As Patrick Beyer, SWAMP's project manager at the Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code."
During my own time at NASA in the 1980s, Linux was introduced. Soon thereafter, the first Linux supercomputer architecture, Beowulf, was created at Goddard Space Flight Center (GSFC) in 1995. More recently, in 2010, the popular open-source cloud program OpenStack got its start as a joint project between Rackspace and NASA.
So it is that government agencies have long both used and created "open-source" software. What's been missing, and what the SWAMP tries to provide, is a centralized way of checking the code for errors and security problems.
SWAMP is funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T) and is designed by researchers from the Morgridge Institute, the University of Illinois at Urbana-Champaign, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open-source software development, national distributed facilities, and identity management to the project.
The SWAMP servers themselves are hosted at the Morgridge Institute in Madison, WI, where the clustered servers are kept in a secure facility. The SWAMP cluster currently has 700 cores, 5 TB of RAM, and 100 TB of storage to meet the continuous assurance needs of multiple software and tool development projects. SWAMP opened its services to the community in February 2014, offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program.
These tools currently are:
FindBugs: Identifies errors in Java programs using Java bytecode rather than source code.
Cppcheck: Detects bugs usually missed by compilers in the C and C++ languages.
According to SWAMP, "These static analysis tools review program code and search for application coding flaws, unintentional or intentional, that could give hackers access to critical company data or customer information. Each of them has been proven to be an effective SwA measure. The new interfaces make it easy for software developers to apply one or many of these tools to a single software package."
The Juliet Test Suite is a collection of over 81,000 synthetic C/C++ and Java public domain programs with known flaws. These known flaws are used to test the effectiveness of static analyzers and other software assurance tools. The Juliet Test Suite covers 181 different Common Weakness Enumerations (CWEs) and also includes similar, but non-flawed, code to test tool discrimination.
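A constructed example of how a suite built like Juliet is used to score a static analyzer, added here and not part of the article or of SWAMP's own tooling: each test case pairs a flawed ("bad") function with a near-identical safe ("good") one, so a tool earns a true positive for flagging the bad variant, a false positive for flagging the good variant, and discriminates on the case only when it does both right. The case names and tool results below are constructed.

```python
# Constructed example: scoring a static analyzer against Juliet-style test cases.
# A tool "discriminates" on a case when it flags the flawed function and stays
# silent on the near-identical non-flawed one; flagging both is just noise.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    name: str           # constructed case id, not a real Juliet file name
    cwe: int            # the CWE the case targets
    bad_flagged: bool   # tool reported the target CWE in the bad function
    good_flagged: bool  # tool reported the target CWE in the good function


def score(cases):
    """Per-CWE true-positive, false-positive and discrimination rates.
    Each rate is a fraction of that CWE's test cases; no cases gives {}."""
    by_cwe = defaultdict(list)
    for c in cases:
        by_cwe[c.cwe].append(c)
    result = {}
    for cwe, group in by_cwe.items():
        n = len(group)
        tp = sum(c.bad_flagged for c in group)
        fp = sum(c.good_flagged for c in group)
        disc = sum(c.bad_flagged and not c.good_flagged for c in group)
        result[cwe] = {"cases": n, "tp_rate": tp / n,
                       "fp_rate": fp / n, "disc_rate": disc / n}
    return result


# Constructed tool output for six hypothetical test cases.
SAMPLE = [
    TestCase("CWE121_case_01", 121, True, False),   # flaw only: discriminates
    TestCase("CWE121_case_02", 121, True, True),    # flags both: no discrimination
    TestCase("CWE121_case_03", 121, False, False),  # missed the flaw entirely
    TestCase("CWE78_case_01", 78, True, False),
    TestCase("CWE78_case_02", 78, True, False),
    TestCase("CWE190_case_01", 190, False, True),   # missed flaw, flagged safe code
]

if __name__ == "__main__":
    for cwe, r in sorted(score(SAMPLE).items()):
        print(f"CWE-{cwe}: cases={r['cases']} TP={r['tp_rate']:.2f} "
              f"FP={r['fp_rate']:.2f} disc={r['disc_rate']:.2f}")
```

The discrimination rate is the number to watch: a tool can reach a perfect true-positive rate by flagging everything, and only the good-variant twin exposes that.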
Beyer added that the SWAMP team "keeps the tools updated and supported for dozens of versions of Linux to test against. Simultaneously, thanks to its integrated viewer for all its tools, the SWAMP is easy to use." SWAMP's testing suites can be used at no cost by both government and other programmers.
"Software has become a core fabric to all aspects of our lives. It is integral in the operation of our home appliances, embedded devices, point of sale systems, unmanned aerial vehicles, and of course, our mobile devices; and we must not forget that software powers our critical infrastructure. The ubiquitous nature of software makes us all vulnerable and susceptible to potential attacks," said Software Assurance Manager Kevin E. Greene of DHS S&T in a prepared statement. "DHS S&T recognizes the importance of software; the SWAMP is a response to better protect this nation and improve the quality of software that powers our critical infrastructure, the Internet, and our daily lives."
"Because the network perimeter has been successfully secured to a great degree, most malicious attacks are now directed at applications, making the need to assess software more critical than ever," concluded Beyer. "SWAMP provides easy access to a powerful platform that lowers the cost and complexity barriers of software assurance. It allows today's software developers and security professionals to increase the level of confidence that their software is free from vulnerabilities either intentionally or accidentally designed into the software during its lifecycle. Now, today's professionals have an array of tools to help ensure their software functions in the intended manner."
Oh, and because I know some of you are wondering "How can I trust my code to the DHS!?", Beyer assured would-be users that "All SWAMP activities performed by users are kept completely confidential. The only ones who see your code are you and the SWAMP system administrators. In no way does testing your programs on SWAMP give the government any access, control, or rights to your programs."
Personally, while I still think the DHS is an unlikely sponsor for this project — the National Security Agency (NSA) or NIST seem like its more natural home — I think the SWAMP sounds like a very useful one-stop for anyone wanting to double-check their pre-production code for errors before release.