Getting to Know the Software Assurance Marketplace (SWAMP) by Pat Beyer

OWASP Montreal - February 3rd - Getting to Know the Software Assurance Marketplace (SWAMP)
ABSTRACT: The Software Assurance Marketplace (SWAMP) is an open facility that is designed, built, and operated by four research institutions. The SWAMP provides no-cost access to an array of open-source and commercial software analysis tools. This presentation will provide an overview and demo of the SWAMP, including our goals, intended audience, current capabilities, and future plans. We will cover our relationship with OWASP, incorporation of open-source software assurance tools, and status as an open-source project and resource available to the software community. Visit https://continuousassurance.org/ to learn more about us.
BIO: Pat Beyer serves as the Product Manager for the Software Assurance Marketplace (SWAMP). With over 25 years of experience successfully managing multi-million dollar global projects, Beyer’s expertise extends to the IT, construction, and operations sectors, with a specialization in managing government contracts and grants. A gifted communicator, Beyer is a sought-after speaker due to his ability to deliver complex information about technology products and services in a way that is easily understood. He is a decorated combat veteran of the Global War on Terror, the international military campaign that started following the 9/11 terrorist attacks on the United States. In 2004, he constructed and rehabilitated over 20 schools, clinics, and water treatment plants for the Iraqi people using local contractors. Beyer also holds a Bachelor of Science, a Masters in Business Administration, a Ph.D. in Organization and Management, and a Project Management Professional (PMP) certification.
BIO: Abe Megahed is a web developer for the Software Assurance Marketplace. In previous lifetimes, he has been a computer graphics researcher, a game programmer, a programming language and compiler nerd, a dot com company founder, a creator of helicopter simulations, and a developer of 3D simulations for NASA astronaut crew training.
WHEN: Tuesday, February 3rd 2015
WHERE: Room PK-1140 - UQAM Pavillon Président-Kennedy, 201 Avenue du Président-Kennedy J2X 3Y7
WEBCAST: https://www.youtube.com/watch?v=p4_vjufcB6Q


OWASP Montréal

February 03, 2015


  1. Getting to Know the SWAMP (Software Assurance Marketplace)

    Pat Beyer, Project Manager; Abe Megahed, Web Developer; Ally Miller, Administrative Assistant
  2. Software Assurance (SwA) Challenges

    • The world is software-centric. There are numerous entry points for a variety of attacks against confidential data and physical resources. Many software vulnerabilities and weaknesses exist while more continue to emerge.
    • Not enough developers are trained and equipped to build secure code.
    • Educators need to expose their students to software assurance technologies.
    • Software developers need effective continuous software assurance capabilities to integrate into their development workflows.
    • Consumers of software components need services to evaluate the quality of the components they deploy or integrate into their software stack.
    • Tool developers need an effective means to continuously evaluate their technologies.
    • Challenges with software assessment tools:
      • Each tool has its strengths, but no single tool is good at everything.
      • Configuring, maintaining, and using tools is cumbersome and time-consuming.
  3. Goals of the SWAMP

    • Simplify and automate the task of applying a broad spectrum of software analysis tools to software packages throughout the development lifecycle
    • Deliver assessment results to the user in a way that is easy to understand
    • Lower the obstacles to performing software security assessments
    • Provide a resource for organizations and open-source developers to institute software assurance practices
    • Improve software security assessment tools
    • Promote continuous software assurance: “Do it early, and do it often.”
    • Foster more secure deployed software
    • Integrate secure software coding practices into the classroom
    • Allow users to collaborate and share SwA products and methodologies
    • Serve as a testing and evaluation ground for new and mature software assurance tools and technologies
  4. About Us

    • Operational since February 2014
    • Funded by a 5-year grant from the U.S. Department of Homeland Security
    • A joint effort of 4 research institutions:
      • Morgridge Institute for Research (infrastructure, UI, testing)
      • University of Illinois Urbana-Champaign (identity management, testing)
      • University of Wisconsin-Madison (framework: tools, languages, platforms)
      • Indiana University (cybersecurity, support)
    • Secure and dependable facility hosted at the Morgridge Institute for Research
    • Principal Investigators: Miron Livny, MIR; Jim Basney, UIUC; Bart Miller, UW; Von Welch, IU
  5. Welcome to the SWAMP

