Wouldn’t it be great if there was a free portal where every developer could go to test his or her new application for known security weaknesses? All new software has bugs and security holes, and this free resource could help any developer – whether working at a government agency, a company, a university, or independently – identify and remedy security flaws well before the software was released in the wild.
This isn’t wishful thinking – such a free security resource exists today. As reported in an excellent piece by Kelly Jackson Higgins in Dark Reading, just such a portal has been created thanks to a $23.5 million DHS project, through the DHS Science and Technology Directorate. It’s called the Software Assurance Marketplace (SWAMP) portal, and it’s operated by security and software experts at the University of Illinois-Champaign/Urbana, the University of Indiana, the University of Wisconsin-Madison, and the Morgridge Institute for Research in Madison.
The use of SWAMP has risen rapidly, and commercial software security providers have noticed. Discussions are underway to include commercial security software services on SWAMP, to provide users with an integrated, one-stop-shop for security testing.
“There are several commercial providers who would like to participate in SWAMP,” says Miron Livny, director and CTO of SWAMP. “Users could use SWAMP for [these services] if they reached a licensing agreement with the provider.”
SWAMP allows users to conduct static analysis testing, meaning code can be tested without actually executing it. The addition of commercial services is an important step, since SWAMP aims to be the one place where developers bring together all of their various software assurance tools, its organizers say. The portal had a “soft launch” this February and recently debuted a more intuitive interface.
There are over 400 open-source software testing packages on SWAMP for developers to use in testing their work. The portal uses the National Institute of Technology’s Juliet Test Suite, which provides public domain software programs containing known vulnerabilities.
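To make concrete what the two preceding paragraphs describe, here is an added example that is not SWAMP's code, nor any tool hosted on it: a minimal static analyzer that parses Python source into a syntax tree and inspects it without ever running the program, then exercises it on constructed good/bad test-case pairs written in the spirit of the Juliet Test Suite. The rule names, the CWE numbers they map to, and the test cases themselves are assumptions chosen for this illustration, not material from Juliet.

```python
"""Minimal AST-based static analyzer (added example, not SWAMP or Juliet code).

The source under test is parsed, never executed, which is the defining
property of static analysis. Two rules are implemented as illustrations:
  CWE-78  OS command injection: a shell command built from non-literal input
  CWE-798 hard-coded credential: a string literal assigned to a secret-like name
"""
import ast

# Variable names treated as secret-bearing for the CWE-798 rule (assumption).
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}

# subprocess entry points that accept shell=True (assumption: a representative subset).
SHELL_CAPABLE = {"subprocess.run", "subprocess.call",
                 "subprocess.Popen", "subprocess.check_output"}


class Finding:
    def __init__(self, cwe, line, message):
        self.cwe = cwe
        self.line = line
        self.message = message

    def __repr__(self):
        return f"CWE-{self.cwe} line {self.line}: {self.message}"


class Checker(ast.NodeVisitor):
    """Walks the syntax tree and records rule violations as Findings."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # CWE-798: `password = "..."` with a string literal on the right-hand side.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(Finding(
                        798, node.lineno,
                        f"hard-coded credential assigned to '{target.id}'"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # CWE-78: a shell is invoked with a command that is not a plain literal,
        # so it may have been assembled from untrusted input.
        func = node.func
        name = None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            name = f"{func.value.id}.{func.attr}"
        first_arg_literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
        if name in SHELL_CAPABLE:
            shell_true = any(
                kw.arg == "shell"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
                for kw in node.keywords)
            if shell_true and node.args and not first_arg_literal:
                self.findings.append(Finding(
                    78, node.lineno, f"{name} with shell=True and non-literal command"))
        elif name == "os.system" and node.args and not first_arg_literal:
            self.findings.append(Finding(
                78, node.lineno, "os.system with non-literal command"))
        self.generic_visit(node)


def analyze(source: str):
    """Parse `source` and return a list of Findings; the code is never executed."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed good/bad test-case pairs in the Juliet style (not taken from Juliet).
CASES = {
    "CWE78_bad": (
        "import subprocess\n"
        "def run(user_input):\n"
        "    subprocess.run('ls ' + user_input, shell=True)\n"
    ),
    "CWE78_good": (
        "import subprocess\n"
        "def run(user_input):\n"
        "    subprocess.run(['ls', user_input])\n"
    ),
    "CWE798_bad": "password = 'example-literal'\n",
    "CWE798_good": "import os\npassword = os.environ.get('APP_PASSWORD')\n",
}


def run_cases():
    """Return {case name: [(cwe, line), ...]} for every constructed case."""
    return {name: [(f.cwe, f.line) for f in analyze(src)]
            for name, src in CASES.items()}


if __name__ == "__main__":
    for name, hits in run_cases().items():
        print(name, hits or "clean")
```

Because the analysis operates on the parsed tree, the `bad` cases are flagged even though they are never run, and the `good` variants (argument list instead of a shell string, secret read from the environment) pass clean. A real tool of the kind SWAMP hosts adds data-flow tracking and hundreds of such rules, but the parse-then-inspect shape is the same.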
SWAMP is another example of DHS taking a more proactive stance towards online security. Working with leading experts in academia, SWAMP aims to make security a primary concern during the software development process, not afterwards. And that can make us all safer online.