The Homeland Security Department has the Car Wash and now the SWAMP to clean agencies’ software of cybersecurity dirt. The Software Assurance Marketplace (SWAMP) is the latest effort to improve the quality and reliability of apps running on agency networks.
“We’re really looking at software analysis tools and in particular static and dynamic analysis tools, so we are funding work in the development of new tools for software analysis. Where the SWAMP comes in is it’s a marketplace of tool developers,” said Doug Maughan, the director of DHS’ Science and Technology Directorate’s Cybersecurity Division, in an exclusive interview with Federal News Radio. “If you think about a tool developer today, they might test their software package with one tool. They might. Not all of them do. So what we are doing in the SWAMP is providing an environment where software developers or people who are getting software from other places but would like to test it and validate it, and what is in the SWAMP are a number of tools. Some are open source. Some we have funded. We even have a number of commercial vendors who have put their commercial technologies into the SWAMP. So now I as a software developer can run my software against a large number of tools because every tool will do its analysis differently. If I run it against 10 different tools, it’s a much better analysis than if I run it against just one tool.”
He said software tool developers also benefit because the more their tool is used, the better they can hone it.
“Not only can we improve the quality of the software being written, we can now improve the quality of the tools being developed, because now I can do some analysis on tool A versus tool B versus tool C and provide that back to either the open source community or vendor and help them improve the quality of their tools,” Maughan said. DHS S&T and the Homeland Security Advanced Research Projects Agency (HSARPA) funded the creation of SWAMP by Morgridge Institutes for Research at the University of Wisconsin, Madison.
Software assurance is one of the toughest cyber problems facing the government today. The Government Accountability Office found in a 2012 report that the installation of hardware or software containing malware or simply defective code is among the biggest risks associated with the IT supply chain.
The National Institute of Standards and Technology in June issued version 2 of its supply chain risk management guidance. In Special Publication 800-161, NIST said one of several foundational practices is to ensure agencies have a robust software quality control process.
Registered users only in the SWAMP
The challenge for many agencies is finding the money and expertise necessary to set up this robust process. Maughan said that is where DHS can help with SWAMP.
“There is no cost. It’s research infrastructure that we are providing to the community for testing and evaluating software. It’s been operational for about seven months, and we are already doing on average about 700 assessments per week of software packages that are available,” he said. “We are up to about 350 registered users that are using SWAMP that are a mix of government and academia and industry, and we believe it will continue to grow as the word gets out there as people start to use it, and we will continue to improve the infrastructure to support the community.”
Maughan said DHS and its partners vet users who submit software assurance tools or those that put their apps through the SWAMP.
At the same time, he said the platform includes a security architecture that ensures the evaluation process of software titles isn’t out of the ordinary.
“We would like to think we have it orchestrated and architected well enough that if you are a bad guy trying to reverse engineer the system, we would be able to detect your behavior and be able to stop you from doing that,” he said. “As you know, nothing is perfect in security, but we have gone through the process and architecture and they are as secure as it can be.”
Maughan said S&T’s vision is that all software to be used on government networks must go through SWAMP first. He said S&T also is looking at other areas, including mobile apps and deeper supply chain threats than just software. DHS launched the Car Wash about a year ago to run mobile apps through a standard cyber oversight process. NIST also released version one of AppVet — a free, open source tool to vet mobile software.
“Can we build better tools so that the software developers are using more secure software practices in their development process?” Maughan asked. “One of the other areas we look at closely is bringing in open source tools and we also look at open source software. As the government and cost savings measures goes toward using more and more open source, how do we ensure that software is as good as it can be?”
“We try to ensure that anything DHS and the government are putting out there from an open source perspective don’t have any of these vulnerabilities,” Maughan said. “There is a really good connection between SWAMP and HOST from the standpoint of making sure whatever we fund and work at in the open source community is tied up closely to the software assurance capability as well.”
HOST is not a tool, but rather a platform that can be a repository to point the government to secure open source tools. It also can be a way to look at the processes to get open source into the government.
The third area under HOST is as an investment tool for existing or new open source projects that need a boost of security.
“I still think the government has a long way to go with respect to open source, even though you are seeing a little bit more of it,” Maughan said. “We’ve been working with an organization called GovReady, which is actually aimed at helping the government and the CIOs and CISOs be better educated on open source and its use in operational environments. That is where we are trying to take the program, to be that hub of open source in the federal government.”
Click here to listen to part 1 of Jason Miller’s interview with Doug Maughan and read the related article.