
PROJECT: Integrating OWASP tools into the SWAMP program for retroactive quality assurance

What is SWAMP (Software Assurance Market Place)?

Researchers who develop new software assurance tools and methodologies will use the repositories and cyber infrastructure offered by the marketplace to improve their technologies and tools, while software developers and adopters will use the same services to hunt for vulnerabilities in their software. Educators will use these services to offer hands-on experience in software assurance techniques to their students. By facilitating the sharing of tools, techniques, information, experiences and resources, the Software Assurance Marketplace will:

  • Help advance the quality and adoption rate of software assurance tools;
  • Lower the threshold for using them; and
  • Make it easier to interpret and use the resulting output.

Mission: Make OWASP Tools part of the SWAMP

The Quality Assurance project within OWASP aims to help develop OWASP tools to a higher quality standard. OWASP tools can become part of the SWAMP during this process, where we aim to:

  • Verify and assess that flagship code/tool projects can use the SWAMP infrastructure for continuous code analysis for security vulnerabilities
  • Verify that they meet the requirements for deployment onto SWAMP servers for automated assessment
  • Make OWASP tools available to users through the SWAMP
  • Help promote OWASP tools through the SWAMP as a way to verify vulnerabilities in web applications' code
  • Automate the assessment of OWASP tools through the SWAMP as part of their quality assurance

Phase One: Verify OWASP tools can be tested and deployed through the SWAMP

The first objective of this phase is to verify that OWASP tools can indeed be built and deployed properly on SWAMP servers. The tools included in this phase are those written in Java, C or C++. The requirements for deploying these tools in the SWAMP are:

  • Must build and run on Linux (Debian, Fedora, Red Hat, Scientific Linux or Ubuntu)
  • Must build with a simple, scriptable build procedure, for example configure + make, CMake, or plain make, or with a custom build script
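A project can check the second requirement locally before anyone submits it to the SWAMP. The script below is an added example written for this page, not a SWAMP tool or an OWASP project's own code: it detects which of the accepted build procedures (configure + make, CMake, plain make) a source tree provides and runs the matching build. The function names and the precedence order (configure before CMake before a bare Makefile) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not SWAMP or OWASP code): pre-check that a source tree builds
# with one of the simple build procedures the SWAMP accepts, on Linux.

# check_platform: SWAMP assessments run on Linux; warn when the host is not Linux.
check_platform() {
    os=$(uname -s)
    case "$os" in
        Linux) return 0 ;;
        *) echo "warning: SWAMP assessments run on Linux; this host reports $os" >&2
           return 1 ;;
    esac
}

# detect_build_system DIR: print one of configure-make, cmake, make, none.
# Precedence (an assumption of this example): a configure script wins over
# CMakeLists.txt, which wins over a bare Makefile.
detect_build_system() {
    dir=$1
    if [ -f "$dir/configure" ]; then
        echo configure-make
    elif [ -f "$dir/CMakeLists.txt" ]; then
        echo cmake
    elif [ -f "$dir/Makefile" ] || [ -f "$dir/makefile" ] || [ -f "$dir/GNUmakefile" ]; then
        echo make
    else
        echo none
    fi
}

# build_tree DIR: run the detected build procedure inside DIR.
# Returns non-zero when no supported procedure is found or the build fails,
# which is the signal that the tool is not yet ready for automated assessment.
build_tree() {
    dir=$1
    case "$(detect_build_system "$dir")" in
        configure-make)
            # sh ./configure also works when the checkout lost the executable bit
            (cd "$dir" && sh ./configure && make) ;;
        cmake)
            # out-of-tree build keeps the source directory clean for the analysers
            mkdir -p "$dir/build" && (cd "$dir/build" && cmake .. && make) ;;
        make)
            (cd "$dir" && make) ;;
        *)
            echo "no supported build procedure in $dir (need configure, CMakeLists.txt or Makefile)" >&2
            return 1 ;;
    esac
}

# Usage: sh swamp_precheck.sh path/to/tool-source
if [ $# -gt 0 ]; then
    check_platform || true
    build_tree "$1"
fi
```

A tool that needs anything beyond these procedures (environment-specific scripts, downloads during the build, a GUI step) will fail this check, and that failure is exactly what Phase One is meant to surface before the tool reaches the SWAMP servers.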

Phase Two: Promote the development of OWASP code analysis tools

At present the SWAMP program focuses on tools that analyze Java and C/C++ code in a Linux environment; its plan is to extend to other languages such as PHP, .NET and Ruby on Rails. OWASP tools that perform code analysis can play a big role here. The following steps can help these tools become part of the SWAMP program:

  • Help develop OWASP tools to higher quality standards so they can be included among the SWAMP code analysis tools
  • Explore the possibility of obtaining DHS grants for these tools, so that their quality can be raised to the level required of SWAMP analysis tools

Phase Three: Continuous and Retroactive automated testing through the SWAMP program

Once OWASP flagship projects are ready to be deployed in the SWAMP, and eventually the OWASP tools that analyze code in languages the SWAMP does not yet support, the SWAMP environment can be used to automate most of the testing and verification of code vulnerabilities in OWASP tools. At this phase the process becomes reciprocal (the "retroactive" quality assurance of the project title): SWAMP tools perform code analysis on OWASP tools, while at the same time OWASP tools become code analysis tools offered by the SWAMP.