We need better tools and easier access to... tools in order to improve software security
Madison, WI (PRWEB) July 14, 2014
Secure Decisions, a leading provider of assessment tools to enhance software security, is partnering with the Software Assurance Marketplace (SWAMP) to build a powerful and publicly accessible resource to improve the software that drives everyday life.
The SWAMP, implemented by a group of four research institutions and housed in the Morgridge Institute for Research, is funded by the Department of Homeland Security (DHS) S&T to advance software security practices by building a free facility with a diverse repository of assessment tools available for public and private industry use. It is powered by an advanced computing platform that supports continuous software assurance.
“We need better tools and easier access to these tools in order to improve software security,” says Miron Livny, the Morgridge Institute chief technology officer and director of the SWAMP. “There is a growing need for a framework that supports easy integration of tools and the processing of assessment results.”
The partnership with Secure Decisions, a division of New York-based Applied Visions, Inc., adds another powerful tool to the lineup. Secure Decisions is providing a customized version of their Code Dx® product to be distributed as part of the SWAMP. Code Dx is an important visualization tool that simplifies the remediation process by correlating results from multiple tools into a central platform.
“Adding Code Dx to the SWAMP infrastructure improves the remediation process by making the testing results much easier to consume for today’s software developers and security professionals,” says Kevin Greene, program manager for the DHS Science and Technology Cyber Security Division. “It’s well known that different software analysis tools have different strengths, and the SWAMP provides easy access to all of these tools combined with a powerful analysis platform to handle code of all sizes. Code Dx provides the most effective way to analyze and act on all the data while also reducing the number of false positives that typically plague software testers.”
The stakes are very high to improve software integrity for government and industry. Most of the major cases of breached security involve attacks on compromised software applications rather than the traditional attack vector on corporate networks. For example, a major vulnerability in OpenSSL known as “Heartbleed” potentially allows attackers to steal passwords and other private information from supposedly secure website servers. This vulnerability has necessitated a massive security response across the global IT community in recent months.
As more applications are being deployed via the Internet and delivered through wireless networks, the software applications themselves are more vulnerable to attack than ever, requiring the industry to take greater interest in ensuring the application code is resilient.
Livny says one important contribution of the SWAMP will be to make all the existing tools better through an open testing environment that facilitate controlled sharing. As the SWAMP adds new assessment tools to its repository, Secure Decisions will be able to ingest the disparate outputs from these tools and make them functional within Code Dx.
“We are constantly adding support for more open source software assurance tools and programming languages in Code Dx,” says Ken Prole, Principal Investigator at Secure Decisions. “It’s essential that we continue to expand the depth and breadth of Code Dx capabilities so the SWAMP and its technologies are always on the leading edge.”
Organizations that already have in-house software security tools and procedures can add the SWAMP resource as a supplement. It will eliminate the need for companies to invest in every relevant assessment tool because SWAMP’s mission is to stay on top of the field and add new tools, Livny says.
To learn more about using SWAMP resources, contact Program Manager Patrick Beyer at 608-316-4664, pbeyer(at)continuousassurance(dot)org.