SWAMP: Improving software assurance activities

Published 30 July 2014

The Software Assurance Market Place, or SWAMP, is an online, open-source, collaborative research environment that allows software developers and researchers to test their software for security weaknesses, improve tools by testing against a wide range of software packages, and interact and exchange best practices to improve software assurance tools and techniques.

“The goal of the SWAMP is to aid in the development of a healthier and safer cyber environment, and that starts with creating better quality software,” said Kevin Greene, Department of Homeland Security Science and Technology Directorate (S&T), Cyber Security Division, SWAMP Program Manager. “We’re doing something unique: we’re providing software developers the opportunity to test software and leverage multiple software analysis tools together in one space to improve the accuracy of their results.”

A DHS S&T release reports that SWAMP, built on a high-performance computing environment, lets users draw on a wide range of software packages, test cases, and community projects while finding weaknesses in their software through an assessment platform that currently comprises five open-source static analysis tools (PMD and FindBugs for Java, Cppcheck for C and C++, and GCC and Clang, whose compiler diagnostics and analyzers cover C-family code) and more than 100 open-source software packages to test against. In the future, the tool repository will expand to include dynamic and binary code assessment, commercial software analysis tools, and new platforms, including mobile, and will offer Application Programming Interfaces (APIs) for third-party services and for continuous integration as part of the software development process.
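The practical value of running several analyzers over one package, as described above, comes from putting their results side by side: a location that GCC, Clang and Cppcheck all flag deserves attention before one that a single tool reports at "style" severity. The script below is an added illustration of that aggregation step, not SWAMP's own code. It assumes each tool has already been run on its own (for example `gcc -Wall -Wextra -c`, `clang --analyze`, and `cppcheck --xml-version=2`), normalizes their output into one record shape, groups findings by file and line, and ranks locations by how many tools corroborate them. All tool output embedded here is constructed for the example.

```python
"""Aggregate findings from several open-source static analyzers into one view.

Added illustration for this article, not SWAMP code. Assumes the tools were
run separately and their text/XML output is passed to the parsers below.
Every sample output in this file is constructed, not captured from SWAMP.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    file: str
    line: int
    severity: str   # normalized: error | warning | info
    rule: str       # tool-specific rule or checker id, "" if none
    message: str


# gcc and clang share the "file:line:col: severity: message [id]" format.
GCC_STYLE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*"
    r"(?P<severity>error|warning|note):\s*(?P<msg>.*?)"
    r"(?:\s*\[(?P<rule>[^\]]+)\])?$"
)

# Map each tool's severity vocabulary onto one three-level scale.
SEVERITY = {
    "error": "error", "warning": "warning", "note": "info",
    "style": "info", "performance": "info", "portability": "info",
    "information": "info",
}


def parse_gcc_style(text, tool):
    """Parse gcc/clang diagnostics; lines without file:line ("In function ...") are skipped."""
    findings = []
    for raw in text.splitlines():
        m = GCC_STYLE.match(raw.strip())
        if not m:
            continue
        findings.append(Finding(tool, m["file"], int(m["line"]),
                                SEVERITY.get(m["severity"], "info"),
                                m["rule"] or "", m["msg"]))
    return findings


def parse_cppcheck_xml(text):
    """Parse cppcheck --xml-version=2 output; one Finding per <error>/<location> pair."""
    root = ET.fromstring(text)
    findings = []
    for err in root.iter("error"):
        for loc in err.findall("location"):
            findings.append(Finding("cppcheck", loc.get("file"), int(loc.get("line")),
                                    SEVERITY.get(err.get("severity"), "info"),
                                    err.get("id", ""), err.get("msg", "")))
    return findings


def merge(findings):
    """Group findings by (file, line) so corroboration across tools is visible."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.file, f.line)].append(f)
    return dict(groups)


def rank(groups):
    """Most-corroborated locations first: more tools, then worse severity, then position."""
    order = {"error": 0, "warning": 1, "info": 2}

    def key(item):
        (file, line), fs = item
        return (-len({f.tool for f in fs}), min(order[f.severity] for f in fs), file, line)

    return sorted(groups.items(), key=key)


def tools_at(groups, file, line):
    """Sorted names of the tools that reported something at file:line."""
    return sorted({f.tool for f in groups.get((file, line), [])})


# Constructed sample of `gcc -Wall -Wextra -c vuln.c` (hypothetical file).
GCC_OUTPUT = """\
vuln.c: In function 'copy_name':
vuln.c:12:5: warning: '__builtin_strcpy' writing 64 bytes into a region of size 16 overflows the destination [-Wstringop-overflow=]
vuln.c:18:9: warning: unused variable 'tmp' [-Wunused-variable]
"""

# Constructed sample of `clang --analyze vuln.c`.
CLANG_OUTPUT = """\
vuln.c:12:5: warning: String copy function overflows the destination buffer [alpha.unix.cstring.OutOfBounds]
vuln.c:25:12: warning: Dereference of null pointer (loaded from variable 'p') [core.NullDereference]
"""

# Constructed sample of `cppcheck --xml-version=2 vuln.c` (cppcheck writes it to stderr).
CPPCHECK_XML = """\
<results version="2">
  <cppcheck version="1.65"/>
  <errors>
    <error id="bufferAccessOutOfBounds" severity="error" msg="Buffer is accessed out of bounds: dst">
      <location file="vuln.c" line="12"/>
    </error>
    <error id="unreadVariable" severity="style" msg="Variable 'tmp' is assigned a value that is never used.">
      <location file="vuln.c" line="18"/>
    </error>
  </errors>
</results>
"""


def report():
    """Parse all three constructed outputs and return the ranked (location, findings) list."""
    groups = merge(parse_gcc_style(GCC_OUTPUT, "gcc")
                   + parse_gcc_style(CLANG_OUTPUT, "clang")
                   + parse_cppcheck_xml(CPPCHECK_XML))
    return rank(groups)


if __name__ == "__main__":
    for (file, line), fs in report():
        tools = sorted({f.tool for f in fs})
        print(f"{file}:{line}  flagged by {len(tools)} tool(s): {', '.join(tools)}")
        for f in fs:
            print(f"    {f.tool:<9}{f.severity:<8}{f.rule:<34}{f.message}")
```

With the constructed inputs, line 12 of `vuln.c` (flagged by all three tools, one of them at error severity) ranks first, the unused-variable finding that GCC and Cppcheck agree on comes second, and the Clang-only null dereference last. Ranking by agreement is a heuristic, not a guarantee: a real defect that only one tool understands (the null dereference here) still needs review, so the single-tool tail should be triaged rather than discarded.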

According to Greene, the SWAMP’s designers went to great lengths to secure the site, including identity-based access controls to protect submitters’ intellectual property. A package may be submitted as either public or private, depending on the confidentiality the submitter wants. For private packages, only users granted access by the project owner may see the results. Public packages rely on a crowdsourcing approach that encourages technical exchange and collaboration, resulting in better-quality open-source software.

“Software requires several checks and balances during the development phase. Likewise, if someone is developing software for you, you would need to validate whether that software can be trusted. The SWAMP serves as a resource to vet software and ensure it meets individual security requirements before it is installed.”

The SWAMP was made available to users in February 2014, and has been drawing a great deal of interest from academia, federal government, industry, and freelance software developers.

Since then, users have been registering and uploading software packages and testing and vetting software for weaknesses that could lead to vulnerabilities. Software developers who test their software early and often can decrease the cost of software failure, weed out common bugs, and contribute to community-wide cyber knowledge.