Software Assurance Marketplace (SWAMP) Increases Scope with Python Functionality and Security Scanning of Code Snippets

Share Article

Analyzing Smaller Pieces Of Code Simplifies Adding Security Testing Into The SDLC While Pylint, Bandit and Flake8 Static Analysis Tools Enable Python Software Security Testing

Logo for Software Assurance Marketplace

As application attacks increase in number and severity, all computer science graduates will need to learn how to design secure software

The Software Assurance Marketplace (SWAMP), a high performance computing platform designed to reduce the cost and complexity challenges of software assurance testing, today announced that software written in Python, one of the most popular programming languages (1), can now be scanned for security weaknesses in the SWAMP at no cost. The Pylint, Bandit and Flake8 static analysis tools have also been added to the SWAMP, enabling Python source code to be tested for vulnerabilities in addition to the testing capabilities already built into the SWAMP for C/C++, Java source and Java bytecode software. Furthermore, the SWAMP has simplified building security into the Software Development Life Cycle (SDLC) by offering the user a no compile option for executing assessments in the SWAMP. As a result, the SWAMP’s powerful cloud platform encourages the adoption of software assurance best practices by providing an extensive array of software security testing tools, a comprehensive integrated results viewer that collates the weaknesses found by all supported tools, and 400 software packages with known vulnerabilities to help tool developers improve their software assurance tools.

“As the numbers of software applications on the web have exponentially increased, they have become the prime attack vector for today’s organized crime organizations; however, despite this reality, the majority of security investments are still being made at the infrastructure and network security level,” said SWAMP Product Manager Patrick Beyer. “Although protecting the network and the host layers is still important, these types of controls provide nearly zero protection against application attacks. Security professionals understand that the biggest problem in computer security is a software security issue. What’s needed is more secure software, NOT more security software; however, getting to that point requires a significant change in how organizations approach security today.”

Making software more secure must be done quickly, because vulnerabilities are increasing. According to the OpenSecurityFoundation, there were 2,164 incidents reported in 2013 that exposed 822 million records with 27 of those incidents exposing more than one million records (2.) According to the National Vulnerability Database – the de facto repository of standards-based vulnerability management data for open-source and commercial software – 7,937 vulnerabilities were reported in 2014, which is 2,000 more vulnerabilities than reported in 2013 (3)! David Rice, a former cryptographer for the Navy and National Security Agency (NSA) and also the author of “Geekonomics: The Real Cost of Insecure Software,” says that the total economic cost of security flaws in software is around $180 billion U.S. dollars a year (as reported by Forbes.com.) (4)

“Clearly, the need for building more secure applications is a vital survival mechanism that must be addressed to preserve our digital way of life,” Beyer added. “Statistics like these are exactly why DHS created the SWAMP to strongly encourage the adoption of software assurance capabilities in the industry. To stay ahead of the sophistication demonstrated by today’s organized crime organizations, the SWAMP will continue to grow in its capabilities, and adding Python, a popular high-level programming language, along with the Pylint, Bandit and Flake8 Python static analysis tools, makes the SWAMP an even more critical weapon in today’s software security battle.”

Python's unique blend of simplicity and power excels in a wide range of software development tasks, including the construction of web applications, complex integrated business solutions, and large desktop applications. Its high-level programming also enables programmers to use natural language elements which are usually easier to use and can automate or entirely hide significant areas of computing systems, making the process of developing a program simpler and more understandable relative to a lower-level programming language.

In fact, Python already serves as the basis of many mission-critical applications such as Google, The New York Stock Exchange, CERN, Mozilla, YouTube, Yahoo! and NASA .(5) According to the Coverity Software Integrity Rating system, an objective code rating standard that also began as a Department of Homeland Security project in 2008, Python was given the highest quality level possible, because it has no high-impact defects, and compared to 99 percent of all other open-source software projects analyzed, the high quality of the Python code far outpaced that of like-sized commercial offerings. (6) In addition to Python, the SWAMP can also assess programs written in Java and C/C++ and supports nine Unix/Linux-based platforms. Support for PHP and C#, as well as Android, Macintosh, and Windows platforms, will be added to the SWAMP shortly.

The SWAMP incorporated the Pylint, Bandit and Flake8 static analysis tools into its online toolbox to enable software developers to locate flaws or weaknesses in Python applications. Pylint, a source code bug and quality checker that looks for programming errors and helps to enforce coding standards, is a free software tool distributed under the GNU Public License. (7) Bandit is a product of the OpenStack Security Group and provides a framework for performing security analysis of Python source code applications by utilizing the ast module from the Python standard library. (8) This allows users to define custom tests for Python syntax nodes. Flake8 is a Python static analysis tool that incorporates the pep8 and PyFlakes static analysis tools to further assess Python code for weaknesses. Pep8 validates Python code for conformance to the PEP 8 style guide written by the Python Software Foundation, widely considered to be the best-practice handbook for the installation, configuration and usage of Python in the industry. (9) The PyFlakes tool can quickly check logical errors in Python source code, because it does not have to execute the modules to check them.

