Slashdot Mirror


Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing

cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.

17 of 67 comments

  1. Re:No thanks. by jfdavis668 · · Score: 3, Insightful

    If your system is open source, they can just go get your code. It would still be useful if they point out your problems.

  2. Looks good to me by Mostly+a+lurker · · Score: 3, Insightful

    The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

    1. Re:Looks good to me by Anonymous Coward · · Score: 2, Insightful

      What a shame they have no credibility with the people that would benefit from this.

    2. Re:Looks good to me by jasno · · Score: 2

      Actually, my first thought is why isn't the NSA doing this?

      Securing our nation's information infrastructure is one of their core missions (along with spying on OTHER nations, which I also think they should be doing, instead of spying on US). They have the talent to be able to do it effectively.

      --

      http://www.masturbateforpeace.com/
    3. Re:Looks good to me by aztracker1 · · Score: 2

      For those, like yourself, that don't already know CERT is now under DHS. CERT has some pretty big credibility.

      --
      Michael J. Ryan - tracker1.info
    4. Re:Looks good to me by some+old+guy · · Score: 2

      CERT had some pretty big credibility.

      FTFY

      --
      Scruting the inscrutable for over 50 years.
    5. Re:Looks good to me by arglebargle_xiv · · Score: 2

      The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

      Barely. If you look at what they're offering it's FindBugs, clang, gcc, and cppcheck. Completely bog-standard tools that anyone should be using anyway, but they're being paid $23M taxpayer dollars for it. Shee-it, I could do the same thing with $10K to cover the cost of renting some EC2 space, and I'll spend the remaining $22.99M on coke and hookers (seriously, how can they have spent $23M on this? One person could set it up in a few hours, the only constraint is how many VMs you need to spin up if lots of people sign up for it).

      This looks very much like a DHS solution, vast sums of money spent on something that should be nearly free. Not to mention that while gcc -Wall, clang, and FindBugs aren't bad as far as free software goes, they're nowhere near the level of commercial offerings like Fortify, Coverity, and others.

      OK, so in terms of cost/benefit it's more of a TSA solution than strictly a DHS solution.

  3. No Windows or C# support yet by xxxJonBoyxxx · · Score: 2

    It's a neat project covering C, C++, and Java and a little Objective-C and JavaScript, but it doesn't cover C# or Windows yet. (https://continuousassurance.org/tool-selection/)

    Unfortunately, in my world C#/Windows is where a lot of the business-facing open source action is, especially with the advent of NuGet.

  4. For widely used open source, great. I'll use it. by raymorris · · Score: 2

    When I write open source software in C, and expect it to be widely distributed, I may use the service.
    I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly. If NSA or someone reacts to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.

  5. WTF? by gstoddart · · Score: 3, Insightful

    Do the DHS seriously believe they have any credibility in this area?

    At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

    Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.

    --
    Lost at C:>. Found at C.
  6. What they're not telling you by timrod · · Score: 2

    What DHS isn't telling you is that they're secretly submitting anything given to them via SWAMP to a secret NSA partner program known as SHREK (Security Holes for Recapturing Encryption Keys) and the FBI's version of the same program, known as DONKEY (Domestic Onion-Router Key Capture) which will attempt to overthrow the TOR project.

    The real question is, what is anyone doing putting their code in the SWAMP?

  7. QA by jones_supa · · Score: 3

    Quality assurance is the #1 thing that open source software needs in spades. There's a lot of buggy stuff out in the OSS world. Sure, it is mildly nauseating that DHS is the one doing this, but still I am all for it.

  8. Coverity by __aapopf3474 · · Score: 4, Interesting

    I trust Coverity's Scan program far more than I'll trust the organization that continues to promote security theater. DHS has no business in this area. This is typical over-expansion of a bloated bureaucracy.

  9. Made by humans for humans. by zeroeth · · Score: 2

    I worked on this project. You should glance at who is involved before donning the tinfoil hats. https://continuousassurance.org/about-us/the-team/

    It's an education grant with several PhDs who study various CS security subjects (fuzzing, dynamic, static analysis). Built by a bunch of nice nerds employed by the Morgridge Institute http://discovery.wisc.edu/home/morgridge/morgridge.cmsx which is part of University of Wisconsin Madison.

    QA/Testing is the black sheep of the coding universe, and trying to get those tools running can be a pain sometimes. Anything that makes it easier (Swamp, Travis, etc) makes our universe a better place.

    1. Re:Made by humans for humans. by Actually,+I+do+RTFA · · Score: 3, Insightful

      Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally. I understand the benefits of keeping statistics as code improves, etc. but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.

      Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.

      --
      Your ad here. Ask me how!
  10. DHS sucks balls by AndyKron · · Score: 2

    Anybody who trusts the Department of Homeland Security is a fucking idiot.

  11. No new tools. Low-budget operation by Animats · · Score: 3, Informative

    All they're offering are some existing tools, ones you can get for free. The main ones are the Clang static analyzer and Cppcheck. They're not offering free access to some of the better, and expensive, commercial tools.

    Cppcheck is basically a list of common errors, expressed as rules with regular expressions. Clang is a little more advanced, but it's still looking for a short list of local bugs. Neither will detect all, or even most, buffer overflows. They'll detect the use of "strcpy", but not a wrong size to "strncpy".
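The strcpy/strncpy point in the comment above, shown as an added example (this is not code from SWAMP, from any of the tools named, or from the commenter). A checker that matches the function name catches `strcpy`, but the two real bugs with `strncpy` live in the size argument: bounding by the source length (which turns it back into `strcpy`), and passing exactly the destination size, which is in bounds yet leaves no terminator when the source is as long as the buffer. The 8-byte destination, the function names and the sample strings are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed destination size for the example; any fixed buffer would do. */
#define DST_LEN 8

/* Would strncpy(dst, src, n) write past a destination of dst_len bytes?
   This is the property a by-name rule cannot express: the call is only
   unsafe when n exceeds the real size of dst, which requires tracking
   where n came from. */
bool strncpy_overflows(size_t dst_len, size_t n) {
    return n > dst_len;
}

/* The classic wrong-size pattern: computing the bound from the *source*.
   Passing this as n makes strncpy behave exactly like strcpy. We only
   compute the bound here rather than performing the unsafe copy. */
size_t wrong_bound_from_source(const char *src) {
    return strlen(src) + 1;
}

/* A buffer that holds no '\0' within len bytes is not a C string, and any
   later strlen/printf on it reads past the end. */
bool is_nul_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Second strncpy pitfall, demonstrated without any overflow: the bound is
   correct (sizeof dst), but when src has >= DST_LEN characters no
   terminator is written. Returns whether the result is a valid C string. */
bool strncpy_exact_bound_terminates(const char *src) {
    char dst[DST_LEN];
    strncpy(dst, src, sizeof dst);
    return is_nul_terminated(dst, sizeof dst);
}

/* Defensive replacement: copy at most dst_len-1 bytes and always terminate.
   Returns true if the whole string fit, false if it was truncated, so the
   caller can decide whether truncation is acceptable. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return false;
    size_t src_len = strlen(src);
    size_t n = src_len < dst_len - 1 ? src_len : dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len < dst_len;
}
```

`strncpy_overflows` is the check a semantic analyzer has to perform: it needs the destination's true size and the origin of `n`, neither of which a regular-expression rule over the source text can see. `copy_bounded` is the shape of copy that makes both pitfalls impossible by construction.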