Software has become a core fabric of all aspects of our lives. It is integral to the operation of our cars, home appliances, medical devices, unmanned aerial vehicles, and, of course, our mobile devices. Beyond that, software powers our critical infrastructure. The dark side of the ubiquitous nature of software is that it makes us all vulnerable. The most recent cybersecurity incidents have exposed vulnerabilities in commodity and open-source software such as Adobe software products, OpenSSL, Microsoft Internet Explorer, Google Chrome and Oracle Java. Part of the reason these vulnerabilities exist can be attributed to the limited capabilities of available software quality assurance tools in detecting weaknesses in software (like the one that led to the Heartbleed vulnerability found in OpenSSL). Improved software assurance capabilities are essential, providing a first line of defense in protecting our nation’s critical infrastructure and e-commerce environments. This was further highlighted in a recent article by Cigital Group CTO Gary McGraw entitled “McGraw on Heartbleed shock and awe: What are the real lessons?” Developing good, clean code becomes part of a defense and protection strategy to help secure our systems. Adopting this strategy across the software supply chain, where many organizations use third-party software components and libraries in their software development or acquisition process, will help improve the overall quality of software.
Free Resource for Software Security
The Software Assurance Marketplace, the SWAMP, is an important resource for improving software development and software assurance activities. Developed with funding from the Department of Homeland Security Science and Technology Directorate (DHS S&T), the SWAMP is a free, online, open-source, collaborative research and development environment that provides resources, services and capabilities to software developers, tool developers, and software researchers. These resources, services and capabilities are designed to assist software developers in analyzing their software code for weaknesses that may lead to vulnerabilities.
The SWAMP currently offers software developers a complementary mix of open-source and commercial software analysis tools. To date, the SWAMP offers four Java software analysis tools (Google’s Error Prone, Checkstyle, PMD and FindBugs); three C/C++ software analysis tools (GCC – the GNU Compiler Collection, Cppcheck, and Clang Analyzer); and eight different platforms for analysis runs. Plans also call for the SWAMP to offer commercial tools.
GrammaTech’s CodeSonar will be one of the first commercial tools offered. The initial set of open-source software analysis tools, along with the commercial tool offerings, will give software developers the capability to leverage the strength of each tool to improve the analysis of results. They will also leverage the SWAMP’s assessment framework and analysis workflows to provide deeper insight into critical weaknesses, which can lead to the discovery and removal of vulnerabilities found in software.
Improving Software Analysis Capabilities
Creating better performing tools will help improve the adoption rate of software quality assurance tools. The goal is to get the tools into the hands of software developers early in the software development process. The SWAMP provides tool developers, those who develop software quality assurance tools and techniques, a resource to improve their tools and software analysis techniques. It currently hosts over 350 diverse, open-source software packages (Java and C/C++) and test cases with known weaknesses to help tool developers identify gaps in their analysis techniques and expand the overall coverage of their tools, both in the number of languages supported and in the weakness classes detected. The unique value of the SWAMP is that it gives tool developers the opportunity to compare their tool results against those of other tools, which can provide insight into new techniques and methods for improving their tools.
The SWAMP is positioned to be a research lab for software researchers. As with any lab, scientists use the lab to find breakthroughs and advancements in science. In the same light, software researchers can leverage the SWAMP to collaborate with others in the software assurance community to find breakthroughs and advancements in software assurance research and development activities that can lead to new discoveries, methods, techniques, and services for improving software analysis capabilities and the way in which software and software tools are developed.
A Marketplace Approach for Software Security
The fact that many, if not all, of the static analysis tools (commercial or open-source) had problems detecting or discovering the weakness that led to the Heartbleed vulnerability highlights the need for a collaborative research environment like the SWAMP. The concept of the marketplace has influenced and shaped the vision for the SWAMP: to provide a unique set of services and capabilities that can be leveraged by the software assurance community. Creating a collaborative marketplace presents opportunities for those in the software assurance community to work together to improve and advance the quality of open-source static analysis tools, and to use the SWAMP’s analysis capabilities to help identify key weaknesses and vulnerabilities that, given the increased use of open-source software, can disrupt the functioning of critical infrastructure and the Internet. DHS S&T recognizes the critical state of software security; the SWAMP is a response intended to better protect this nation and improve the quality of the software that powers our critical infrastructure and the Internet communities.
Kevin Greene is with the Cyber Security Division of the Department of Homeland Security’s Science and Technology Directorate where he serves as program manager of the Software Assurance Marketplace.