The U.S. Department of Homeland Security is seeking participants for the Software Assurance Marketplace (SWAMP), which is expected to open to beta users in January. The ultimate goal for the marketplace is to help protect the nation’s critical infrastructure by improving software used for essential functions, such as electrical power, gas and oil, and banking and finance. Potential participants are invited to register at the continuous assurance website.
The SWAMP offers a collection of software quality assurance tools to help developers test and evaluate their code for weaknesses and vulnerabilities. It also provides tool developers with an environment where they can test, calibrate and improve the ability of their tools to scan a range of languages such as JAVA, C++ and .NET, as well as being able to look at a wide range of weaknesses. Additionally, it is meant to assist software researchers in discovering new techniques and methods to help create better performing assessment tools, and it provides a learning environment for educators and students to better understand how to develop software code.
“The need for SWAMP stems from the fact that software is everywhere. Software powers our critical infrastructure. We’re talking oil and gas, finance, transportation, so there are a lot of key components that are very important. We realize that in order to protect that from our adversaries, we need to have a resilient infrastructure in place, and software is the underlying entry point and attack vector that a lot of our adversaries use to try to compromise our systems,” says Kevin Greene, software assurance program manager, Cybersecurity Division, Science and Technology Directorate, Department of Homeland Security.
Greene says he hopes that up to 500 users will sign up by next year. “In January 2014, we will have our initial operating capability, where we will make the SWAMP available for the public to start using. So, we want to have software available for a limited subset of users to start doing testing, cranking out different things, coming up with some ways we can improve the environment before we fully open it up to the public,” he explains. The SWAMP is a five-year effort, which should become fully operational around the end of the third year, he adds.
Beta users will have access to five software assurance tools, including PMD, FindBugs, CppCheck, Oink and Clang, and more than 100 software packages and test cases for analysis runs, such as Jenkins, K-9, Hadoop and Scribe. “The good thing about those tools is that they are currently being used in the open source community as well as in a lot of operational environments. In terms of the packages, if we can help identify weaknesses in those widely used packages, we’re doing our job in helping the community identify weaknesses and provide them in a way that they can, through a crowdsourcing approach, make changes and fixes so they can funnel those changes back to the software assurance marketplace,” Greene says.
The SWAMP will add major functionality about every six months. In mid-2014, for example, the marketplace will include tools for assessing code used for mobile devices, and six months after that, users will be able to assess binary code. “A lot of times we don’t get the source code. We get the actual binary, so if we get the binary, we need to be able to still provide a mechanism by which users can vet software. We realize the combination of source analysis as well as binary analysis is very important,” Greene explains.
Greene expresses hope that the SWAMP will help address the growing size and complexity of software. “Typically, tools have not been designed to scale, to provide that type of robustness. One of the things I’m trying to figure out through my software assurance program is how we can continue to develop techniques that will keep pace with the changes in software, the complexity, the size. How we can constantly develop techniques that are advancements but that also keep pace with the rapid changes in software,” he says.
Additionally, he foresees the marketplace helping to improve education and awareness. “We want to partner with academia and offer educational opportunities through the SWAMP that provide the awareness and education to develop better software,” he says. “We need community input and involvement so that we can share tools, techniques, resources and experience. Because the SWAMP is a collaborative resource environment, we treat it like a laboratory. This is where people come and collaborate and find new breakthroughs.”
That collaboration also could lead to better assessment tools. “Once we create better performing tools, there is a better chance of software developers adopting the tools earlier in the development process. That will go a long way in reducing the cost of software failures. Typically, they don’t use the tools because the tools don’t perform that well,” he reports. “We want folks who are passionate about software assurance, who are passionate about improving software. But also, we want the small tool developers to be a part of the SWAMP as well, because typically they don’t have the resources to improve their tools.”
Greene predicts that the SWAMP will foster major software assurance advances. “We’re trying to do our job in protecting our nation’s critical infrastructure and providing capabilities to be more proactive instead of reactive to cyberthreats. Along with the technologies I’m developing, I think the SWAMP will definitely be a revolutionary force in the software assurance community. We anticipate advancing some breakthroughs in the SWAMP,” he declares.