Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing 67
cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.
Re:No thanks. (Score:4, Insightful)
Looks good to me (Score:4, Insightful)
WTF? (Score:4, Insightful)
Do the DHS seriously believe they have any credibility in this area?
At this point, I assume if they find any exploits they'll keep them secret and use them themselves.
Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.
Re:Looks good to me (Score:2, Insightful)
What a shame they have no credibility with the people that would benefit from this.
Re:Made by humans for humans. (Score:4, Insightful)
Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally. I understand the benefits of keeping statistics as code improves, etc. but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.
Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.