Security Software

Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing

cold fjord (826450) writes with an excerpt from ZDNet: At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite.

I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.
  • Re:No thanks. (Score:4, Insightful)

    by jfdavis668 ( 1414919 ) on Tuesday July 29, 2014 @10:22AM (#47557169)
    If your system is open source, they can just go get your code. It would still be useful if they point out your problems.
  • Looks good to me (Score:4, Insightful)

    by Mostly a lurker ( 634878 ) on Tuesday July 29, 2014 @10:22AM (#47557175)
    The knee-jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.
  • WTF? (Score:4, Insightful)

    by gstoddart ( 321705 ) on Tuesday July 29, 2014 @10:26AM (#47557209) Homepage

    Do the DHS seriously believe they have any credibility in this area?

    At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

    Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.

  • by Anonymous Coward on Tuesday July 29, 2014 @10:27AM (#47557221)

    What a shame they have no credibility with the people that would benefit from this.

  • by Actually, I do RTFA ( 1058596 ) on Tuesday July 29, 2014 @12:49PM (#47558621)

    Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally? I understand the benefits of keeping statistics as code improves, etc. but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.

    Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.
