these costs, as the SWAMP staff and tool providers manage the tools, and the SWAMP automates the application of the tools. A software package developer simply makes software available for assessment in the SWAMP and then selects the SwA tools to be used for the analysis.

The SWAMP currently hosts:

… almost 400 open source software packages, including 286 packages from the National Institute for Standards and Technology (NIST) Juliet Test Suite. The Juliet Test Suite is a collection of over 81,000 synthetic C/C++ and Java public domain programs with known flaws. These known flaws can be used to test the effectiveness of static analyzers and other software assurance tools. The Juliet Test Suite covers 181 different Common Weakness Enumerations (CWEs) and also includes similar, but non-flawed, code to test for tool discrimination. As tool weaknesses are revealed by using these applications, tool developers can use that information to improve the capabilities of their tools.

The SWAMP also actively fosters community input so that developers and users can cooperate on security improvements.

Another goal of the SWAMP is to encourage and support Continuous Software Assurance (CSwA): the automated, repeated assessment of software by SwA tools. Software developers can schedule recurring software package assessments. By comparing results from one assessment to the next, the software package developer can easily detect regressions or improvements between versions.

To drive this huge testing infrastructure the SWAMP currently has a “state-of-the-art, secure facility offering 700 cores, 5 TB of RAM, and 104 TB of HDD.”

The SWAMP currently supports applications written in C/C++, Java (source and bytecode), and Python (PHP and JavaScript to be added soon) running on Debian Linux, Fedora Linux, Red Hat Enterprise Linux (32 and 64 bit), Scientific Linux (32 and 64 bit), and Ubuntu (with Android, OS X, and Windows on the way). The current roster of SwA tools includes Clang, CPPCheck, GCC, FindBugs with FindSecurityBugs, PMD, error-prone, and Checkstyle.

Using the SWAMP is straightforward: After you have registered, you upload your project package …

[Figure: Creating a SWAMP assessment]

… select your target platform and version, package and version, and tools and versions …

[Figure: Creating a SWAMP assessment]

… and then view the results ordered by severity …

[Figure: Results report generated by the SWAMP]

You then fix the issues and run the process all over again, hopefully improving software quality on each iteration.
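The workflow above, multiple tools, results ordered by severity, and one assessment compared against the next, reduces to a small piece of bookkeeping. The following is an added illustration, not SWAMP's own code or result format: the tool names, CWE numbers and finding records are constructed, and the (cwe, file, line) key used to merge duplicate reports is an assumption.

```python
"""Merge findings from several SwA tools, order them by severity, and compare
two assessment runs of the same package to flag regressions and fixes.
Constructed example; the record layout is assumed, not a SWAMP format."""
from collections import namedtuple

Finding = namedtuple("Finding", "tool cwe file line severity")

# Severity rank used for ordering: higher sorts first.
SEVERITY = {"high": 3, "medium": 2, "low": 1}

def normalize(findings):
    """Collapse the same weakness reported by several tools into one
    (cwe, file, line) key, keeping the highest severity and the set of tools."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        tools, sev = merged.get(key, (set(), "low"))
        tools.add(f.tool)
        if SEVERITY[f.severity] > SEVERITY[sev]:
            sev = f.severity
        merged[key] = (tools, sev)
    return merged

def ordered_by_severity(merged):
    """Keys most severe first, then by file and line for a stable report."""
    return sorted(merged, key=lambda k: (-SEVERITY[merged[k][1]], k[1], k[2]))

def compare_runs(previous, current):
    """Regressions: keys only in the current run. Fixed: keys only in the previous."""
    prev, cur = normalize(previous), normalize(current)
    regressions = ordered_by_severity({k: cur[k] for k in cur.keys() - prev.keys()})
    fixed = ordered_by_severity({k: prev[k] for k in prev.keys() - cur.keys()})
    return regressions, fixed

# Constructed findings for two assessments of the same package (v1, then v2).
RUN_V1 = [
    Finding("cppcheck", "CWE-120", "src/parse.c", 42, "high"),
    Finding("clang", "CWE-120", "src/parse.c", 42, "medium"),
    Finding("gcc", "CWE-457", "src/util.c", 10, "low"),
]
RUN_V2 = [
    Finding("cppcheck", "CWE-120", "src/parse.c", 42, "high"),
    Finding("clang", "CWE-476", "src/net.c", 88, "high"),
    Finding("cppcheck", "CWE-561", "src/util.c", 3, "low"),
]

if __name__ == "__main__":
    new, gone = compare_runs(RUN_V1, RUN_V2)
    print("new since v1:", new)
    print("fixed since v1:", gone)
```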

When you consider how much effort would go into designing, installing, and configuring your own test environment, using the SWAMP instead is a “no-brainer.” So, if you’re developing serious commercial or open source applications and can’t afford to have software vulnerabilities affect your mission, you should get involved. The SWAMP offers 24/7 support, 365 days a year, and its staff are happy to “help users work through any problems they may be having.”

And the best thing about the SWAMP? It’s free!


Copyright © 2014 IDG Communications, Inc.