NCSA helps launch resource to fight cybercrime

02.03.14

Cybercrime is a booming industry in the United States, estimated at $100 billion, and shows no signs of slowing down. Attackers have an arsenal of weapons at their disposal, including social engineering (or phishing), penetrating weak security protocols, and exploiting software vulnerabilities that can serve as an “open window” into an organization’s IT environment. Closing those windows requires effective and accessible tools to identify and root out software vulnerabilities.

Today (Feb. 3, 2014) the Software Assurance Marketplace, or the “SWAMP,” has released a free public resource to address this growing need. Supported by a $23.4 million grant from the Department of Homeland Security’s Science and Technology Directorate, the SWAMP provides a safe, secure environment for software developers, software assurance tool developers, and software researchers to collaborate and improve software assurance activities. From the very early stages of a project and throughout its entire life cycle, the SWAMP offers continuous, automated access to a rich and evolving set of assessment capabilities.

Designed by researchers from the Morgridge Institute for Research, the University of Wisconsin-Madison, Indiana University and the National Center for Supercomputing Applications (NCSA), the SWAMP provides a suite of assurance tools and software packages that serve to identify vulnerabilities and reduce false positives.

Jim Basney leads the NCSA group that designs identity and access management functionality for the SWAMP. “We have worked with the rest of the SWAMP team to enable convenient and secure access to the SWAMP by its users,” he says. “We are also SWAMP users ourselves—we are assessing NCSA’s MyProxy software using the SWAMP.”

The initial operating capability of the SWAMP enables the assessment of Java, C and C++ software with five static analysis tools. Results are displayed via Secure Decisions’ CodeDx vulnerability results viewer, which was developed through DHS S&T’s Small Business Innovation Research program (SBIR). According to DHS software assurance program manager Kevin Greene, “We see widespread adoption of the SWAMP as having a profound, positive impact on software systems and applications that power our critical infrastructure. Better assurance practices lead to better security, it’s that simple.” He adds, “The SWAMP collaboration is a great example of the public and private sector coming together to advance improvements in software assurance activities to deal with emerging cyber threats.”

The SWAMP’s initial assurance tools include FindBugs, PMD, Clang, CppCheck and GCC, along with a choice of eight platforms. Over the five-year project, the SWAMP will add multiple assessment capabilities, including mobile, dynamic and binary analysis tools.

About the Software Assurance Marketplace

The “SWAMP” is a national software assurance resource funded by a grant from the Department of Homeland Security Science and Technology Directorate. Software developers, assurance tool developers, educators and IT professionals can use the SWAMP for free to perform vulnerability assessments. To learn more about SWAMP, visit www.continuousassurance.org.

To schedule an interview with SWAMP leadership or for more information, contact Karen Hitchcock at 608-513-6566, khitchcock@continuousassurance.org.