Pylint, Bandit and Flake8 complement the open-source static analysis tools already implemented in the SWAMP which include FindBugs, PMD, Cppcheck, Clang and Clang Static Analyzer, GCC, Google’s error-prone, and Checkstyle. The SWAMP also recently announced partnerships with Veracode, Parasoft, Red Lizard and GrammaTech, which will result in these commercial software security tools being added to the SWAMP. Static analysis tools look directly at the source code to analyze its structure and to discover security vulnerabilities. Tools like these are used by the U.S. Food and Drug Administration (FDA) to test software that runs medical devices.(10)

The SWAMP has also simplified the ability for developers to test smaller snippets of software by removing the need to build applications prior to testing. As a result, it is easier to build security into the process of building the application, called the Software Development Life Cycle (SDLC). In the past, application security was not looked at until after an application was built. By adding security into the SDLC process, the SWAMP can be used to provide vulnerability data as the application is being built, enabling developers to assess and fix code continuously throughout the SDLC. Performing continuous Software Assurance in this manner is critical to match the increasingly fast pace of development resulting from new Agile development methodologies which deliver smaller and more rapid code changes.

“In addition to being able to build security into an application throughout its life cycle, being able to test smaller snippets of code makes the SWAMP an excellent resource for today’s educators to be able to teach their students secure coding practices,” Beyer said. “It’s an unfortunately reality that most computer science graduates never learn this skill, but as application attacks increase in number and severity, all computer science graduates will need to learn how to design secure software.”

Providing today’s educators with the resources to teach their students the skills needed to navigate in a software-driven society is another step forward in fulfilling the SWAMP’s vision to transform the software ecosystem through better software assurance. From learning how to write more secure code to discovering and mitigating software application vulnerabilities, the SWAMP is a no-cost resource that both high school and college educators are starting to use to help today’s students learn more about software security. The SWAMP has a dedicated team created specifically to work with educators. Educators are encouraged to contact SWAMP staff at swamp(AT)continuousassurance.org for specific guidance on how to incorporate the SWAMP into their curricula.

Hosted at the Morgridge Institute for Research in Madison, Wisconsin, the SWAMP is run by the Morgridge Institute for Research and three academic institutions with a team that offers deep expertise in software assurance, security, open-source software development, national distributed facilities, and identity management. A state-of-the-art, secure facility with 700 cores, 5 TB of RAM, and 100 TB of HDD, the SWAMP uses advanced networking capabilities to meet the continuous assurance needs of multiple software and tool development projects.

ABOUT THE SWAMP
The SWAMP (Software Assurance Marketplace) is a Department of Homeland Security-funded facility designed to reduce the cost and complexity challenges of software assurance testing. The SWAMP consists of a no-cost security testing platform that offers high throughput computing services combined with a comprehensive array of software security testing tools. The SWAMP also includes a broad library of open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. All SWAMP activities performed by users are confidential, although sharing is encouraged to create a collaborative platform for innovation. The SWAMP was funded to advance cybersecurity, protect critical infrastructures, and improve the reliability of the open-source software used extensively throughout the software community. The SWAMP is a joint project run by the Morgridge Institute for Research in Madison, Wisconsin; Indiana University; the University of Illinois at Urbana-Champaign; and the University of Wisconsin-Madison. For more information, please contact the SWAMP at http://www.continuousassurance.org.

Footnotes:

1.    Published on Inferno Development on 2/18/11 at infernodevelopment.com/python-becoming-most-popular-programming-language
2.    Published in February of 2014 by Risk Based Security in “An Executive’s Guide to 2013 Data Breach Trends,” at riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf
3.    Pulled from the National Vulnerability Database table at web.nvd.nist.gov/view/vuln/statistics-results?adv_search=true&cves=on
4.    Published by Forbes Magazine on 6/26/2008 at forbes.com/2008/06/26/rice-cyber-security-tech-security-cx_ag_0626rice.html
5.    Wikipedia names Google, Yahoo!, CERN and NASA as organizations that use Python at en.wikipedia.org/wiki/Python_(programming_language,) Roan Hidayat’s blog says that the New York Stock Exchange uses Python at https://rhdblog.wordpress.com/2007/07/02/the-new-york-stock-exchange-nyse-and-python/ and Coverity names Mozilla and YouTube as Python users at coverity.com/press-releases/coverity-finds-python-sets-new-level-of-quality-for-open-source-software/
6.    Coverity announced that “the 2012 Scan Report found an average defect density of .69 for open source software projects that leverage the Coverity Scan service, as compared to the accepted industry standard defect density for good quality software of 1.0. Python’s defect density of .005 significantly surpasses this standard, and introduces a new level of quality for open source software” at coverity.com/press-releases/coverity-finds-python-sets-new-level-of-quality-for-open-source-software/ and announced that “compared to 99% of all software projects, Python has (an) extremely low defect density which reflects their commitment to quality” at http://www.coverity.com/search-results/?q=%2C+the+high+quality+of+the+Python+code+far+outpaced+that+of+like-sized+commercial+offerings&sa=Submit.]
7.    Published by the Python Software Foundation at pypi.python.org/pypi/pylint
8.    Published on the Bandit Wiki at wiki.openstack.org/wiki/Security/Projects/BanditPublished at docs.python-guide.org/en/latest/
9.    The Pep8 Style Guide is published by the Python Software Foundation at python.org/dev/peps/pep-0008/#introduction
10.    FDA regulatory guidance says that “software testing is one of many verification activities intended to confirm that software development output meets its input requirements. Other verification activities include various static and dynamic analyses, code and document inspections, walkthroughs, and other techniques” which is published on the FDA website at fda.gov/RegulatoryInformation/Guidances/ucm085281.htm#_Toc51723

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Robin Lutchansky

Allyson Miller
Follow us on
Visit website