[Owasp-board] SWAMP - online resouce for OWASP projects

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 1 11:02:35 UTC 2014

Hi Irene

Here some main questions regarding  the SWAMP:

   - What exactly  is the SWAMP?
   - Who owns the SWAMP?
   - What kind of Static analysis code tools can be used in the SWAMP?
   - What kind of programming languages and OS are supported? (what will be
   supported in the future?)
   - Can anyone get an account?
   - Are the projects uploaded available to the public or do I have an
   option to set them private?
   - How does the SWAMP compare to other services like Coverity?



On Tue, Aug 26, 2014 at 2:09 PM, Landrum, Irene <
ILandrum at continuousassurance.org> wrote:

>  Hi Johanna,
>  This is very helpful.  Thank you for your input!  Please send us your
> questions and we will gladly answer them and create the FAQ with the
> hyperlink.
>  Please let me know if we can help with anything else.
>  Thanks,
>  Irene
>   From: johanna curiel curiel <johanna.curiel at owasp.org>
> Date: Tuesday, August 26, 2014 at 12:30
> To: "Landrum, Irene" <ILandrum at continuousassurance.org>
> Cc: OWASP Board List <owasp-board at lists.owasp.org>, "Beyer, Patrick" <
> PBeyer at continuousassurance.org>, Miron Livny <miron at cs.wisc.edu>, Barton
> Miller <bart at cs.wisc.edu>
> Subject: Re: SWAMP - online resouce for OWASP projects
>  Hi Irene,
>  I think once some other programming languages and features are added,it
> will help us even better with our internal review process.
>  I like the simplicity of it, the interface is very easy to learn, and
> most Java projects are quite easy to configure(especially the ones using
> maven builds), so I 'll keep on using it for this purpose. Also some of our
> C++ projects are also easy to configure and test here. For example one of
> my tests involves if the source code builds, as you can see, some projects
> have many different ways of building , some are not easy to configure for
> the Swap, like OWASP ZAP, but other ones are very smooth, like CRSFguard.
>  For me personally the challenge has been to be able to configure
> correctly some projects. Thank you for your help with the last
> configurations and helping me understand the platform much better.
>  I will be adding more projects into it, which require review.
>  Maybe we could work out some faq section with regards the swap. I
> think there are many project leaders that still do not understand the
> benefits and features of the platform. If I create this faq, could you
> answer the questions? I think this will make it more clear to them.
>  We could then create a hyperlink from the online resources section to
> a faq section.
>  Regards
> Johanna
> On Tuesday, August 26, 2014, Landrum, Irene <
> ILandrum at continuousassurance.org> wrote:
>>  Dear Johanna,
>> Thank you for the effort to collect this thoughtful input from the
>> leaders of the OWASP projects. We very much appreciate your effort and find
>> their comments very valuable as we continue to enhance and expand the
>> services offered by the SWAMP. Given that OWASP and SWAMP have a common
>> goal to improve the security of deployed software, the mutual commitment of
>> OWASP and SWAMP to open source software and the shared background of OWASP
>> and SWAMP as non-for-profit organizations, we need your feedback and will
>> continue to do our best to make the SWAMP a valuable resource to OWASP
>> software development projects.
>> Coverity is providing a valuable service to the open source community and
>> we are pleased to hear that OWASP projects are taking advantage of these
>> services. As you may know, Coverity started as a DHS sponsored project just
>> like the SWAMP. Some of us have been using Coverity for years to perform
>> daily assessments of one of our widely deployed open source projects. If
>> the OWASP project using scan.coverity does not see the value of using other
>> tools to augment the capabilities of Coverity, there is nothing the SWAMP
>> can offer such a project at this point in time. We hope that in the future
>> we will find a way to integrate Coverity into the SWAMP framework.
>> One of our objectives is to enable software projects to continuously
>> apply a family of tools throughout the life cycle of the software. The
>> SWAMP provides an infrastructure for a developer or security analyst to
>> continuously analyze a software package on multiple platforms
>> against multiple tools and view those assessment results in an integrated
>> interactive results viewer.  We offer a collection of tools and provide the
>> automation to run these tools against a software package and get an
>> integrated result. If a developer is using one tool, no matter whether it
>> is open source or commercial, the developer is limited to its particular
>> capabilities. The (growing) suite of tools that the SWAMP offers allows for
>> more comprehensive assessments of software. We will be happy to talk to
>> OWASP developers who are interested in using multiple tools.
>> While the publically available tools in the SWAMP are all open source, we
>> are in the process of incorporating several commercial tools into the
