Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing 67
cold fjord (826450) writes with an excerpt from ZDNet: At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.
Re:No thanks. (Score:4, Insightful)
Re: (Score:2)
No thanks (Score:1, Troll)
The NSA is already proactively doing this for me.
how about no (Score:1)
I trust the DHS as much as I trust the NSA.
Looks good to me (Score:4, Insightful)
Re: (Score:2, Insightful)
What a shame they have no credibility with the people that would benefit from this.
Re: (Score:2)
Or with anyone not benefiting directly from their vendor base's campaign contributions to your congresscritters.
Oh, and the FNC audience.
Re: (Score:3)
Re: (Score:3)
CERT had some pretty big credibility.
FTFY
Re: (Score:3)
Actually, my first thought is why isn't the NSA doing this?
Securing our nation's information infrastructure is one of their core missions (along with spying on OTHER nations, which I also think they should be doing, instead of spying on US). They have the talent to be able to do it effectively.
Re: (Score:2)
Actually, my first thought was that they are, and that they're calling their initiative SWAMP Thing. Perhaps you missed the stories of agencies performing the tasks that others cannot and then "sharing" their data?
Re: (Score:2)
I had a feeling someone would say something like this...
According to TFS, the program is for open source code. You know, the code that is already open and scannable by a web crawler. If the NSA wanted to do this for nefarious purposes (and I'm sure they do), they would have (and probably have) started their own program years ago. They don't need you to upload your open source project for them.
I'm willing to bet the NSA has all the closed-source software source they want as well. I doubt my company's shitt
Re: (Score:2)
Have you ever tried to write a Webcrawler that will crawl the internet and differentiate code from everything else there,
Re: (Score:2)
Because "be able to attack others" always winds up being a higher priority than "keep others from attacking us" in a dual-mission agency. It goes along with "the best defense is a good offense" and such mindsets, and it sounds cooler when you're selling your budget to the oversight committee.
Re: (Score:2)
I almost don't feel sorry for the people stupid enough to fall for this scam.
Re: (Score:3)
The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.
Barely. If you look at what they're offering [continuousassurance.org] it's FindBugs, clang, gcc, and cppcheck. Completely bog-standard tools that anyone should be using anyway, but they're being paid $23M taxpayer dollars for it. Shee-it, I could do the same thing with $10K to cover the cost of renting some EC2 space, and I'll spend the remaining $22.99M on coke and hookers (seriously, how can they have spent $23M on this? One person could set it up in a few hours, the only constraint is how many VMs you need to spin up if lots
Re: (Score:1)
It saves the government money to consolidate the checking to one place. Otherwise every department would need to do the checking themselves.
By doing this continuously you end up with releases which are free of known errors.
Re: (Score:2)
By doing this continuously you end up with releases which are free of known errors.
Weeellll... you end up with something that's been run through gcc -wall, which is a long way from "free of known errors". Now admittedly "free of known errors" is a nice circular definition meaning "free of things gcc warns about", but even then it's not necessarily the case, there's plenty of code that ships with avalanches of warnings when you build it, but no-one's bothered fixing it up.
At best, you get something that doesn't produce warnings in gcc and clang. At worst you get code that hasn't been chan
Re: (Score:1)
Actually you get something that has passed several different analyses.
Silencing "gcc -Wall" is a good thing. Modern gcc versions catch lots of errors. Add to that clang static analysis and others you get pretty reasonable error detection which is what they are aiming for.
No Windows or C# support yet (Score:3)
It's a neat project covering C, C++, and Java and a little Objective C and Javascript, but it doesn't cover C# or Windows yet. (https://continuousassurance.org/tool-selection/)
Unfortunately, in my world C#/Windows is where a lot of the business-facing open source action is, especially with the advent of NuGet.
For widely used open source, great. I'll use it. (Score:3)
When I write open source software in C, and expect it to be widely distributed, I may use the service.
I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly. If NSA or someone reacts to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.
typos (Score:1)
When I write open source software in C, and expect it to be widely distributed, I may use the service.
I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly secret. If NSA or someone wants to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.
Re: (Score:2)
I think it's probably a good idea to do this to your code even if you don't plan on widely distributing it. It can help identify errors in your coding style/skillset. And you know what they say about a stitch in time...
For widely used open source, great. I'll use it. (Score:1)
WTF? (Score:4, Insightful)
Do the DHS seriously believe they have any credibility in this area?
At this point, I assume if they find any exploits they'll keep them secret and use them themselves.
Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.
Re: (Score:1)
At this point, I assume if they find any exploits they'll keep them secret and use them themselves.
Huh? If it is about open source, they can just download any project and still do that. As a matter of fact, harvesting open source software for vulnerabilities is something which agencies like NSA do all the time.
Re: (Score:2)
I'm not sure why you're conflating your understandable disgust over the current state of copyright litigation in the US with issues related to code integrity. There's not exactly a lot of common ground there.
Now if you had mentioned DHS' cozy relationship with the NSA - an organization that most of us expect is actively subverting both code and the standards we rely on - that would make more sense.
Really! (Score:1)
Soon it will be illegal to use open source unless it is verified by DHS.
What they're not telling you (Score:3)
What DHS isn't telling you is that they're secretly submitting anything given to them via SWAMP to a secret NSA partner program known as SHREK (Security Holes for Recapturing Encryption Keys) and the FBI's version of the same program, known as DONKEY (Domestic Onion-Router Key Capture) which will attempt to overthrow the TOR project.
The real question is, what is anyone doing putting their code in the SWAMP?
Re: (Score:2)
That would be DONKEY Capture, actually.
QA (Score:4)
Re: (Score:2)
I agree. I try to help out by reporting issues that I run into, but I can't do this fulltime since I already have a paying SQA job. ;)
QA (Score:1)
Coverity (Score:4, Interesting)
Re: (Score:2)
1) Create a program, and call it SWAMP
2) Look for problems in the code that is sure to be buggy, as competent developers would never submit code
3) Announce that OMFG, Open Source is full of holes!
4) Watch more people stay with Windows due to the misinformation
5) Power Profit
Look Ma! No ???? step!
What exactly stops them from gathering their own FOSS software? See step 2.
Re: (Score:1)
This is just another tool like Coverity, funded by the .gov. There's nothing wrong with it. And competent developers *will* submit code, because competent developers realize that no matter how competent you are and how much you focus on writing correct code, mistakes are inevitable and static analysis tools help mitigate the risk of those mistakes. Competent developers are already using Coverity, and they'll probably sign up for this as well in hopes that there is some non-overlap in the bugs the two sit
Re: (Score:2)
Sorry to break it to you, but Coverity's free-open source scanning was originally funded by the DHS [coverity.com]. :-)
After the DHS grant expired in 2009, Coverity continued the service pro bono.
This new program seems like a step back, though. Now, if the DHS was instead investing in improving the open-source tools, it would make sense.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
what a gift! (Score:1)
Made by humans for humans. (Score:2)
Re:Made by humans for humans. (Score:4, Insightful)
Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally. I understand the benefits of keeping statistics as code improves, etc. but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.
Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.
Re: (Score:1)
Made by humans for humans. (Score:1)
DHS is many different agencies - Coast Guard, FEMA (Score:2)
> Seems the left hand doesn't know what the right hand is doing, or wants!
DHS includes a LOT of hands that don't know what the others are doing. This is a high-level overview of a few of the major sections within DHS:
http://www.dhs.gov/xlibrary/as... [dhs.gov]
You'll notice it includes agencies as diverse as the Coast Guard, FEMA, health stuff ...
The $60 billion budget for all of the different agencies within DHS is 10% of the total non-defense operational budget of the entire government. So anything the governme
Okay (Score:2)
DHS sucks balls (Score:2)
No new tools. Low-budget operation (Score:4, Informative)
All they're offering are some existing tools [continuousassurance.org], ones you can get for free. The main ones are the Clang static analyzer [llvm.org] and Cppcheck [sourceforge.net]. They're not offering free access to some of the better, and expensive, commercial tools.
Cppcheck is basically a list of common errors, expressed as rules with regular expressions. Clang is a little more advanced, but it's still looking for a short list of local bugs. [llvm.org] Neither will detect all, or even most, buffer overflows. They'll detect the use of "strcpy", but not a wrong size to "strncpy".
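The point made here (a checker flags the `strcpy` call but not a wrong bound passed to `strncpy`) and the earlier remark that a build silenced under `gcc -Wall` is not "free of known errors" both come down to the same thing: the copy can be mis-bounded or left unterminated while looking perfectly ordinary. The following is an added example, not code from SWAMP, the thread, or any of the tools it names; the 8-byte field, the 16-byte frame with a canary region and the 15-byte input are all constructed so the effect can be observed in-bounds. It shows the wrong-bound call, the correctly bounded but unterminated call, and a bounded copy that always terminates and reports truncation.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not SWAMP's code nor from the thread): the strncpy
 * failure modes a pattern-matching checker misses. Capacity, frame
 * layout and the canary region are constructed for the demonstration. */

#define DST_CAP 8          /* intended size of the destination field */
#define FRAME_SIZE 16      /* dst field followed by an 8-byte canary */

/* Wrong bound: the limit is taken from the *source*, so strncpy behaves
 * exactly like strcpy. Returns how many canary bytes past the 8-byte
 * field were clobbered, or -1 if src would not fit the whole frame
 * (the guard keeps the demonstration itself within bounds). */
int wrong_bound_overrun(const char *src)
{
    char frame[FRAME_SIZE];
    size_t n = strlen(src);
    int clobbered = 0;
    if (n > sizeof frame)
        return -1;
    memset(frame, 'C', sizeof frame);          /* canary fills the frame */
    strncpy(frame, src, n);                    /* BUG: bound == strlen(src) */
    for (size_t i = DST_CAP; i < sizeof frame; i++)
        if (frame[i] != 'C')
            clobbered++;
    return clobbered;
}

/* Right bound, still wrong: when src has DST_CAP or more characters,
 * strncpy writes no terminator at all. Returns 1 if dst ended up
 * NUL-terminated, 0 otherwise. */
int right_bound_terminated(const char *src)
{
    char dst[DST_CAP];
    strncpy(dst, src, sizeof dst);             /* bound is correct ... */
    return dst[sizeof dst - 1] == '\0';        /* ... termination is not guaranteed */
}

/* Bounded copy that always terminates and tells the caller when it had
 * to truncate. Returns 1 if truncated, 0 if the whole string fit. */
int safe_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;
    if (cap == 0)
        return 1;
    if (n >= cap) {
        n = cap - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void)
{
    const char *input = "overflowingtext";   /* constructed 15-byte input */
    char out[DST_CAP];
    int truncated;
    printf("wrong bound: %d canary bytes overwritten\n", wrong_bound_overrun(input));
    printf("right bound: terminated=%d\n", right_bound_terminated(input));
    truncated = safe_copy(out, sizeof out, input);
    printf("safe_copy: truncated=%d result=\"%s\"\n", truncated, out);
    return 0;
}
```

The first two functions are the patterns a reviewer or a tool should flag; the third is the shape to standardise on. A rule that only matches the function name `strcpy` is satisfied by all three, which is the limitation the comment describes.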
No new tools. Low-budget operation (Score:1)
Metadata (Score:1)
Maybe A Different Tactic? (Score:2)