The estimated $100 billion-plus cybercrime industry in the United States thrives on rooting out software vulnerability, making the booming open source software market a ripe target.
Typically created as free, collaborative efforts among passionate communities of developers, open source software is now both widespread and highly innovative, producing many household-name applications such as Mozilla, WordPress, Linux, Ruby and Minecraft. But awareness of how to protect open-source code from malicious intent has not kept pace.
The University of Wisconsin–Madison and the Morgridge Institute for Research are home to what may become a transformative cyber-security resource called the Software Assurance Marketplace, or SWAMP. The team is developing an integrated network of assurance tools that provide a simple, one-stop resource for developers. The big advantage is saving open-source developers time and money, while creating more accurate assessments.
Assurance tools identify vulnerable code and provide a high level of confidence that software systems will perform as designed.
“Everyone from a major corporate developer to the guy writing code in his basement is welcome to come in and assess with us,” says Patrick Beyer, project manager for the SWAMP.
The SWAMP will begin beta testing later this month — which is Cyber Security Awareness Month in Wisconsin — with a goal of being live and fully operational by Jan. 27, 2014. Software developers who are interested in joining the beta testing effort are encouraged to contact the team.
“To adequately assess your software, you have to do it within more than one tool and more than one operating system,” says Beyer. “There are free open source assurance tools out there, but you need to download all of them and have them running correctly. It takes a lot of time.”
Given the low awareness of assurance systems, many in the open source community pass altogether on this critical step. “We have set up the SWAMP so that anyone can select a piece of code, load it into our system and run it against any of our assessment tools,” Beyer says. “They will get a confidential assessment report that ranks vulnerability from severe to moderate.”
SWAMP is funded by a $25 million grant from the Department of Homeland Security, which wants to create an assurance culture to improve software running everything from the national power grid to medical devices and medical records. The agency’s overriding goals are greater adoption of assurance standards and better tools for assessment, especially as medical and governmental usage of open-source grows.
A 2013 study sponsored by HP determined that a successful cyber-attack on a company takes an average of $1 million to fully resolve.
Once operational, the SWAMP will turn attention to technology that improves assurance in mobile platforms and explore vulnerabilities in dynamic settings, while software is running.