Slashdot Mirror


Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing

cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.

67 comments

  1. No thanks. by Anonymous Coward · · Score: 0, Redundant

    Oh, sure, after our government has proven how trustworthy and helpful they are, I'm sure I'll be willing to pass my code directly to them! I'm sure they won't at all abuse me nor the code in some way.

    1. Re:No thanks. by jfdavis668 · · Score: 3, Insightful

      If your system is open source, they can just go get your code. It would still be useful if they point out your problems.

    2. Re:No thanks. by Anonymous Coward · · Score: 0

      But they won't.

    3. Re:No thanks. by Anonymous Coward · · Score: 0

      If your system is open source, they can just go get your code.

      Correct. So in that regard, the original AC was wrong.

      It would still be useful if they point out your problems.

      That seems like a pretty big "if" there. Probably far more likely is that they would point out their problems. I.e., they won't tell you about vulnerabilities they discover, and will even suggest "improvements" you could make that actually add in security holes for them to use.

    4. Re:No thanks. by Anonymous Coward · · Score: 0

      That's very different. Any information provided to a government entity can and will be used against you. If you honestly believe you can trust the government to handle anything without at least attempting to screw you over, you're a fool.

    5. Re:No thanks. by Anonymous Coward · · Score: 0

      Is this a proper role for government? Or, since someone else is paying for a perceived benefit, is it okay to exceed the narrowly defined powers granted to the Federal government by the States and the people?

      By the way, did you get your free government cell phone?

    6. Re:No thanks. by Anonymous Coward · · Score: 0

      They use five open-source static analysis tools, you can check your code yourself.

    7. Re:No thanks. by jfdavis668 · · Score: 1

      Any information NOT provided to a government entity can also be used against you. What difference does it make? Unless your code is designed to hack into bank systems and steal account information, I don't see the difference it would make.

  2. No thanks by Dishwasha · · Score: 0, Troll

    The NSA is already proactively doing this for me.

  3. how about no by Anonymous Coward · · Score: 1

    I trust the DHS as much as I trust the NSA.

  4. Looks good to me by Mostly+a+lurker · · Score: 3, Insightful

    The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

    1. Re:Looks good to me by Anonymous Coward · · Score: 2, Insightful

      What a shame they have no credibility with the people that would benefit from this.

    2. Re:Looks good to me by disposable60 · · Score: 1

      Or with anyone not benefiting directly from their vendor base's campaign contributions to your congresscritters.
      Oh, and the FNC audience.

      --
      You're looking for quotes? See my journal.
    3. Re:Looks good to me by jasno · · Score: 2

      Actually, my first thought is why isn't the NSA doing this?

      Securing our nation's information infrastructure is one of their core missions (along with spying on OTHER nations, which I also think they should be doing, instead of spying on US). They have the talent to be able to do it effectively.

      --

      http://www.masturbateforpeace.com/
    4. Re:Looks good to me by Anonymous Coward · · Score: 0

      Why do I get the feeling that the only people who will submit their apps are those who are "worried" about security, but not smart enough to know better than to submit it to a nameless bureaucracy? It almost seems like a honey pot. The only reason police catch a lot of criminals is because they are stupid. A smart criminal can get away with a lot.

    5. Re:Looks good to me by aztracker1 · · Score: 2

      For those, like yourself, that don't already know CERT is now under DHS. CERT has some pretty big credibility.

      --
      Michael J. Ryan - tracker1.info
    6. Re:Looks good to me by Anonymous Coward · · Score: 0

      The DHS has zero credibility. That they pull some non-scumbag organizations in with them is irrelevant.

    7. Re:Looks good to me by Zero__Kelvin · · Score: 1

      What makes you say that? You seem to be assuming that they are both competent and well meaning. These are two assumptions that are specious at best. Somewhere there are some DHS droids laughing their ass off: "Can you believe it? We even called it SWAMP and the morons still did the work of ferreting out software to find holes in for us!"

      I almost don't feel sorry for the people stupid enough to fall for this scam.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Looks good to me by some+old+guy · · Score: 2

      CERT had some pretty big credibility.

      FTFY

      --
      Scruting the inscrutable for over 50 years.
    9. Re:Looks good to me by Zero__Kelvin · · Score: 1

      "Actually, my first thought is why isn't the NSA doing this?"

      Actually, my first thought was that they are, and that they're calling their initiative SWAMP Thing. Perhaps you missed the stories of agencies performing the tasks that others cannot and then "sharing" their data?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:Looks good to me by arglebargle_xiv · · Score: 2

      The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

      Barely. If you look at what they're offering it's FindBugs, clang, gcc, and cppcheck. Completely bog-standard tools that anyone should be using anyway, but they're being paid $23M taxpayer dollars for it. Shee-it, I could do the same thing with $10K to cover the cost of renting some EC2 space, and I'll spend the remaining $22.99M on coke and hookers (seriously, how can they have spent $23M on this? One person could set it up in a few hours, the only constraint is how many VMs you need to spin up if lots of people sign up for it).

      This looks very much a DHS solution, vast sums of money spent on something that should be nearly free. Not to mention that while gcc -Wall, clang, and FindBugs aren't bad as far as free software goes, they're nowhere near the level of commercial offerings like Fortify, Coverity, and others.

      OK, so in terms of cost/benefit it's more of a TSA solution than strictly a DHS solution.

    11. Re:Looks good to me by suutar · · Score: 1

      Because "be able to attack others" always winds up being a higher priority than "keep others from attacking us" in a dual-mission agency. It goes along with "the best defense is a good offense" and such mindsets, and it sounds cooler when you're selling your budget to the oversight committee.

    12. Re:Looks good to me by Anonymous Coward · · Score: 0

      Perhaps they know it costs no money, and are funneling that funding elsewhere...
      or maybe they are incompetent..

    13. Re:Looks good to me by marka63 · · Score: 1

      It saves the government money to consolidate the checking to one place. Otherwise every department would need to do the checking themselves.

      By doing this continuously you end up with releases which are free of known errors.

    14. Re:Looks good to me by arglebargle_xiv · · Score: 1

      By doing this continuously you end up with releases which are free of known errors.

      Weeellll... you end up with something that's been run through gcc -Wall, which is a long way from "free of known errors". Now admittedly "free of known errors" is a nice circular definition meaning "free of things gcc warns about", but even then it's not necessarily the case, there's plenty of code that ships with avalanches of warnings when you build it, but no-one's bothered fixing it up.

      At best, you get something that doesn't produce warnings in gcc and clang. At worst you get code that hasn't been changed from the default release because the maintainers decided none of the warnings were serious.

    15. Re:Looks good to me by marka63 · · Score: 1

      Actually you get something that has passed several different analyses.

      Silencing "gcc -Wall" is a good thing. Modern gcc versions catch lots of errors. Add to that clang static analysis and others you get pretty reasonable error detection which is what they are aiming for.

    16. Re:Looks good to me by jasno · · Score: 1

      I had a feeling someone would say something like this...

      According to TFS, the program is for open source code. You know, the code that is already open and scannable by a web crawler. If the NSA wanted to do this for nefarious purposes (and I'm sure they do), they would have (and probably have) started their own program years ago. They don't need you to upload your open source project for them.

      I'm willing to bet the NSA has all the closed-source software source they want as well. I doubt my company's shitty security, for example, is any hindrance to them.

      --

      http://www.masturbateforpeace.com/
    17. Re:Looks good to me by Zero__Kelvin · · Score: 1

      You should have paid more attention. This allows, at a minimum, them not to have to search the whole internet for code. The proles will bring it to them! Why pay someone to look all over the internet for FOSS code and go through the work of pulling it to their servers, when trusting morons will push it for them?

      "You know, the code that is already open and scannable by a web crawler"

      Have you ever tried to write a Webcrawler that will crawl the internet and differentiate code from everything else there, determine if it is FOSS, decide if it is still in active development or interesting, etc.? Clearly not. You might think you can easily write an AI Webcrawler, but I assure you that you cannot do it at all.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. No Windows or C# support yet by xxxJonBoyxxx · · Score: 2

    It's a neat project covering C, C++, and Java and a little Objective C and Javascript, but it doesn't cover C# or Windows yet. (https://continuousassurance.org/tool-selection/)

    Unfortunately, in my world C#/Windows is where a lot of the business-facing open source action is, especially with the advent of NuGet.

  6. For widely used open source, great. I'll use it. by raymorris · · Score: 2

    When I write open source software in C, and expect it to be widely distributed, I may use the service.
    I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly. If NSA or someone reacts to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.

  7. WTF? by gstoddart · · Score: 3, Insightful

    Do the DHS seriously believe they have any credibility in this area?

    At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

    Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.

    --
    Lost at C:>. Found at C.
    1. Re:WTF? by Anonymous Coward · · Score: 1

      At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

      Huh? If it is about open source, they can just download any project and still do that. As a matter of fact, harvesting open source software for vulnerabilities is something which agencies like NSA do all the time.

    2. Re:WTF? by 93+Escort+Wagon · · Score: 1

      I'm not sure why you're conflating your understandable disgust over the current state of copyright litigation in the US with issues related to code integrity. There's not exactly a lot of common ground there.

      Now if you had mentioned DHS' cozy relationship with the NSA - an organization that most of us expect is actively subverting both code and the standards we rely on - that would make more sense.

      --
      #DeleteChrome
  8. typos by raymorris · · Score: 0

    When I write open source software in C, and expect it to be widely distributed, I may use the service.
    I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly secret. If NSA or someone wants to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.

  9. Really! by Anonymous Coward · · Score: 1

    Soon it will be illegal to use open source unless it is verified by DHS.

  10. What they're not telling you by timrod · · Score: 2

    What DHS isn't telling you is that they're secretly submitting anything given to them via SWAMP to a secret NSA partner program known as SHREK (Security Holes for Recapturing Encryption Keys) and the FBI's version of the same program, known as DONKEY (Domestic Onion-Router Key Capture) which will attempt to overthrow the TOR project.

    The real question is, what is anyone doing putting their code in the SWAMP?

    1. Re:What they're not telling you by Zero__Kelvin · · Score: 1

      "... known as DONKEY (Domestic Onion-Router Key Capture)"

      That would be DONKEY Capture, actually.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. QA by jones_supa · · Score: 3

    Quality assurance is the #1 thing that open source software needs in spades. There's a lot of buggy stuff out in the OSS world. Sure, it is mildly nauseating that DHS is the one doing this, but still I am all for it.

    1. Re:QA by antdude · · Score: 1

      I agree. I try to help out by reporting issues that I run into, but I can't do this full-time since I already have a paying SQA job. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  12. Coverity by __aapopf3474 · · Score: 4, Interesting

    I trust Coverity's Scan program far more than I'll trust the organization that continues to promote security theater. DHS has no business in this area. This is typical overexpansion of a bloated bureaucracy.

    1. Re:Coverity by Zero__Kelvin · · Score: 1

      Agreed:

      1) Create a program, and call it SWAMP
      2) Look for problems in the code that is sure to be buggy, as competent developers would never submit code
      3) Announce that OMFG, Open Source is full of holes!
      4) Watch more people stay with Windows due to the misinformation
      5) Power Profit

      Look Ma! No ???? step!

      What exactly stops them from gathering their own FOSS software? See step 2.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Coverity by Anonymous Coward · · Score: 1

      This is just another tool like Coverity, funded by the .gov. There's nothing wrong with it. And competent developers *will* submit code, because competent developers realize that no matter how competent you are and how much you focus on writing correct code, mistakes are inevitable and static analysis tools help mitigate the risk of those mistakes. Competent developers are already using Coverity, and they'll probably sign up for this as well in hopes that there is some non-overlap in the bugs the two sites find.

    3. Re:Coverity by Kiwikwi · · Score: 1

      Sorry to break it to you, but Coverity's free-open source scanning was originally funded by the DHS. :-)

      After the DHS grant expired in 2009, Coverity continued the service pro bono.

      This new program seems like a step back, though. Now, if the DHS was instead investing in improving the open-source tools, it would make sense.

    4. Re:Coverity by __aapopf3474 · · Score: 1

      Right you are! In my defense, I think contracting this out to Coverity was one of the rare things that the DHS did that was correct, or at least not horrifically incorrect. I see the DHS as an overgrown bureaucracy that is antithetical to our constitutional rights, especially the fourth amendment (searches). Bureaucracies need to grow to cover up their inefficiencies. Don't get me started on the TSA... Thanks for the correction...

    5. Re:Coverity by Kiwikwi · · Score: 1

      Well, considering the budget of the DHS, they're going to do the right thing once in a while, purely by accident. ;-)

    6. Re:Coverity by NoFlexZone · · Score: 1

      That's the plan: to try and raise the bar of open source tools. Actually, there is a use case to support vendors who bring their tool and run it against a wide range of software packages and test cases in the SWAMP. The goal is to create better performing tools and improve tool coverage. I think the SWAMP is an excellent idea.

  13. what a gift! by Cardoor · · Score: 1

    hey y'all - i know these guys have been trying to invade us and everything, but look.. they're nowhere to be seen, and they've left us this SWEET giant wooden horse! i don't know about you, but I'm thinking it's partytime!! open up them gates and roll that baby in!!

  14. Made by humans for humans. by zeroeth · · Score: 2

    I worked on this project. You should glance at who is involved before donning the tinfoil hats. https://continuousassurance.org/about-us/the-team/

    It's an education grant with several PhDs who study various CS security subjects (fuzzing, dynamic, static analysis). Built by a bunch of nice nerds employed by the Morgridge Institute http://discovery.wisc.edu/home/morgridge/morgridge.cmsx which is part of University of Wisconsin Madison.

    QA/Testing is the black sheep of the coding universe, and trying to get those tools running can be a pain sometimes. Anything that makes it easier (Swamp, Travis, etc) makes our universe a better place.

    1. Re:Made by humans for humans. by Actually,+I+do+RTFA · · Score: 3, Insightful

      Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally? I understand the benefits of keeping statistics as code improves, etc., but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.

      Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.

      --
      Your ad here. Ask me how!
    2. Re:Made by humans for humans. by zeroeth · · Score: 1

      The SWAMP is currently just one site, but their eventual goal is that you can install and run it on your own internally, or however you see fit.

  15. I was told there'd be brogre shitposting by Anonymous Coward · · Score: 0

    DONKEY (Domestic Onion-Router Key Capture)

    I see what you did ogre there.
    I wish I hadn't. Really.

  16. I'm confused by Anonymous Coward · · Score: 0

    Wasn't DHS, and the NSA, not a few weeks back saying that FOSS, Linux, and a host of other keywords, put you on a rather negative watch list? Now DHS is sponsoring FOSS code testing portals? Seems the left hand doesn't know what the right hand is doing, or wants!

  17. Okay by DaMattster · · Score: 1

    Why would anyone voluntarily help the US Government spy on its people? Fuck Uncle Sam! I won't do anything to help big brother.

  18. DHS sucks balls by AndyKron · · Score: 2

    Anybody who trusts the Department of Homeland Security is a fucking idiot.

  19. Re:For widely used open source, great. I'll use it by Actually,+I+do+RTFA · · Score: 1

    I think it's probably a good idea to do this to your code even if you don't plan on widely distributing it. It can help identify errors in your coding style/skillset. And you know what they say about a stitch in time...

    --
    Your ad here. Ask me how!
  20. No new tools. Low-budget operation by Animats · · Score: 3, Informative

    All they're offering are some existing tools, ones you can get for free. The main ones are the Clang static analyzer and Cppcheck. They're not offering free access to some of the better, and expensive, commercial tools.

    Cppcheck is basically a list of common errors, expressed as rules with regular expressions. Clang is a little more advanced, but it's still looking for a short list of local bugs. Neither will detect all, or even most, buffer overflows. They'll detect the use of "strcpy", but not a wrong size to "strncpy".
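    An added example, not code from the page or from the SWAMP project: a toy rule-based checker in the spirit of the regex rules the comment above describes. It shows why a bare "flag strcpy" rule says nothing about a wrong-sized strncpy, and how far a slightly stricter textual rule (compare the size argument with the destination buffer) gets before running out of knowledge. The C fragment it scans, and every name in it, is constructed for this illustration.

```python
"""Toy rule-based checker for strcpy/strncpy calls (constructed example)."""
import re

# Constructed C fragment; not taken from any real project.
SAMPLE_C = """\
char buf[64];
char name[32];
strcpy(buf, argv[1]);                     /* unbounded: the easy case */
strncpy(buf, argv[1], strlen(argv[1]));    /* size taken from the source */
strncpy(name, argv[1], sizeof(buf));       /* size of a different buffer */
strncpy(name, argv[1], sizeof(name) - 1);  /* bounded by the destination */
name[sizeof(name) - 1] = '\\0';
"""

# Rule 1: any strcpy/strncpy call statement. Like the regex rules the comment
# describes, this is purely textual: no types, no data flow.
CALL_RE = re.compile(r'\b(strcpy|strncpy)\s*\(([^;]*)\)\s*;')
# Rule 2: the only size expressions accepted as "derived from the destination".
SIZEOF_RE = re.compile(r'^sizeof\s*\(\s*(\w+)\s*\)(\s*-\s*1)?$')


def split_args(argtext):
    """Split a C argument list on top-level commas (nested calls stay intact)."""
    args, depth, cur = [], 0, ''
    for ch in argtext:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            args.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def check_line(lineno, line):
    """Return (lineno, rule, message) findings for one line of C source."""
    findings = []
    for m in CALL_RE.finditer(line):
        fn, args = m.group(1), split_args(m.group(2))
        if fn == 'strcpy':
            findings.append((lineno, 'strcpy',
                             'unbounded copy into %s' % args[0]))
            continue
        if len(args) != 3:
            continue  # not a well-formed strncpy call; leave it alone
        dst, size = args[0], args[2]
        sz = SIZEOF_RE.match(size)
        if sz is None:
            findings.append((lineno, 'strncpy-size',
                             'size %r is not derived from destination %s'
                             % (size, dst)))
        elif sz.group(1) != dst:
            findings.append((lineno, 'strncpy-size',
                             'size uses sizeof(%s) but destination is %s'
                             % (sz.group(1), dst)))
    return findings


def scan(source):
    """Run the rules over every line; returns the findings in source order."""
    out = []
    for i, line in enumerate(source.splitlines(), 1):
        out.extend(check_line(i, line))
    return out


if __name__ == '__main__':
    for lineno, rule, msg in scan(SAMPLE_C):
        print('line %d [%s]: %s' % (lineno, rule, msg))
```

    The fourth strncpy line passes both rules, yet rule 2 cannot tell whether `name` is really the array declared above or a pointer of the same name; that is the gap between a list of local patterns and real data-flow analysis.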

  21. it's a TRAP! by Anonymous Coward · · Score: 0

    If they find N number of bugs.. they will tell you about n-1 or n-2.. the rest they will keep in a database on how to exploit system for the good of America..

  22. Metadata by ThatsNotPudding · · Score: 0

    It's about gathering even more metadata about the operators and rat lines within the most dangerous terrorist cell of all: F/OSS (It even *sounds* like ISIS!).

  23. DHS is many different agencies - Coast Guard, FEMA by raymorris · · Score: 1

    > Seems the left hand doesn't know what the right hand is doing, or wants!

    DHS includes a LOT of hands that don't know what the others are doing. This is a high-level overview of a few of the major sections within DHS:
    http://www.dhs.gov/xlibrary/as...

    You'll notice it includes agencies as diverse as the Coast Guard, FEMA, health stuff ...

    The $60 billion budget for all of the different agencies within DHS is 10% of the total non-defense operational budget of the entire government. So anything the government does, there's a reasonably good chance it's part of DHS.

    US-CERT is now part of DHS, and of course US-CERT is the #1 information security organization. One thing CERT is doing is dispensing DHS grant money to pay universities to develop free cybersecurity courses http://niccs.us-cert.gov/ . Some of the courses are quite good.

  24. Projects to audit by Anonymous Coward · · Score: 0

    I'll be impressed if they find a remote hole in OpenBSD.
    Maybe they can speed along the TrueCrypt audit. (Not that we trust them if they say that it's safe, but if they do find a problem that they report, then great.)
    For that matter, let's have them look at LibreSSL, and report what they find there.
    Then, give them the OpenSSL code, and that project alone should entirely chew up their grant money before they get finished.

    This is a really, really great ide-- wait, I'm an American taxpayer. Whose dumb idea was it to spend my money on having an untrustworthy organization do this?

  25. Maybe A Different Tactic? by LifesABeach · · Score: 1

    As a Freedom of Information Act Request; have the NSA offer users access to their own phone calls? In other words, be a part of the solution...

  26. Made by humans for humans. by Anonymous Coward · · Score: 0

    Finally someone with common sense

  27. Made by humans for humans. by NoFlexZone · · Score: 1

    Finally someone with common sense. The Chief Scientist of the SWAMP is the "father of Fuzzing", Barton Miller.

  28. No new tools. Low-budget operation by NoFlexZone · · Score: 1

    Commercial tools are just as bad as open-source. Look at Heartbleed: none of the tools found the weakness that led to Heartbleed. You have to understand the premise behind the project before making assumptions. There will be commercial tools being offered soon!!!

  29. QA by NoFlexZone · · Score: 1

    This will be eventually transitioned to the community to maintain. Think about it... much of software used in government and critical infrastructure is now relying on open-source components. The SWAMP is a response from DHS that says.. software security is a huge problem ... here is a resource to help improve software development activities and raise the quality of tools used to detect bugs and weaknesses.

  30. For widely used open source, great. I'll use it. by NoFlexZone · · Score: 1

    Ray Morris... exactly. People are so closed minded. You don't think NSA already knows the backdoors and vulnerabilities in popular open-source packages? lol