Software developers get SWAMP'ed, and that's good for software security assurance

By Linda Musthaler | October 07, 2014

Posted in: Network Security Trends

October is National Cyber Security Awareness Month. The theme of this week's awareness messaging is how to build secure software products, and we've got a great tip on how you can do that.

If you look at the evolution of software, it has changed quite a bit over the last 20 to 25 years. Software is more complex than ever, and the size of software packages has grown. What's more, software has become absolutely pervasive. It's a critical part of almost every aspect of our lives, from home appliances to medical devices to our cars and our infrastructure. Software is essential to nearly everything we do.

Recent attacks, such as those on the retail sector and other major entities, have shown that software is at the core of breaches. Quite often attackers succeed because they are able to exploit a particular vulnerability in the software.

This fact is troubling enough when it's a retail store that has suffered the theft of millions of customers' payment data, but consider what would happen if attackers could find and exploit a vulnerability in the air traffic control system or in the systems that run water treatment plants or nuclear power plants. No doubt there are terrorist groups somewhere in the world that would like to have a vector for that kind of attack.

This thought troubled the U.S. Department of Homeland Security so much that its Science and Technology Directorate funded the development and ongoing operation of an online service to conduct software security assessments. The SoftWare Assurance MarketPlace (SWAMP) is designed to significantly lower the cost and complexity barriers of software security testing for the software industry at large.

Officially, the overall mission of the SWAMP is "to bring a transformative change to the software assurance landscape by providing a national marketplace that provides continuous software assurance capabilities to researchers and developers." In short, the SWAMP is a free service available to software developers, tool developers, educators and students to assess their software, scan for weaknesses and potential vulnerabilities, and prioritize the remediation process in order to churn out code that is more secure and less vulnerable to attack.

Here's a simple look at how these diverse groups might use the SWAMP.

Commercial and private software developers can upload their program to the SWAMP and run a battery of assessments on their code. There are both open source and commercial tools available to scan for weaknesses. The developer can choose which testing tools to use. It's recommended to use multiple tools that have strengths in different areas. The raw results of the assessments are run through a process that consolidates and normalizes the results into a single viewer with a standard format. This means the developer doesn't have to become an expert on how to use all of the tools in order to interpret the results from them. The results are categorized from "most serious" to "least serious" to help the developer prioritize the remediation work.
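To make the consolidation step concrete, here is an added illustration (not SWAMP's own code or its result format) of what "normalize, merge and rank" means in practice: two hypothetical scanners with different output schemas are parsed into one common record, findings at the same file and line are merged with the worse severity kept, and the list is ordered most serious first. The tool names, schemas and sample findings are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical scanners with different schemas.
TOOL_A_JSON = json.dumps([
    {"path": "src/auth.c", "line": 42, "level": "error", "msg": "strcpy into fixed buffer"},
    {"path": "src/log.c", "line": 7, "level": "warning", "msg": "format string from argument"},
])
TOOL_B_TEXT = "src/auth.c:42: HIGH: unbounded copy (strcpy)\nsrc/util.c:118: LOW: unused variable 'tmp'\n"

RANK = {"high": 3, "medium": 2, "low": 1}  # the common severity scale every tool is mapped onto

@dataclass
class Finding:
    path: str
    line: int
    severity: str                     # normalized: high / medium / low
    message: str
    reported_by: list = field(default_factory=list)

def parse_tool_a(raw):
    """Tool A emits JSON with error/warning/info levels; map them to the common scale."""
    level_map = {"error": "high", "warning": "medium", "info": "low"}
    return [Finding(r["path"], int(r["line"]), level_map.get(r["level"], "low"),
                    r["msg"], ["tool_a"]) for r in json.loads(raw)]

def parse_tool_b(raw):
    """Tool B emits 'path:line: SEVERITY: message' text lines."""
    out = []
    for ln in raw.splitlines():
        if ln.strip():
            path, line, sev, msg = ln.split(":", 3)
            out.append(Finding(path, int(line), sev.strip().lower(), msg.strip(), ["tool_b"]))
    return out

def consolidate(findings):
    """Merge findings at the same location, keep the worst severity, order worst-first."""
    merged = {}
    for f in findings:
        key = (f.path, f.line)
        if key in merged:
            m = merged[key]
            m.reported_by += f.reported_by          # record every tool that flagged this spot
            if RANK[f.severity] > RANK[m.severity]:
                m.severity, m.message = f.severity, f.message
        else:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (-RANK[f.severity], f.path, f.line))

def prioritized_report():
    return consolidate(parse_tool_a(TOOL_A_JSON) + parse_tool_b(TOOL_B_TEXT))

if __name__ == "__main__":
    for f in prioritized_report():
        print(f"{f.severity:6} {f.path}:{f.line}  {f.message}  [{', '.join(f.reported_by)}]")
```

A finding confirmed by more than one tool is a useful triage signal in its own right, which is why the merged record keeps the list of reporting tools rather than discarding duplicates.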

The SWAMP is useful to tool developers as well. By "tools" I mean the products that are used to conduct the security scans on software programs. Tools are software products, too, so their developers need to know how well they work before releasing them to the public. The SWAMP has a large collection of software packages that have been specifically developed with known weaknesses in their code. Tool developers can run their products against these "calibration" packages to see how well they do at identifying the weaknesses as well as how they compare to other tools in the SWAMP. This process serves to make the scanning tools better at identifying potential security lapses in software programs. And by returning these tools to the SWAMP as official scanning tools, tool developers can build a client base from the people and companies that use the tools and choose to bring them in-house.

Educators who teach software design and secure coding techniques and the students who are learning these disciplines can use the SWAMP too. As students develop programs for projects assigned by their professors, they can assess their work and make improvements as they go.

There's yet another group that can benefit from the services offered by the SWAMP. Companies that contract with third-party developers to create software can use the SWAMP to validate the quality of the product they have commissioned. Third-party developers in the software supply chain can be held accountable for resolving any and all weaknesses that are revealed in the software assessments. Eventually the SWAMP may offer system certification and accreditation services to aid these developers in certifying their products.

The SWAMP has been open for business since the beginning of the year. New resources continue to be added as time goes on. For example, today the SWAMP supports some of the most common programming languages, including Java, C and C++. Coming online soon will be scripting languages like Python, Ruby, Perl and JavaScript. The SWAMP currently supports Linux environments, and Android, Windows and Mac OS are next to be supported. C# will be added as a supported programming language once the Windows environment is supported. Additionally, the SWAMP is adding several commercial testing tools on September 22 as well as the support of organizations such as OWASP, Veracode and several others to be named soon.

Are you interested in giving the SWAMP a try? It's open for business now. To create an account and start using the SWAMP today, visit the SWAMP website. There's a video tour to help you get started by walking you through creating an account and performing basic functions in the SWAMP.