    • Support for 4 languages: C/C++, Java source, Java bytecode, Python
    • Support for 10 platforms: 9 varieties of Linux plus Android
    • 12 static software analysis tools are available for public use:
      • C/C++: Clang Static Analyzer, CppCheck, GCC warnings, Parasoft C/C++test
      • Java: FindBugs with Find Security Bugs, PMD, Checkstyle, error-prone, Parasoft Jtest
      • Python: Pylint, Bandit
      • Android Lint
    • Agreements with 4 commercial tool vendors to add their tools:
      • C/C++test and Jtest (Parasoft) are available now
      • Code Sonar (GrammaTech), Goanna (Red Lizard), and SAST (Veracode) in 2015
    • 400+ software packages are available for public use:
      • NIST Juliet and SATE test suites for C/C++ and Java
      • SWAMP curated packages
    • Supported platforms, tools, and packages are maintained by the SWAMP
  6. Welcome to the SWAMP

    • The fully-integrated results viewer, CodeDx (Secure Decisions), consolidates and prioritizes vulnerabilities from multiple tools to significantly simplify remediation
    • Support for GitHub identities, uploading packages from repositories, and pulling packages from public repositories
    • Powerful high-throughput computing capabilities: 700 cores, 5 TB of RAM, 104 TB of HDD space, off-site backup, industry-leading networking technologies
    • Scheduling feature for automated continuous software assurance
    • Maintain confidentiality of software and results at the discretion of the user
    • Managed sharing of tools, software packages, and results
    • Audience: Software Developers, Software Assurance Tool Developers, Software Assurance Tool Researchers, Infrastructure Operators, Educators and Students
  7. Key Attributes

    • Highly automated
    • If you can compile your tool in the SWAMP, all else is automated.
    • Secure
    • Strong sandboxing: all executions in single-use virtual machines
    • Private (if you wish)
    • Share your tool, app, or data if and when you choose.
    • Open
    • Lots of tools, lots of apps, lots of anonymized assessment data
    • A resource
    • Software to help make your job easier; people to advise you
    • A community
    • Join and leverage other like-minded users online and in person.
  8. A Software Developer’s Goals

    • Improve the security and quality of their software
    • Do it easily: automated application of SwA tools
    • Do it early: incorporate SwA tools throughout the software development lifecycle
    • Do it often: continuous assurance
    • Develop code that is consistent, stable, reliable, and maintainable
  9. What SWAMP Can Do for Developers

    • Automates building packages on SWAMP platforms
    • Automates assessing software packages in C/C++, Java, or Python with tools in the SWAMP
    • SWAMP-managed SwA tools
    • SwA tool from SWAMP user
    • Analyzes Results
    • View weakness results
    • View integrated multi-tool results from the same version of a package
    • Compare results between package versions
    • Inter-tool result viewing
    • Data analytics for software engineering uses
    • Protects privacy of results
    • New SwA tool types
    • Free access to commercial tools for open-source developers
  10. A SwA Tool Developer’s Goals

    • Improve the quality of the SwA tool
    • Find more weaknesses (increase true positives)
    • Reduce incorrect reports (decrease false positives)
    • Enable continuous assurance
    • Increase user base for the tool
    • Easy-to-use and powerful interfaces
    • Easy integration with a user's software
    • Building packages
    • Running tools
    • Powerful results viewer
    • Showcase the tool
  11. Capabilities for SwA Tool Developers

    • A SwA Tool Developer is a Software Developer
    • Automates building tools on SWAMP platforms
    • Automates testing against software packages in the SWAMP repository
    • Real-world packages
    • Synthetic test cases (NIST SRD)
    • Developer-provided
    • Analyzes results
    • View weaknesses
    • Compare results to previous runs
    • Compare results to other SwA tools
    • A repository for results
    • Makes tool available to other SWAMP users
  12. An Infrastructure Operator’s Goals

