SWAMP expands portfolio of open-access software assurance tools

The Software Assurance Marketplace (SWAMP) has added three new services to its suite of assurance offerings, including support for software written in Ruby, support for Android software written in Java, and access to Parasoft’s Jtest and C/C++test static analysis tools.

The new services are a big step in ongoing efforts by the SWAMP team of researchers, developers, and operators to meet the growing demand for easier access to a diverse range of software assurance capabilities through an open and dependable facility.

Ruby joins Python as the second scripting language supported by the SWAMP and provides the necessary stepping-stone for Ruby on Rails support, scheduled for launch later this summer. Support for the JavaScript and PHP languages is under development. By the end of 2015, the SWAMP facility will support a total of eight languages.

Through a partnership with Parasoft, an independent software vendor, SWAMP users can for the first time include results from commercial tools in their search for weaknesses in their software. Alongside the existing open-source tools, Parasoft’s Jtest and C/C++test are the first commercial static analysis tools offered to SWAMP users, strengthening multi-tool support for the Java and C/C++ programming languages.

“With the help of Secure Decision’s Code Dx, Java and C/C++ developers can concurrently use multiple tools to analyze their code,” says Bart Miller, chief scientist of the SWAMP. “These include five tools for Java, four tools for C/C++, and one for Android-specific Java programs.”

Support for Android software opens the door for a new segment of the software developer community to benefit from the SWAMP services, adds Miller. Android application developers who write in Java can now use the tools supported by the SWAMP to continuously analyze their code for potential weaknesses. “Because each tool looks at the software differently, multiple analysis runs increase the likelihood of finding a weakness or vulnerability in the software being scanned,” says Miller.

Arthur Hicken, chief evangelist of Parasoft, says that static code analysis has proven to be the best technology to help software development teams get out in front of security problems and harden their code.

“We’re excited to be working with the SWAMP and having our static analysis tools included in their offerings,” Hicken says. “The opportunities for developers to produce better code, as well as feedback for tool vendors such as ourselves, makes everyone’s software more secure.”

Adds Miron Livny, director of the SWAMP, housed at the Morgridge Institute for Research in Madison: “We are very pleased to have Parasoft as partners in offering the open source developer and education communities easy access to a rich and powerful suite of analysis tools. It takes a broad coalition of academic and commercial organizations to increase the impact of software assurance technologies on the security of our infrastructure.”

Four additional static analysis tools — Ruby-lint, RuboCop, Reek, and Android lint — have been added this year, bringing the total to 16 software analysis tools offered by the SWAMP. Over the next quarter, the SWAMP team will continue to add supported languages (JavaScript, Groovy, PHP) and analysis tools (Red Lizard’s Goanna, Brakeman, dawnscanner, CodeNarc, JavaScript Lint, JSHint, PHP CodeSniffer, and RIPS).

About the SWAMP

SWAMP (Software Assurance Marketplace) is a joint effort of four research institutions – Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin–Madison – to advance the capabilities and increase the adoption of software assurance technologies through an open continuous assurance facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. The SWAMP facility, which went live in February 2014, offers free services that include access to 16 software assurance tools; a library of more than 280 open-source code samples with known vulnerabilities, intended to help developers improve the quality of their static and dynamic testing tools; project management and automation tools; and high-throughput computing capacity.