>> SWAMP. Some of these commercial tools will become available to the open
>> source community by the end of 2014.   As such, a developer will have
>> access to assessment results from both commercial and open source tools
>> integrated into one resource with access to an integrated results viewer
>> that will give the developer the capability to view tools weakness reports
>> side by side with integrated CWE data. We are hoping to have more
>> commercial tool vendors work out licensing agreements with the SWAMP that
>> will allow their use by open source developers, software assurance
>> researchers and educators.
>> As you know, tools are sensitive to the settings and options used when
>> they are run. Often, large false positive rates can be caused by improper
>> use of these settings.  The SWAMP team has worked to provide what we
>> believe is the most effective collection of settings, freeing the developer
>> from needing to understand the subtleties of each tool. Our team is also
>> available to discuss these settings with OWASP project leaders.
>> We also believe that the problem of many false positive findings can be
>> addressed by using these tools in the early stages (as early as possible)
>> of the project. This way, the project can establish a “base line” of
>> possible software defects and make sure through continuous assurance that
>> no new such possible findings are added as new code is added, replaced or
>> modified.
>> For developers that are using IDEs, we plan to shortly offer plugins that
>> will deliver software directly from the local development environment to
>> the SWAMP for assessment. We are also working on full integration of the
>> SWAMP with GitHub. Any information you can provide us to guide which IDEs
>> to support and how best to integrate the SWAMP with these IDEs will be most
>> welcome.
>>  All the major commercial tools monitor a program’s build (sometimes
>> referred to as compile) to determine how the tool should be applied. When
>> you run the tool, it is performing a build (compile) at that moment. The
>> SWAMP uses the same identical techniques as those used by the well-known
>> commercial tools. In fact, we are making our implementation of this
>> technology for monitoring a build (compile) available as an open source
>> software package to allow smaller tool groups to have the same advantages
>> as the established companies. Several groups are already testing beta
>> versions of this build (compile) monitoring package.
>> We recognize that getting software to compile in the SWAMP is an
>> additional step and thus introduces additional effort for the programmer.
>> We are more than happy to help programmers (as we recently demonstrated
>> with your projects) to assist developers with this step. Once the software
>> compiles in the SWAMP, the programmer has access to all the tools in our
>> repository and can easily share assessment results with other developers or
>> users of the software. Building the software in a different environment
>> also helps to identify dependencies and to enhance portability.
>> One of the main goals of SWAMP is to provide an open marketplace of
>> software packages and analysis tools, with the ability to share packages,
>> tools, and expertise with the entire software community.  Tool
>> developers can add their own tools to the SWAMP, test their tools against
>> public packages with known vulnerabilities, and view the results.  The
>> ultimate goal of the SWAMP is to promote continuous assurance practices and
>> to make it easier for the software community to adopt continuous assurance
>> practices.  We do this by providing the infrastructure at no-cost
>> and encouraging continuous software analysis with a growing number of tools
>> that complement the capabilities of each other.  We are looking forward to
>> continuing the dialogue with the OWASP community on ways to promote
>> continuous assurance practices and other joint activities that will
>> maximize our impact on the open source community.
>>  Thanks,
>>  Irene
>>  *Irene Landrum*
>>  *SWAMP Project*
>>  *Morgridge Institute for Research*
>> 330 North Orchard Street
>> Madison WI 53715
>>  *Email:* ilandrum at morgridge.org
>>  *Office:*  608.316.4114
>> *Cell:*      608.381.2608
>>  http://discovery.wisc.edu/morgridge/
>>  www.continuousassurance.org
>>   From: johanna curiel curiel <johanna.curiel at owasp.org>
>> Date: Thursday, August 21, 2014 at 9:52
>> To: "Landrum, Irene" <ILandrum at continuousassurance.org>
>> Cc: OWASP Board List <owasp-board at lists.owasp.org>
>> Subject: SWAMP - online resouce for OWASP projects
>>   Hi Irene,
>>  In our wiki page , we have a tab describing available resources to
>> improve the code of projects
>> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Online_Resources
>>  I have set a hyperlink to the SWAMP website. Let me know if you would
>> like to have another description beside the one I have added.
>>  Regards
>>  Johanna
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140901/c9f416d8/attachment-0001.html>

More information about the Owasp-board mailing list