
Getting to Know the Software Assurance Marketplace (SWAMP) by Pat Beyer


OWASP Montreal - February 3rd - Getting to Know the Software Assurance Marketplace (SWAMP)
MAIN PRESENTER: Pat Beyer
ADDITIONAL PRESENTER: Abe Megahed
ABSTRACT: The Software Assurance Marketplace (SWAMP) is an open facility that is designed, built, and operated by four research institutions. The SWAMP provides no-cost access to an array of open-source and commercial software analysis tools. This presentation will provide an overview and demo of the SWAMP, including our goals, intended audience, current capabilities, and future plans. We will cover our relationship with OWASP, incorporation of open-source software assurance tools, and status as an open-source project and resource available to the software community. Visit https://continuousassurance.org/ to learn more about us.
BIO: Pat Beyer serves as the Product Manager for the Software Assurance Marketplace (SWAMP). With over 25 years of experience successfully managing multi-million dollar global projects, Beyer’s expertise extends to the IT, construction, and operations sectors, with a specialization in managing government contracts and grants. A gifted communicator, Beyer is a sought-after speaker due to his ability to deliver complex information about technology products and services in a way that is easily understood. He is a decorated combat veteran of the Global War on Terror, the international military campaign that started following the 9/11 terrorist attacks on the United States. In 2004, he constructed and rehabilitated over 20 schools, clinics, and water treatment plants for the Iraqi people using local contractors. Beyer also holds a Bachelor of Science, a Master’s in Business Administration, a Ph.D. in Organization and Management, and a Project Management Professional (PMP) certification.
BIO: Abe Megahed is a web developer for the Software Assurance Marketplace. In previous lifetimes, he has been a computer graphics researcher, a game programmer, a programming language and compiler nerd, a dot com company founder, a creator of helicopter simulations, and a developer of 3D simulations for NASA astronaut crew training.
WHEN: Tuesday, February 3rd 2015
WHERE: Room PK-1140 - UQAM Pavillon Président-Kennedy, 201 Avenue du Président-Kennedy J2X 3Y7
WEBCAST: https://www.youtube.com/watch?v=p4_vjufcB6Q

OWASP Montréal

February 03, 2015

Transcript

  1. Getting to Know the SWAMP
    (Software Assurance Marketplace)
    Pat Beyer, Project Manager
    Abe Megahed, Web Developer
    Ally Miller, Administrative Assistant

  2. Software Assurance (SwA) Challenges
    • The world is software-centric. There are numerous entry points for a variety of attacks
    against confidential data and physical resources. Many software vulnerabilities and
    weaknesses exist while more continue to emerge.
    • Not enough developers are trained and equipped to build secure code.
    • Educators need to expose their students to software assurance technologies.
    • Software developers need effective continuous software assurance capabilities to
    integrate into their development workflows.
    • Consumers of software components need services to evaluate the quality of the
    components they deploy or integrate into their software stack.
    • Tool developers need an effective means to continuously evaluate their technologies.
    • Challenges with software assessment tools:
      • Each tool has its strengths, but no single tool is good at everything.
      • Configuring, maintaining, and using tools is cumbersome and time-consuming.

  3. Goals of the SWAMP
    • Simplify and automate the task of applying a broad spectrum of software analysis tools
    to software packages throughout the development lifecycle
    • Deliver assessment results to the user in a way that is easy to understand
    • Lower the obstacles to performing software security assessments
    • Provide a resource for organizations and open-source developers to institute software
    assurance practices
    • Improve software security assessment tools
    • Promote continuous software assurance: “Do it early, and do it often.”
    • Foster more secure deployed software
    • Integrate secure software coding practices into the classroom
    • Allow users to collaborate and share SwA products and methodologies
    • Serve as a testing and evaluation ground for new and mature software assurance tools
    and technologies

  4. About Us
    • Operational since February 2014
    • Funded by a 5-year grant from the U.S. Department of Homeland Security
    • A joint effort of 4 research institutions:
      • Morgridge Institute for Research (infrastructure, UI, testing)
      • University of Illinois Urbana-Champaign (identity management, testing)
      • University of Wisconsin-Madison (framework: tools, languages, platforms)
      • Indiana University (cybersecurity, support)
    • Secure and dependable facility hosted at the Morgridge Institute for Research
    • Principal Investigators: Miron Livny (MIR), Jim Basney (UIUC), Bart Miller (UW), Von Welch (IU)

  5. Welcome to the SWAMP
    • Support for 4 languages: C/C++, Java source, Java bytecode, Python
    • Support for 10 platforms: 9 varieties of Linux plus Android
    • 12 static software analysis tools are available for public use:
      • C/C++: Clang Static Analyzer, CppCheck, GCC warnings, Parasoft C/C++test
      • Java: FindBugs with Find Security Bugs, PMD, Checkstyle, error-prone, Parasoft Jtest
      • Python: Pylint, Bandit
      • Android Lint
    • Agreements with 4 commercial tool vendors to add their tools:
      • C/C++test and Jtest (Parasoft) are available now
      • Code Sonar (GrammaTech), Goanna (Red Lizard), and SAST (Veracode) in 2015
    • 400+ software packages are available for public use:
      • NIST Juliet and SATE test suites for C/C++ and Java
      • SWAMP curated packages
    • Supported platforms, tools, and packages are maintained by the SWAMP

  6. Welcome to the SWAMP
    • The fully-integrated results viewer, CodeDx (Secure Decisions), consolidates and
    prioritizes vulnerabilities from multiple tools to significantly simplify remediation
    • Support for GitHub identities, uploading packages from repositories, and pulling
    packages from public repositories
    • Powerful high-throughput computing capabilities: 700 cores, 5 TB of RAM, 104 TB of
    HDD space, off-site backup, industry-leading networking technologies
    • Scheduling feature for automated continuous software assurance
    • Maintain confidentiality of software and results at the discretion of the user
    • Managed sharing of tools, software packages, and results
    • Audience: Software Developers, Software Assurance Tool Developers, Software
    Assurance Tool Researchers, Infrastructure Operators, Educators and Students

  7. Key Attributes
    • Highly automated
      • If you can compile your tool in the SWAMP, all else is automated.
    • Secure
      • Strong sandboxing: all executions in single-use virtual machines
    • Private (if you wish)
      • Share your tool, app, or data if and when you choose.
    • Open
      • Lots of tools, lots of apps, lots of anonymized assessment data
    • A resource
      • Software to help make your job easier; people to advise you
    • A community
      • Join and leverage other like-minded users online and in person.

  8. A Software Developer’s Goals
    • Improve the security and quality of their software
    • Do it easily: automated application of SwA tools
    • Do it early: incorporate SwA tools throughout the software development lifecycle
    • Do it often: continuous assurance
    • Develop code that is consistent, stable, reliable, and maintainable

  9. What SWAMP Can Do for Developers
    • Automates building packages on SWAMP platforms
    • Automates assessing software packages in C/C++, Java, or Python with tools in the
    SWAMP
      • SWAMP-managed SwA tools
      • SwA tool from SWAMP user
    • Analyzes results
      • View weakness results
      • View integrated multi-tool results from the same version of a package
      • Compare results between package versions
      • Inter-tool result viewing
      • Data analytics for software engineering uses
    • Protects privacy of results
    • New SwA tool types
    • Free access to commercial tools for open-source developers

  10. A SwA Tool Developer’s Goals
    • Improve the quality of the SwA tool
      • Find more weaknesses (increase true positives)
      • Reduce incorrect reports (decrease false positives)
      • Enable continuous assurance
    • Increase user base for the tool
      • Easy-to-use and powerful interfaces
      • Easy integration with a user's software
        • Building packages
        • Running tools
      • Powerful results viewer
      • Showcase the tool

  11. Capabilities for SwA Tool Developers
    • A SwA Tool Developer is a Software Developer
    • Automates building tools on SWAMP platforms
    • Automates testing against software packages in the SWAMP repository
      • Real-world packages
      • Synthetic test cases (NIST SRD)
      • Developer-provided
    • Analyzes results
      • View weaknesses
      • Compare results to previous runs
      • Compare results to other SwA tools
    • A repository for results
    • Makes tool available to other SWAMP users

  12. An Infrastructure Operator’s Goals
    • Solve supply chain problems
    • Different skills from other communities
      • Did not write software
      • Probably not a software developer
      • May not have source code
    • Assurance that software meets the requirements of the acquirer
    • Security and quality weaknesses limit
      • Accidental or malicious introduction
    • Need to apply to the entire chain of software suppliers, whenever an element of that
    chain is updated
    • Allow the software supplier to share their software assurance process
    • Require a high degree of automation and record keeping in the assessment process

  13. Capabilities for Infrastructure Operators
    • Supports third-party assessments, so SWAMP can provide assurance evidence to
    acquirer
    • Subscriptions to continuous package assessments
    • Results presentation geared towards operator and decision maker, not developer

  14. Run the Tools Early, Run Them Often
    • Build in assurance from day 1 or the task becomes overwhelming for the programmer:
    dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
    dthread.h:132: warning: unused variable ‘result’
    dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
    dthread.h:140: warning: unused variable ‘result’
    src/irpc.C: In member function ‘void
    int_iRPC::setState(int_iRPC::State)’:
    src/irpc.C:118: warning: unused variable ‘old_state’
    src/irpc.C:119: warning: unused variable ‘new_state’
    src/irpc.C: In member function ‘bool int_iRPC::saveRPCState()’:
    src/irpc.C:714: warning: unused variable ‘result’
    src/irpc.C:723: warning: unused variable ‘result’
    src/irpc.C:736: warning: unused variable ‘result’
    src/irpc.C:1030: warning: unused variable ‘result’
    src/irpc.C:1041: warning: unused variable ‘result’
    src/irpc.C:1081: warning: unused variable ‘result’
    dyninst/proccontrol/src/response.h:35,
    dyninst/proccontrol/src/int_process.h:39,
    dyninst/proccontrol/src/mailbox.C:33:
    dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
    dthread.h:132: warning: unused variable ‘result’
    dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
    dthread.h:140: warning: unused variable ‘result’
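    The two slides above make one practical point: the weakness list of a package that has never been assessed is overwhelming, while a package assessed on every change only ever has to deal with the delta. The script below is an added example, not SWAMP code, that shows what "compare results between package versions" (slide 9) and "run them early, run them often" (slide 14) look like at the smallest scale: it parses GCC-style diagnostics in the `file:line: warning: message` format shown on slide 14, reports what was fixed and what was introduced between two builds, and applies a ratchet that fails a scheduled run if any (file, message) pair has become more frequent. The two build logs are constructed for the example and are not real Dyninst or SWAMP output.

```python
import re
from collections import Counter

# Constructed sample logs in the GCC diagnostic format shown on the slide
# (file:line: warning: message); they are not real SWAMP or Dyninst output.
OLD_BUILD_LOG = """\
dthread.h: In constructor 'ScopeLock::ScopeLock(Mutex&)':
dthread.h:132: warning: unused variable 'result'
dthread.h: In constructor 'ScopeLock::ScopeLock(CondVar&)':
dthread.h:140: warning: unused variable 'result'
src/irpc.C: In member function 'bool int_iRPC::saveRPCState()':
src/irpc.C:714: warning: unused variable 'result'
src/irpc.C:723: warning: unused variable 'result'
"""

NEW_BUILD_LOG = """\
dthread.h: In constructor 'ScopeLock::ScopeLock(Mutex&)':
dthread.h:132: warning: unused variable 'result'
src/irpc.C: In member function 'bool int_iRPC::saveRPCState()':
src/irpc.C:714: warning: unused variable 'result'
src/irpc.C:736: warning: unused variable 'result'
src/irpc.C:1030: warning: unused variable 'result'
"""

# One diagnostic line; the optional "col:" group also accepts newer GCC output.
WARNING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*warning:\s*(?P<msg>.+?)\s*$"
)


def parse_warnings(log):
    """Return the set of (file, line, message) triples found in a build log.
    Context lines such as "In constructor ..." carry no line number and are skipped."""
    found = set()
    for raw in log.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            found.add((m.group("file"), int(m.group("line")), m.group("msg")))
    return found


def count_by_file(warnings):
    """Per-file warning counts: the 'where do I start' view of a backlog."""
    return Counter(path for path, _, _ in warnings)


def compare_versions(old_log, new_log):
    """Split warnings into fixed / introduced / unchanged between two builds,
    matched on the exact (file, line, message) triple."""
    old_w, new_w = parse_warnings(old_log), parse_warnings(new_log)
    return {
        "fixed": old_w - new_w,
        "introduced": new_w - old_w,
        "unchanged": old_w & new_w,
    }


def ratchet_ok(old_log, new_log):
    """Gate for a scheduled run: pass only if no (file, message) pair occurs
    more often in the new build than in the old one. Line numbers are ignored
    so that an edit that shifts code down a file is not counted as new."""
    old_fp = Counter((path, msg) for path, _, msg in parse_warnings(old_log))
    new_fp = Counter((path, msg) for path, _, msg in parse_warnings(new_log))
    return all(new_fp[key] <= old_fp[key] for key in new_fp)


if __name__ == "__main__":
    delta = compare_versions(OLD_BUILD_LOG, NEW_BUILD_LOG)
    for kind in ("fixed", "introduced", "unchanged"):
        for path, line, msg in sorted(delta[kind]):
            print(f"{kind:10} {path}:{line}: {msg}")
    print("per-file:", dict(count_by_file(parse_warnings(NEW_BUILD_LOG))))
    print("ratchet passes:", ratchet_ok(OLD_BUILD_LOG, NEW_BUILD_LOG))
```

    On the sample logs the ratchet fails, because src/irpc.C went from two to three occurrences of the same message even though one warning in dthread.h was fixed; that is the behaviour a continuous-assurance gate needs, since a total count alone would have hidden the regression behind the fix. Matching on (file, message) rather than (file, line, message) is the design choice that makes the gate tolerate ordinary edits; a SWAMP-style viewer that must show a developer exactly which line changed would keep the exact triple, as `compare_versions` does.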

  15. Continuous Assurance:
    Do it Early and Do it Often

  16. OWASP & Openness
    • OWASP member since 2013
    • Establishing the SWAMP as an OWASP Project (application submitted on Jan. 27, 2015)
    • GitHub: mirswamp
    • Hope to have SWAMP code available to view by the end of February
    • Run our own code through the SWAMP
    • Managed as an open-source project
    • All software is released under Apache 2.0 license
    • No-cost software assurance resource available to everyone
    • Commercial software analysis tools available to open-source developers at no cost
    • Integration of open-source software analysis tools and platforms
    • Support for multiple tools/viewers that integrate and interpret the output of SwA
    assurance tools
    • Vendor-neutral
    • Active community interaction to identify trends, promote adoption, and collect feedback
    • User needs and input drive SWAMP development!

  17. Recent News/Development
    • Code reviewed for open-source and OWASP Project submission
    • Support for GitHub
      • Use GitHub account for SWAMP access
      • Pull packages from public repositories
    • Support for commercial tool: C/C++test and Jtest from Parasoft
    • Support for Python
      • Pylint tool
      • Bandit tool for Python 2
    • Support for Android on Ubuntu platform
      • Android Lint tool for Android Java Source
    • Updated version of CodeDx
    • “No Build” option

  18. Development Timeline

  19. [Roadmap chart, CY 2014, dated 6 February 2015. Rows: FEATURES, TOOLS, LANGUAGES / ENVIRONMENTS, OPERATIONAL IMPROVEMENTS; columns: Q1, Q2, Q3, Q4; releases V1.05 through V1.13. Row and quarter positions are not preserved in this transcript.]
    Items shown: IOC; CppCheck; PMD; FindBugs; Oink; Clang; C / C++; Java; SAST; Native Results Viewer; Trust and Reputation System *; Archie (Private); ErrorProne; Checkstyle; Email Notifications; iVM; GitHub Authentication; PyLint; Python; Parasoft J-Test and C-Test; Automated Git Repository Pulls; Secure Decisions CodeDx
    Ongoing: Maintain / expand reference result sets. Provide user support. Maintain SWAMP infrastructure.
    * Initial functionality will occur by the added date, but increases in functionality will occur over many releases. A multi-step process that is spread out over many releases.


  20. [Roadmap chart, CY 2015, dated 6 February 2015. Rows: FEATURES, TOOLS, LANGUAGES / ENVIRONMENTS, OPERATIONAL IMPROVEMENTS; columns: Q1, Q2, Q3, Q4; releases V1.14 through V2.03. Row and quarter positions are not preserved in this transcript.]
    Items shown: Veracode; Import External Results; Ability to make results public; RedLizard Goanna; TOIF; Denim Group ThreadFix; Dynamic Analysis; Mobile Code Analysis (iOS); iOS; OCLint; Objective C; Mac OSX; C#; C# Tool TBD; .NET; Windows; JavaScript Tool TBD; JavaScript; PHP Tool TBD; PHP; User Tool Automated Upload; Commercial Tool TBD; Dynamic Analysis Tool TBD (two entries); OWASP Project Submission; Open source repository; Assessments; Admin Dashboard; Metric Reporting; Android Lint; Reference Tool; Blue Jay Plugin; Eclipse Plugin; Mobile Code Analysis (Android); Android; GrammaTech Code Sonar; SWAMP API *; SWAMP Open Source release; Flake 8 Python tool; Java tool updates
    Ongoing: Maintain / expand reference result sets. Provide user support. Maintain SWAMP infrastructure.
    * Initial functionality will occur by the added date, but increases in functionality will occur over many releases. A multi-step process that is spread out over many releases.


  21. [Roadmap chart, CY 2016, dated 6 February 2015. Rows: FEATURES, TOOLS, LANGUAGES / ENVIRONMENTS, OPERATIONAL IMPROVEMENTS; columns: Q1, Q2, Q3, Q4; releases V2.04 through V2.15. Row and quarter positions are not preserved in this transcript.]
    Items shown: Commercial Tool TBD (two entries); Dynamic Analysis Tool TBD (two entries); Static Analysis Tool TBD (two entries); Software Package Subscriptions; Summary results Reporting; Hybrid Analysis; Exploit and Vulnerability Database; Language TBD (four entries)
    Ongoing: Maintain / expand reference result sets. Provide user support. Maintain SWAMP infrastructure.
    * Initial functionality will occur by the added date, but increases in functionality will occur over many releases. A multi-step process that is spread out over many releases.


  22. Release Schedule (as of 6 February 2015)
    Version  Release Date
    v1.04 3/25/14
    v1.05 4/15/14
    v1.06 4/29/14
    v1.07 6/10/14
    v1.08 7/15/14
    v1.09 8/19/14
    v1.10 9/11/14
    v1.11 10/16/14
    v1.12 11/24/14
    v1.13 12/18/14
    v1.14 1/20/15
    v1.15 2/10/15
    v1.16 3/10/15
    v1.17 4/7/15
    v1.18 5/5/15
    v1.19 6/9/15
    v2.00 7/14/15
    v2.01 8/11/15
    v2.02 9/15/15
    v2.03 10/13/15

  23. Short Term Vision
    • User interface improvements
    • Commercial Tool integration:
      • Code Sonar (GrammaTech)
      • Goanna (Red Lizard)
      • SAST (Veracode)
    • Plug-ins for IDEs: Eclipse, IntelliJ IDEA, BlueJ
    • SWAMP API
    • Addition of DAST
    • Offer ThreadFix Vulnerability Management Tool (Denim Group)

  24. Long Term Vision
    • Support for a large variety of commercial and open-source static, binary, and dynamic
    analysis tools
    • Support for iOS, MacOSX, and Windows platforms
    • Support for a large number of programming languages
    • Integration with multiple code repositories
    • Automated scheduled software analysis of the latest code version in a public or private
    repository
    • Deployment of local/private SWAMP installations for sensitive software

  25. Demo
    • Using the SWAMP
    • Sneak peek of new UI (Coming next week: Feb. 10th)

  26. Demo

  27. Demo

  28. Demo

  29. Contacts
    Join the SWAMP at
    https://continuousassurance.org!
    • Project Manager, Pat Beyer [email protected]
    • Web Developer, Abe Megahed [email protected]
    • General [email protected]
    • SWAMP 24/7 Support [email protected]
    +1 317-274-3942

  30. Thank Yous
    • Jonathan Marcil, for inviting us and coordinating our visit
    • OWASP-Montreal chapter, for sharing this meeting
    • YOU, for your time and attention

  31. Questions
    • FAQs