The Software Assurance Marketplace (SWAMP) is an effort to help developers build more secure code by providing freely available tools to scan and audit code. SWAMP got its start in 2014 with support for C/C++ and Java and is now expanding to support Python code.
SWAMP is funded by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division (DHS S&T/HSARPA/CSD) and the Air Force Research Laboratory, Information Directorate.
“Overall, the intent of the SWAMP is to lower the entry point of programmers for doing continuous assurance,” SWAMP Project Manager Patrick Beyer told eWEEK. “We’re a facility that allows a developer to upload code and run it against a number of software assurance tools and then get the integrated results of the tools as an output.”
In Beyer’s view, a big value proposition for developers to use SWAMP is the simple fact that the service is freely available. Developers don’t have to support the tools themselves; rather the SWAMP infrastructure hosts all the tools and makes sure they all run properly, Beyer said. SWAMP is using Code DX as a tool to help view the results from multiple analysis tools, to enable developers to compare results, he added.
The SWAMP system also enables developers to easily identify publicly known vulnerabilities and their associated CVE (Common Vulnerabilities and Exposures) identifier. Plus, the system does not share information beyond the developers’ own choices on whom they want to share the scan result information with.
Currently, SWAMP has 12 static analysis tools available for developers to use and in its first year of operation has done more than 50,000 code assessments.
The SWAMP effort isn’t the first time the DHS has funded an effort to help developers build secure code. Back in 2006, the DHS first funded an effort under the title of “Vulnerability Discovery and Remediation Open Source Hardening Project,” which included the participation of Stanford University, Symantec and source code analysis firm Coverity. The Coverity Scan effort still scans open-source code today, though it is no longer backed by a DHS grant. Zack Samocha, director of marketing at Coverity, told eWEEK that Scan now has more than 4,000 open-source software projects, and it continues to grow quickly, adding about 250 new projects each month. Coverity Scan now fully supports C#, Java and C/C++ .
Coverity’s static analysis technology currently is not among the tools available in SWAMP, but Samocha said that Coverity would be happy to explore opportunities to help the open-source software community and join SWAMP.
Beyer noted that there isn’t overlap with Coverity’s Scan effort, since SWAMP is using multiple tools to scan code.
“What we’re trying to do is get developers to develop really good code that’s clean and doesn’t have weaknesses in it,” Beyer said.
Currently, SWAMP’s tools include static analysis technologies that analyze code. SWAMP does not yet perform dynamic analysis of running code, though that will be changing soon. Beyer said the plan is to bring in some dynamic analysis tools toward the end of this calendar year.
“We’re slowly working on it [dynamic analysis]. A lot of it is based on our ability to start up multiple virtual machines and have those machines talk to each other,” Beyer explained. “To do that in a safe and secure manner is still something we’re trying to design correctly.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.