Department of Homeland Security funds project to improve software security

11.01.12

by Nicole Schiffer

Almost everything relies heavily on computers, from the national power grid to physics research and healthcare. The new Software Assurance Marketplace (SWAMP), funded by a $23.6 million grant from the U.S. Department of Homeland Security, aims to strengthen the security of the software used in these and similar endeavors that rely on expanding cyberinfrastructure.

"By its very nature, open-source software allows for rapid progress," says Miron Livny, director of core computational technology at the Morgridge Institute for Research at the University of Wisconsin-Madison and overall SWAMP project lead. "Yet, the collaborative environments that facilitate open-source innovation have offered limited access to tools and resources for continuous cybersecurity assurance."

Jim Basney, a senior research scientist at NCSA, will serve as the project's identity management lead. He will also be in charge of NCSA's contribution. NCSA's role in the project is to provide identity and access management and to facilitate external connections with remote computing facilities and collaborators, says Basney.

"The software assurance facility must enable collaborative access to its services while protecting each user group's sensitive information from disclosure to other users and the public," he says. "Additionally, the facility must be usable together with other systems that are part of the larger software development and assurance workflow."

He says they plan to use a standards-based approach to access so that it is compatible across different systems. Security protocols including SAML and OpenID, which check that you are who you say you are, and OAuth, which checks what level of access you have to a system, will support collaborative use of the facility.

"Open-source software, developed by multiple programmers in collaborative environments, underpins much of the information technology we rely on every day—from communication networks to the databases that manage our personal records," says Livny.

Dr. Umberto Tachinardi, associate dean for biomedical informatics at UW-Madison's School of Medicine and Public Health, said the cybersecurity challenges facing the nation's health care infrastructure have increased in recent years as more medical software has been introduced and connectivity has rapidly expanded.

"Security is paramount to biomedical research and I am very excited that this program is an important step toward new levels of privacy and confidentiality for open-source software used in a variety of medical applications," Tachinardi said.

Initial operating capabilities for SWAMP will include the ability to continuously test up to 100 open-source software packages against five software assurance tools on eight platforms such as Macintosh, Linux, and Windows. The secure research facility will be able to analyze more than 275 million lines of code per day and also will introduce new tools to reduce the "false positive" readings that now limit the effectiveness of software assurance testing methods.