The Software Assurance Marketplace: A response to a challenging problem


With the steady proliferation of wearable devices and the emergence of the Internet of Things, everyone and everything will eventually be connected by some piece of software. The growing reliance on software makes us all vulnerable and susceptible to cyber attacks.

A more alarming factor in this web of connectivity is that the quality of software is steadily declining. For example, the most recent cybersecurity incidents exposed some serious vulnerabilities in commodity and open-source software products such as Adobe’s product line, Bash, OpenSSL, Microsoft Internet Explorer, Google Chrome and Oracle’s Java. These vulnerabilities continue to exist, in part because software quality assurance tools have only limited ability to detect weaknesses that are exploitable.

In fact, that’s one of the reasons why the Heartbleed vulnerability found in OpenSSL was around for so long—there were no software quality assurance tools that could detect the weakness behind it. The numbers don’t lie and, in fact, highlight that software today must be better written and designed to meet the growing challenge of software security.

As of September 2014, the National Vulnerability Database – the de facto repository of standards-based vulnerability management data for open-source and commercial software – reported 5,409 vulnerabilities. If you look at the numbers closely, you can see that 2014 just might have the most reported vulnerabilities since 2006. When you factor in the average number of vulnerabilities per month (601), 2014 could actually push the number of reported vulnerabilities close to the 7,000 mark.

This growing vulnerability trend demonstrates how critically important it is to improve software assurance capabilities to address the growing software security concerns and challenges. Developing good, clean code is an essential defense and protection strategy that must be adopted to help secure our systems. Adopting this strategy as part of any software development activity will help improve the overall quality of software. In fact, secure and resilient code provides the first line of defense for organizations looking to protect sensitive information residing on Internet-facing systems. As more and more systems move outside the firewall and network security perimeter, organizations will need to implement secure coding as part of their defense-in-depth strategy.

A response to the software security issue
The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has recognized how critical the state of software security is to the DHS mission. The SoftWare Assurance MarketPlace (SWAMP) is DHS S&T’s response to build the solutions needed to better protect the nation and improve the quality of software that powers our critical infrastructure and Internet communities.

The SWAMP is a free, online, open-source, collaborative research and development environment that provides a host of software analysis resources, assessment services and software assurance capabilities to software developers, tool developers and software researchers. These resources, services and capabilities were designed to assist software developers in vetting their software code for weaknesses.

The SWAMP is a high-throughput platform that enables software developers to use a complementary mix of open-source and commercial software analysis tools simultaneously, without having to learn how to use each individual tool. To date, the SWAMP offers four Java software analysis tools (Google’s Error-Prone, Checkstyle, PMD and FindBugs); three C/C++ software analysis tools (GCC, the GNU Compiler Collection; Cppcheck; and Clang Analyzer); and eight different platforms for analysis runs. The SWAMP will also offer commercial tools from Veracode, Parasoft, GrammaTech and Goanna Red Lizard in the near future.

This initial set of open-source software analysis tools, along with the commercial tool offerings, enables software developers to leverage the strength of each tool to improve their overall analysis. SWAMP users can also leverage SWAMP’s assessment framework and analysis workflows to gain deeper insight into critical weaknesses that could lead to the discovery and removal of software vulnerabilities.

Raising the bar for software analysis tools
Creating better performing software assurance tools will help improve the adoption rate of these tools. The goal is to get the tools in the hands of software developers early in the software development process. The SWAMP also provides tool developers, those who develop software quality assurance tools and techniques, a resource to improve their tools and techniques. It currently hosts 400 diverse, open-source software packages (Java and C/C++) and test cases with known weaknesses.

Tool developers can use these packages and test cases to more accurately identify gaps in their analysis techniques and expand the overall coverage of their tools in terms of the number of languages supported and the weakness classes detected. The unique value of the SWAMP is that it allows tool developers to compare their tool results against other tools, which can provide insight into new techniques and methods for improving their tool(s).
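The two preceding sections describe running a complementary mix of analyzers over one code base and comparing what each tool reports. The script below is an added illustration of the bookkeeping that makes such a comparison possible; it is not SWAMP code and does not use the SWAMP’s own results format. It parses two constructed sample outputs, one modeled on gcc’s `file:line:col: warning: msg [-Wflag]` diagnostics and one on Cppcheck’s `--xml` report (the file names, line numbers and messages are invented for the example), normalizes them into one record shape, and reports which locations both tools flagged and which only one did.

```python
"""Normalize findings from two static analyzers and compare their coverage.

Added example (not SWAMP code).  The two sample outputs are CONSTRUCTED to
mimic each tool's format; nothing here invokes gcc or Cppcheck.
"""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# One common record shape for every tool's findings.
Finding = namedtuple("Finding", "tool file line category message")

# Constructed sample: gcc-style diagnostics (file:line:col: warning: msg [-Wflag]).
GCC_OUTPUT = """\
src/parse.c:42:9: warning: 'len' may be used uninitialized in this function [-Wmaybe-uninitialized]
src/parse.c:77:5: warning: comparison of integer expressions of different signedness [-Wsign-compare]
src/net.c:120:3: warning: format '%d' expects argument of type 'int' [-Wformat=]
"""

# Constructed sample: Cppcheck --xml (results version 2) report.
CPPCHECK_XML = """\
<results version="2">
  <cppcheck version="placeholder"/>
  <errors>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: len" cwe="457">
      <location file="src/parse.c" line="42" column="9"/>
    </error>
    <error id="bufferAccessOutOfBounds" severity="error" msg="Array 'buf[16]' accessed at index 16" cwe="788">
      <location file="src/net.c" line="88" column="5"/>
    </error>
  </errors>
</results>
"""

GCC_LINE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):\d+: (?P<kind>warning|error): "
    r"(?P<msg>.*?)(?: \[(?P<flag>-W[^\]]+)\])?$"
)


def parse_gcc(text):
    """Turn gcc-style diagnostic lines into Findings; the -W flag is the category."""
    findings = []
    for raw in text.splitlines():
        m = GCC_LINE.match(raw)
        if not m:  # skip notes, context lines and anything that is not a diagnostic
            continue
        findings.append(Finding("gcc", m["file"], int(m["line"]),
                                m["flag"] or m["kind"], m["msg"]))
    return findings


def parse_cppcheck(xml_text):
    """Turn a Cppcheck XML report into Findings; the CWE id (if any) is the category."""
    root = ET.fromstring(xml_text)
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")
        if loc is None:  # some informational entries carry no location
            continue
        category = "CWE-" + err.get("cwe") if err.get("cwe") else err.get("id")
        findings.append(Finding("cppcheck", loc.get("file"), int(loc.get("line")),
                                category, err.get("msg")))
    return findings


def compare(*finding_lists):
    """Group findings by (file, line) and record which tool flagged each location."""
    by_loc = {}
    for findings in finding_lists:
        for f in findings:
            by_loc.setdefault((f.file, f.line), {})[f.tool] = f
    return by_loc


def coverage_summary(by_loc):
    """Return (locations flagged by every tool, {tool: locations only it flagged})."""
    tools = sorted({t for v in by_loc.values() for t in v})
    both = sorted(loc for loc, v in by_loc.items() if len(v) == len(tools))
    only = {t: sorted(loc for loc, v in by_loc.items() if list(v) == [t]) for t in tools}
    return both, only


if __name__ == "__main__":
    by_loc = compare(parse_gcc(GCC_OUTPUT), parse_cppcheck(CPPCHECK_XML))
    both, only = coverage_summary(by_loc)
    print("flagged by every tool:", both)
    for tool, locs in only.items():
        print(f"only {tool}:", locs)
```

Matching on (file, line) is deliberately coarse: it shows where the tools agree and where one is blind, but saying whether two findings describe the same weakness needs a shared taxonomy such as CWE ids, which gcc’s `-W` flags do not carry. That gap in comparability is exactly what a common assessment framework has to close before tool-to-tool comparison becomes meaningful.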

The SWAMP’s vision and beyond
The SWAMP is positioned to be a research lab for software researchers. As with any lab, scientists use the lab to find breakthroughs and advancements in science. In the same light, software researchers can leverage the SWAMP to collaborate with others in the software assurance community. This kind of collaboration can lead to new discoveries, methods, techniques and services that will improve software analysis capabilities and the very way in which software and software tools are developed.

The SWAMP will continue to evolve to offer binary and dynamic analysis capabilities, add new software analysis tools and support additional languages, such as JavaScript, Python, PHP and Ruby. In addition to these diverse sets of analysis capabilities, the SWAMP will support the Android and iOS mobile platforms and provide resources and services for vetting mobile applications.

The concept of the marketplace has influenced and shaped the vision for the SWAMP to provide a unique set of services and capabilities that can be leveraged by the software assurance community. Creating a collaborative marketplace presents opportunities for those in the software assurance community to work together to improve and advance the quality of open-source static analysis tools. It provides a forum for using the SWAMP’s analysis capabilities to identify key weaknesses and vulnerabilities that can disrupt the functioning of critical infrastructure and other Internet-related capabilities.

DHS S&T recognizes the critical importance of software security. The SWAMP provides a solution for improving the quality of software that powers our critical infrastructure and Internet communities and strengthening the cybersecurity of our nation.