    • Solve supply chain problems
    • Different skills from other communities
    • Did not write software
    • Probably not a software developer
    • May not have source code
    • Assurance that software meets the requirements of the acquirer
    • Security and quality weaknesses limit
    • Accidental or malicious introduction
    • Need to apply to the entire chain of software suppliers, whenever an element of that chain is updated
    • Allow the software supplier to share their software assurance process
    • Require a high degree of automation and record keeping in the assessment process
  13. Capabilities for Infrastructure Operators

    • Supports third-party assessments, so SWAMP can provide assurance evidence to acquirer
    • Subscriptions to continuous package assessments
    • Results presentation geared towards operator and decision maker, not developer
  14. Run the Tools Early, Run Them Often

    • Build in assurance from day 1 or the task becomes overwhelming for the programmer:

      dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
      dthread.h:132: warning: unused variable ‘result’
      dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
      dthread.h:140: warning: unused variable ‘result’
      src/irpc.C: In member function ‘void int_iRPC::setState(int_iRPC::State)’:
      src/irpc.C:118: warning: unused variable ‘old_state’
      src/irpc.C:119: warning: unused variable ‘new_state’
      src/irpc.C: In member function ‘bool int_iRPC::saveRPCState()’:
      src/irpc.C:714: warning: unused variable ‘result’
      src/irpc.C:723: warning: unused variable ‘result’
      src/irpc.C:736: warning: unused variable ‘result’
      src/irpc.C:1030: warning: unused variable ‘result’
      src/irpc.C:1041: warning: unused variable ‘result’
      src/irpc.C:1081: warning: unused variable ‘result’
      dyninst/proccontrol/src/response.h:35,
      dyninst/proccontrol/src/int_process.h:39,
      dyninst/proccontrol/src/mailbox.C:33:
      dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
      dthread.h:132: warning: unused variable ‘result’
      dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
      dthread.h:140: warning: unused variable ‘result’
  15. Continuous Assurance: Do it Early and Do it Often

  16. OWASP & Openness

    • OWASP member since 2013
    • Establishing the SWAMP as an OWASP Project (application submitted on Jan. 27, 2015)
    • GitHub: mirswamp
    • Hope to have SWAMP code available to view by the end of February
    • Run our own code through the SWAMP
    • Managed as an open-source project
    • All software is released under Apache 2.0 license
    • No-cost software assurance resource available to everyone
    • Commercial software analysis tools available to open-source developers at no cost
    • Integration of open-source software analysis tools and platforms
    • Support for multiple tools/viewers that integrate and interpret the output of SwA assurance tools
    • Vendor-neutral
    • Active community interaction to identify trends, promote adoption, and collect feedback
    • User needs and input drive SWAMP development!
  17. Recent News/Development

    • Code reviewed for open-source and OWASP Project submission
    • Support for GitHub
    • Use GitHub account for SWAMP access
    • Pull packages from public repositories
    • Support for commercial tool: C/C++test and Jtest from Parasoft
    • Support for Python
    • Pylint tool
    • Bandit tool for Python 2
    • Support for Android on Ubuntu platform
    • Android Lint tool for Android Java Source
    • Updated version of CodeDx
    • “No Build” option
  18. Development Timeline

    [Three timeline charts, each dated 6 February 2015, with a quarterly axis (Q4 shown). Footnote on each chart: *Initial functionality will occur by the added date, but increases in functionality will occur over many releases. Multi-step process and is spread out over many releases. Chart labels are listed below in extraction order; their positions on the timeline are not recoverable.]

