National, shared software assurance facility, ‘SWAMP,’ launches

Cybercrime is a booming, estimated $100 billion industry in the United States and shows no signs of slowing down.

Attackers have an arsenal of weapons at their disposal, including social engineering (for example, phishing), penetrating weak security protocols and exploiting software vulnerabilities that can serve as an “open window” into an organization’s information technology environment.

Closing those windows requires effective and accessible tools to identify and root out software vulnerabilities.

The Software Assurance Marketplace, or the “SWAMP,” has created a resource to address this growing need that will be publicly available and free to the community beginning today (Monday, Feb. 3).

Supported by a $23.4 million grant from the Department of Homeland Security’s (DHS) Science and Technology Directorate, the SWAMP provides a state-of-the-art facility that serves as an open resource for software developers, software assurance tool developers and software researchers who wish to collaborate and improve software assurance activities in a safe, secure environment.

From the very early stages of a project and throughout its entire life cycle, the SWAMP offers continuous, automated access to a rich and evolving set of assessment capabilities.

Located in Madison, Wis. and designed by researchers from the Morgridge Institute for Research, the University of Wisconsin–Madison, Indiana University and the University of Illinois, Champaign-Urbana, the SWAMP provides a suite of assurance tools and software packages that serve to identify vulnerabilities and reduce false positives.


According to SWAMP’s director and chief technology officer, Miron Livny, “The magnitude of our national software assurance problem requires a comprehensive approach backed by a powerful facility that addresses all dimensions of the problem — integrated education, better tools and wider adoption.”

The initial operating capability of the SWAMP enables the assessment of Java, C and C++ software against five static analysis tools. Results are displayed via Secure Decisions’ CodeDx vulnerability results viewer, which was developed through DHS S&T’s Small Business Innovation Research program.

According to DHS software assurance program manager, Kevin Greene, “We see widespread adoption of the SWAMP as having a profound, positive impact on software systems and applications that power our critical infrastructure. Better assurance practices lead to better security; it’s that simple.”

He adds, “The SWAMP collaboration is a great example of the public and private sector coming together to advance improvements in software assurance activities to deal with emerging cyber threats.”

The SWAMP’s initial assurance tools include FindBugs, PMD, Clang, CppCheck and GCC, with a choice of eight platforms. During the five-year project, SWAMP will add multiple assessment capabilities, including mobile, dynamic and binary analysis tools.

DHS Software Assurance Marketplace’s program manager, Kevin E. Greene, can be reached at

SWAMP is housed in and supported by the Morgridge Institute for Research.