The Department of Homeland Security’s (DHS) Science & Technology Directorate (S&T) announced this week that the Software Assurance Market Place, or SWAMP, is open for business.
SWAMP is “an online, open-source, collaborative research environment that allows software developers and researchers to test their software for security weaknesses, improve tools by testing against a wide range of software packages, and interact and exchange best practices to improve software assurance tools and techniques,” DHS S&T said.
“The goal of the SWAMP is to aid in the development of a healthier and safer cyber environment, and that starts with creating better quality software,” said Kevin Greene, DHS S&T Cyber Security Division SWAMP Program Manager. “We’re doing something unique, we’re providing software developers the opportunity to test software and leverage multiple software analysis tools together in one space to improve the accuracy of their results.”
According to S&T, “Built in a high-performance computing environment, the SWAMP allows users to leverage a wide-range of software packages, test cases and community projects while addressing weaknesses within the software through an assessment platform comprised of five open-source tools — PMD, FindBugs, CppCheck, GCC and Clang, as well as more than 100 open-source software packages. In the future, the tool repository will expand to include dynamic and binary code assessments, commercial software analysis tools, new platforms — including mobile — and offer Application Programming Interfaces (APIs) for third-party services and to support continuous integration as part of the software development process.
According to Greene, the SWAMP’s designers went to great lengths to ensure the site was secure, including implementation of identity-based controls to protect submitters’ intellectual property. Software may be submitted either as public or private, based on the submitter’s desired security level. For software packages that are private, only those who are granted access by the project owner may access the results. Public packages rely on a crowdsourcing approach and encourage technical exchange and collaboration, resulting in better quality open-source software.
“Software requires several checks and balances during the development phase,” Greene said. “Likewise, if someone is developing software for you, you would need to validate whether that software can be trusted. The SWAMP serves as a resource to vet software and ensure it meets individual security requirements before installed.”
The SWAMP was made available to users in February 2014, and has been drawing a great deal of interest from academia, federal government, industry and freelance software developers S&T said.
“Since then, users have been registering and uploading software packages and testing and vetting software for weaknesses that could lead to vulnerabilities. Software developers who test their software early and often can decrease the cost of software failure, weed out common bugs and contribute to community-wide cyber knowledge,” DHS said.
For more information on the SWAMP, visit https://continuousassurance.org. To access the SWAMP, visit https://www.mir-swamp.org.