    CY 2014 (V1.05 V1.06 V1.07 V1.08 V1.09 V1.10 V1.11 V1.12 V1.13): IOC; CPPCHECK; PMD; Find Bugs; Oink; Clang; C / C++; Java; SAST; Native Results Viewer; Trust and Reputation System *; Archie (Private); ErrorProne; Checkstyle; Email Notifications; iVM; GitHub Authentication; PyLint; Python; Parasoft J-Test C-Test; Automated Git Repository Pulls; Secure Decisions CodeDx; Maintain / expand reference result sets; Provide User support; Maintain SWAMP Infrastructure

    CY 2015 (V1.14 V1.15 V1.16 V1.17 V1.18 1.19 V1.20 V1.21 V2.00 V2.01 V2.02 V2.03): VERACODE; Import External results; Ability To make Results Public; RedLizard Goanna; TOIF; Denim Group ThreadFix; Dynamic Analysis; Mobile Code Analysis (iOS); iOS; OCLint; Objective C; Mac OSX; C#; C# Tool TBD; .NET; Windows; JavaScript Tool TBD; Javascript; PHP Tool TBD; PHP; User Tool Automated Upload; Commercial Tool TBD; Dynamic Analysis Tool TBD; Dynamic Analysis Tool TBD; OWASP Project Submission; Open source repository Assessments; Maintain / expand reference result sets; Provide User support; Admin Dashboard; Metric Reporting; Maintain SWAMP Infrastructure; Android Lint; Reference Tool; Blue Jay Plugin; Eclipse Plugin; Mobile Code Analysis (Android); Android; Grammatech Code Sonar; SWAMP API *; Swamp Open Source release; Flake 8 Python tool; Java tool updates

    CY 2016 (V2.04 V2.05 V2.06 V2.07 V2.08 V2.09 V2.10 V2.11 V2.12 V2.13 V2.14 V2.15): Commercial Tool TBD; Commercial Tool TBD; Dynamic Analysis Tool TBD; Dynamic Analysis Tool TBD; Static Analysis Tool TBD; Static Analysis Tool TBD; Maintain / expand reference result sets; Provide User support; Maintain SWAMP Infrastructure; Software Package Subscriptions; Summary results Reporting; Hybrid Analysis; Exploit and Vulnerability Database; Language TBD; Language TBD; Language TBD; Language TBD
  22. 6 February 2015

    Version   Release Date
    v1.04     3/25/14
    v1.05     4/15/14
    v1.06     4/29/14
    v1.07     6/10/14
    v1.08     7/15/14
    v1.09     8/19/14
    v1.10     9/11/14
    v1.11     10/16/14
    v1.12     11/24/14
    v1.13     12/18/14
    v1.14     1/20/15
    v1.15     2/10/15
    v1.16     3/10/15
    v1.17     4/7/15
    v1.18     5/5/15
    v1.19     6/9/15
    v2.00     7/14/15
    v2.01     8/11/15
    v2.02     9/15/15
    v2.03     10/13/15
  23. Short Term Vision

    • User interface improvements
    • Commercial Tool integration:
      • Code Sonar (GrammaTech)
      • Goanna (Red Lizard)
      • SAST (Veracode)
    • Plug-ins for IDEs: Eclipse, IntelliJ IDEA, BlueJ
    • SWAMP API
    • Addition of DAST
    • Offer ThreadFix Vulnerability Management Tool (Denim Group)
  24. Long Term Vision

    • Support for a large variety of commercial and open-source static, binary, and dynamic analysis tools
    • Support for iOS, MacOSX, and Windows platforms
    • Support for a large number of programming languages
    • Integration with multiple code repositories
    • Automated scheduled software analysis of the latest code version in a public or private repository
    • Deployment of local/private SWAMP installations for sensitive software
  25. Demo

    • Using the SWAMP
    • Sneak peek of new UI (Coming next week: Feb. 10th)
  26. Demo

  27. Demo

  28. Demo

  29. Contacts

    Join the SWAMP at https://continuousassurance.org!
    • Project Manager, Pat Beyer: pbeyer@continuousassurance.org
    • Web Developer, Abe Megahed: amegahed@continuousassurance.org
    • General: swamp@continuousassurance.org
    • SWAMP 24/7 Support: support@continuousassurance.org, 1+317-274-3942
  30. Thank Yous

    • Jonathan Marcil, for inviting us and coordinating our visit
    • OWASP-Montreal chapter, for sharing this meeting
    • YOU, for your time and attention
  31. Questions

    • FAQs