- 1 PROJECT: Integrating OWASP tools into the SWAMP program for retroactive quality assurance
- 1.1 What is SWAMP (Software Assurance Market Place)?
- 1.2 Mission: Make OWASP Tools part of the SWAMP
- 1.3 Phase One: Verify OWASP tools can be tested and deployed through the SWAMP
- 1.4 Phase Two: Promote the development of OWASP code analysis tools
- 1.5 Phase Three: Continuous and Retroactive automated testing through the SWAMP program
PROJECT: Integrating OWASP tools into the SWAMP program for retroactive quality assurance
What is SWAMP (Software Assurance Market Place)?
The Software Assurance Marketplace (SWAMP) is committed to bringing a transformative change to the national software assurance landscape by providing a national marketplace that provides continuous software assurance capabilities to researchers and developers. By providing Software Assurance (SWA) researchers, tool developers, tool users, and educators who train our workforce a suite of secure and dependable analysis services, SWAMP will reduce the number of vulnerabilities deployed in software. Researchers who develop new SWA tools and methodologies will use the repositories and cyber infrastructure offered by the SWAMP to improve their technologies and tools, while software developers and adopters will use the same services to hunt for vulnerabilities in their software. Educators will use these services to offer hands-on experience in SWA techniques to their students. By facilitating the sharing of tools, techniques, information, experiences, and resources, the SWAMP will:
- Help advance the quality and adoption rate of software assurance tools;
- Lower the threshold for using them; and
- Make it easier to interpret and use the resulting output.
Mission: Make OWASP Tools part of the SWAMP
The Quality Assurance project(see link on more info) within OWASP, aims to help develop OWASP tools to a higher quality standard. OWASP tools can become part of the SWAMP during this process where we aim to:
- Verify and assess flagship code/tool projects to use the SWAMP infrastructure for continuous code analysis against security vulnerabilities
- Verify that they meet the necessary requirements for proper deployment into SWAMP servers for automated assessment
- Make OWASP tools available through the SWAMP for users
- Help promote OWASP tools through the SWAMP to verify vulnerabilities in web applications’ code
- Automate the process of OWASP tools to verify Quality Assurance
Phase One: Verify OWASP tools can be tested and deployed through the SWAMP
The first objective during this phase is to verify that OWASP tools can be indeed build and deployed properly in SWAMP servers The tools to be included in this phase are OWASP candidate flagship Tools/Code written in Java, C or C++ Requirements to deploy these tools in SWAMP are
- Must work on Linux OS (Debian /Fedora/Red Hat/Scientific/Ubuntu)
- Build script written in C++/C or be able to use a simple build code such as : Configure+Make, Cmake, Make for example or a custom script in C/C++
Phase Two: Promote the development of OWASP code analysis tools
Right now SWAMP program focuses on tools that can be deployed in JAVA, C++/C in a Linux environment, however it is in their plan to extend to other languages such as PHP, .NET or Ruby on Rails. OWASP tools that focuses on Code analysis can play a big role here. In order to help these tools become part of the SWAMP program, the following steps can help with this part:
- Help develop OWASP tools to higher quality standards to be part of SWAMP code analysis tools
- Explore the possibilities to obtain grants through DHS for these tools, therefore updating the quality to become part of the SWAMP analysis tools
Phase Three: Continuous and Retroactive automated testing through the SWAMP program
Once OWASP flagship projects are ready to be deployed and eventually, those tools that can execute code analysis for other languages than the ones supported by SWAMP right now, SWAMP environment can be used to help automate most of the testing and verification of code vulnerabilities in OWASP tools. At this phase, this becomes a retroactive process where SWAMP tools are used for code analysis of OWASP tools but at the same time OWASP tools become code analysis tools of the SWAMP.
Phase one==> Starting 9 June until September/October 2014. This is linked to the QA plan: