Cybersecurity: SWAMP Helps Find Software Vulnerabilities

July 30, 2014
The Software Assurance Market Place aims to help software developers make their programs more secure by finding weaknesses such as Heartbleed-like vulnerabilities.

Cybersecurity is a continuing worry, especially with attacks such as the Stuxnet virus, which reportedly ruined several of Iran's nuclear centrifuges by worming its way into plants' industrial programmable logic controllers (PLCs). An organization called the Software Assurance Market Place or SWAMP aims to help users make their software more secure by finding weaknesses such as Heartbleed-like vulnerabilities.

The program is an online, open-source, collaborative research setting intended to let software developers and researchers test their software for security weaknesses, improve tools by testing against a wide range of software packages, and interact and exchange best practices to improve software assurance tools and techniques.

"SWAMP's goal is to help develop a healthier and safer cyber environment, and that starts with creating better quality software," says Kevin Greene, Department of Homeland Security Science and Technology Directorate, Cyber Security Division, SWAMP Program Manager.

SWAMP lets users address weaknesses in the software through an assessment platform comprising the open-source tools PMD, FindBugs, CppCheck, GCC, and Clang, as well as more than 100 open-source software packages. The program intends to expand its tool repository in the future to include dynamic and binary code assessments, commercial software analysis tools, and mobile platforms, as well as provide APIs for third-party services.

According to Greene, the SWAMP designers made sure that the site remains secure by implementing identity-based controls to protect submitters' intellectual property. Users can submit software either on a public or a private security level. Public packages rely on crowdsourcing to encourage collaboration, resulting in better quality open-source software.

"Software requires several checks and balances during the development phase," says Greene. "Likewise, when someone is developing software for you, you would need to validate whether that software can be trusted. SWAMP serves as a resource to vet software and ensure it meets individual security requirements before being installed."