The growing use of open source software in federal IT and the shortcomings of current software analysis tools have led the Department of Homeland Security (DHS) to contribute $23.5 million for an online resource to better assess the security of open source software.
The Software Assurance Market Place (SWAMP) provides a platform for developers to test open source programs and a lab aimed at improving the capabilities of testing tools, which today fall short in spotting weaknesses in software. The facility, which went online in February, is housed at the Morgridge Institute for Research at the University of Wisconsin, Madison, and is jointly operated with Indiana University and the University of Illinois at Urbana-Champaign.
The SWAMP provides a high-performance platform at no cost to its users. Though it is open to academics and commercial developers, the target market is government developers, said Kevin Greene, software assurance program manager in the DHS Science and Technology Directorate's cybersecurity division. "We really wanted to provide a way for the federal government to do this," Greene said. "Software development is expensive, and we need better capabilities."
By providing a comprehensive resource for software analysis, the DHS hopes to lower the barrier for incorporating effective quality assurance into the software development lifecycle.
A convergence of factors in the cyberthreat landscape, including the proliferation of open source software and the growing complexity of programs, spurred development of the SWAMP.
"This introduces a lot of variables we didn't have before," Greene said. Attackers are taking advantage of this by focusing their attention on applications, which are proving a richer source of targets than networks. The need for better software analysis was underscored by the discovery of the Heartbleed vulnerability in OpenSSL, the widely used cryptographic library that protects online transactions. Heartbleed lets a remote client read sensitive data, including private keys, out of a server's memory, and it stems from a failure to validate two bytes of data: the payload length field of a TLS heartbeat message, which the code trusted without comparing it against the amount of data actually received, so the responder would copy up to 64 KB of adjacent memory into its reply.
The weakness is mundane and should have been easy to find, Greene said. But the program's structure "created a significant challenge for current software assurance tools, and we do not know of any such tools that were able to discover the Heartbleed vulnerability at the time of announcement," SWAMP researchers James A. Kupsch and Barton P. Miller wrote in a paper. "The thing to remember is that this is one bug in one program whose structure made the discovery of this bug particularly difficult."
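The missing two-byte check, shown as an added illustration that is not taken from the article, from the Kupsch and Miller paper, or from OpenSSL's own source: a simplified heartbeat responder in the vulnerable shape beside one carrying the comparison that OpenSSL 1.0.1g added for CVE-2014-0160. The message layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding). The memory arena, the "ping" payload and the SECRET string are constructed for the demo, and the arena is sized so the over-read stays inside the demo's own buffer instead of being undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed pattern (CVE-2014-0160); not OpenSSL code.
 * A TLS heartbeat message (RFC 6520) is: 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of random padding. The responder echoes
 * payload_length bytes. The bug: the length field was trusted without checking it
 * against the number of bytes actually received. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  64
#define OUT_CAP     128

static const char SECRET[] = "SECRET-KEY-MATERIAL";   /* constructed "adjacent heap data" */

/* Vulnerable responder: copies the claimed payload length, ignoring rec_len. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > out_cap) return 0;  /* only keeps the demo's output buffer in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Missing check: payload_len may exceed rec_len, so this reads past the bytes
     * actually received (here: into the arena's SECRET; in a real process: the heap). */
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Fixed responder: the shape of the 1.0.1g check, silently discarding any
 * request whose claimed length plus padding does not fit in the record. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Constructed arena: a 7-byte malicious request at offset 0 (claims 40 payload
 * bytes but carries only "ping"), with secret data 16 bytes in, the way unrelated
 * heap data sits next to a real record. Returns the bytes actually "received". */
static size_t build_malicious_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x28;          /* claimed payload length: 40 */
    memcpy(arena + 3, "ping", 4);              /* the 4 bytes really sent */
    memcpy(arena + 16, SECRET, sizeof SECRET); /* "neighbouring" memory */
    return 7;
}

/* A well-formed request: 4-byte payload plus 16 bytes of padding (23 bytes). */
static size_t build_legit_record(uint8_t *rec) {
    rec[0] = HB_REQUEST;
    rec[1] = 0x00; rec[2] = 0x04;
    memcpy(rec + 3, "ping", 4);
    memset(rec + 7, 0xAA, HB_PADDING);
    return 7 + HB_PADDING;
}

/* 1 if the vulnerable handler's reply contains the secret that lay beyond the record. */
int demo_vulnerable_leaks(void) {
    uint8_t arena[ARENA_SIZE], out[OUT_CAP];
    size_t rec_len = build_malicious_arena(arena);
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    /* out[3+k] == arena[3+k], so arena[16] lands at out[16]. */
    return n == 43 && memcmp(out + 16, SECRET, sizeof SECRET - 1) == 0;
}

/* Reply length the fixed handler produces for the same malicious record (0 = discarded). */
size_t demo_fixed_rejects(void) {
    uint8_t arena[ARENA_SIZE], out[OUT_CAP];
    size_t rec_len = build_malicious_arena(arena);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* Reply length for a well-formed request: 3-byte header + 4-byte payload = 7. */
size_t demo_fixed_accepts_legit(void) {
    uint8_t rec[32], out[OUT_CAP];
    size_t rec_len = build_legit_record(rec);
    return heartbeat_fixed(rec, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler reply to malicious record: %zu bytes\n", demo_fixed_rejects());
    printf("fixed handler reply to legitimate record: %zu bytes\n", demo_fixed_accepts_legit());
    return 0;
}
```

Note that nothing is wrong with the memcpy call in isolation: the defect is a missing comparison between two values that reach it from different places, the length parsed out of the attacker's message and the record length tracked by the caller. A checker that only pattern-matches unchecked copies, or that cannot connect the parsed field to the true size of the buffer, has nothing to flag, which is the kind of structural difficulty the SWAMP researchers describe.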
Even under the best of circumstances, finding software flaws is challenging with static code analysis. Tools have different strengths, and no one tool can find all types of weaknesses. A National Institute of Standards and Technology study found that it is rare for the same defect to be detected by three or more tools. And an NSA Center for Assured Software study on 60,000 test cases with nearly 10 million lines of C, C++, and Java code found that only 14% of known software defects were detected, even with multiple tools.
The SWAMP hopes to improve on these results through a standardized platform that normalizes the output of multiple static analysis tools (PMD, FindBugs, Cppcheck, GCC, and Clang). It also provides more than 400 open source software packages for tool developers to test their tools against. Users do not have to calibrate and configure the tools, and the results are standardized using Code Dx, which consolidates and normalizes the weaknesses reported by different tools so that the same finding from several tools is presented once.
"We do all of that for you," Greene said. "That lowers the barrier to using them." Even though using multiple tools does not ensure all software weaknesses will be found, the combination should provide better results than using a single tool.
SWAMP users can create public or private projects to test software. With private projects, intellectual property being tested is not shared.
The SWAMP can process 275 million lines of code a day, which Greene said "for the moment gives us plenty of breathing space." It's now running about 650 assessments a week.
In addition to the open source static analysis tools, Veracode, Parasoft, Red Lizard, and GrammaTech have provided commercial tools for the SWAMP to use. Greene said dynamic analysis tools, which monitor a running application for security faults, will be added to the platform in 2015, and it will be capable of vetting mobile apps in November.