Homeland Security gets into software security
PORTLAND — No, I am not making this up. At OSCon, The Department of Homeland Security (DHS), best known to you as the people checking up on you between the airport parking lot and your flight, quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP).
"Why," you ask?
Because Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code"
This is true, but the government has been using open-source software since before the phrase "open source," or even the earlier phrase, "free software" existed. Some of NASA's COSMIC free scientific code collection, for example, dates back to the 1960s and the Veterans Affairs' Veterans Health Information Systems and Technology Architecture (VistA), the first electronic health record (EHR) system, began in the early 1980s.
During my own time at NASA in the 1980s, Linux was introduced. Soon thereafter, the first Linux supercomputer architecture, Beowulf, was created at Goddard Space Flight Center (GSFC) in 1995. More recently, in 2010, the popular open-source cloud program OpenStack, got its start as a joint project between RackSpace and NASA.
So it is that government agencies have long both used and created "open-source" software. What's been missing, and what the SWAMP tries to provide, is a centralized way of checking the code for errors and security problems.
While SWAMP is funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project.
The SWAMP servers themselves are hosted at the Morgridge Institute in Madison, WI. At the Institute, the clustered servers are kept at a secure facility. The SWAMP cluster currently has 700 cores, 5TBs of RAM, and 100TBs of storage to meet the continuous assurance needs of multiple software and tool development projects. SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program.
These tools currently are:
- FindBugs: Identifies errors in Java programs using Java bytecode rather than source code.
- PMD: Finds common programming flaws in Java, JavaScript, XML, and XSL applications.
- Cppcheck: Detects bugs usually missed by compilers in the C and C++ languages.
- Clang Static Analyzer: Finds bugs in C, C++, and Objective-C programs.
- GCC: The Gnu C compiler is used to ensure C and C++ code is syntactically correct.
- CheckStyle: Evaluates a wide variety of programming style rules for Java.
- error-prone: This tool finds violations in Java code using Google’s best practice programming style.
According to SWAMP, "These static analysis tools review program code and search for application coding flaws, unintentional or intentional, that could give hackers access to critical company data or customer information. Each of them has been proven to be an effective SwA measure. The new interfaces make it easy for software developers to apply one or many of these tools to a single software package."
In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite.
The Juliet Test Suite is a collection of over 81,000 synthetic C/C++ and Java public domain programs with known flaws. These known flaws are used to test the effectiveness of static analyzers and other software assurance tools. The Juliet Test Suite covers 181 different Common Weakness Enumerations (CWEs) and also includes similar, but non-flawed, code to test tool discrimination.
Beyer added that the SWAMP team "keeps the tools updated and supported for dozens of versions of Linux to test again. Simultaneously, thanks to its integrated viewer for all its tools the SWAMP is easy to use." SWAMP's testing suites can be used at no cost by both government and other programmers.
"Software has become a core fabric to all aspects of our lives. It is integral in the operation of our home appliances, embedded devices, point of sale systems, unmanned aerial vehicles, and of course, our mobile devices; and we must not forget that software powers our critical infrastructure. The ubiquitous nature of software makes us all vulnerable and susceptible to potential attacks," said Software Assurance Manager Kevin E. Greene of DHS S&T in a prepared statement. "DHS S&T recognizes the importance of software; the SWAMP is a response to better protect this nation and improve the quality of software that powers our critical infrastructure, the Internet, and our daily lives."
“Because the network perimeter has been successfully secured to a great degree, most malicious attacks are now directed at applications, making the need to assess software more critical than ever,” concluded Beyer. “SWAMP provides easy access to a powerful platform that lowers the cost and complexity barriers of software assurance. It allows today’s software developers and security professionals to increase the level of confidence that their software is free from vulnerabilities either intentionally or accidentally designed into the software during its lifecycle. Now, today’s professionals have an array of tools to help ensure their software functions in the intended manner.”
Oh, and because I know some of you are wondering "How can I trust my code to the DHS!? Beyer assured would-be users that, "All SWAMP activities performed by users are kept completely confidential. The only one who sees your code are you and the SWAMP system administrators. In no way does testing your programs on SWAMP give the government any access, control, or rights to your programs."
Personally, while I still think the DHS is an unlikely sponsor for this project — the National Security Agency (NSA) or NIST seem like its more natural home — I think the SWAMP sounds like a very useful one-stop for anyone wanting to double-check their pre-production code for errors before release.
Related Stories: