[Owasp-board] SWAMP - online resource for OWASP projects
johanna curiel curiel
johanna.curiel at owasp.org
Mon Sep 1 11:02:35 UTC 2014
Here are some main questions regarding the SWAMP:
- What exactly is the SWAMP?
- Who owns the SWAMP?
- What kind of Static analysis code tools can be used in the SWAMP?
- What kind of programming languages and OS are supported? (what will be
supported in the future?)
- Can anyone get an account?
- Are the projects uploaded available to the public or do I have an
option to set them private?
- How does the SWAMP compare to other services like Coverity?
On Tue, Aug 26, 2014 at 2:09 PM, Landrum, Irene <
ILandrum at continuousassurance.org> wrote:
> Hi Johanna,
> This is very helpful. Thank you for your input! Please send us your
> questions and we will gladly answer them and create the FAQ with the
> Please let me know if we can help with anything else.
> From: johanna curiel curiel <johanna.curiel at owasp.org>
> Date: Tuesday, August 26, 2014 at 12:30
> To: "Landrum, Irene" <ILandrum at continuousassurance.org>
> Cc: OWASP Board List <owasp-board at lists.owasp.org>, "Beyer, Patrick" <
> PBeyer at continuousassurance.org>, Miron Livny <miron at cs.wisc.edu>, Barton
> Miller <bart at cs.wisc.edu>
> Subject: Re: SWAMP - online resource for OWASP projects
> Hi Irene,
> I think once some other programming languages and features are added, it
> will help us even better with our internal review process.
> I like the simplicity of it, the interface is very easy to learn, and
> most Java projects are quite easy to configure (especially the ones using
> maven builds), so I'll keep on using it for this purpose. Also some of our
> C++ projects are also easy to configure and test here. For example one of
> my tests involves if the source code builds, as you can see, some projects
> have many different ways of building, some are not easy to configure for
> the SWAMP, like OWASP ZAP, but other ones are very smooth, like CSRFGuard.
> For me personally the challenge has been to be able to configure
> correctly some projects. Thank you for your help with the last
> configurations and helping me understand the platform much better.
> I will be adding more projects into it, which require review.
> Maybe we could work out some faq section with regard to the SWAMP. I
> think there are many project leaders that still do not understand the
> benefits and features of the platform. If I create this faq, could you
> answer the questions? I think this will make it more clear to them.
> We could then create a hyperlink from the online resources section to
> a faq section.
> On Tuesday, August 26, 2014, Landrum, Irene <
> ILandrum at continuousassurance.org> wrote:
>> Dear Johanna,
>> Thank you for the effort to collect this thoughtful input from the
>> leaders of the OWASP projects. We very much appreciate your effort and find
>> their comments very valuable as we continue to enhance and expand the
>> services offered by the SWAMP. Given that OWASP and SWAMP have a common
>> goal to improve the security of deployed software, the mutual commitment of
>> OWASP and SWAMP to open source software and the shared background of OWASP
>> and SWAMP as not-for-profit organizations, we need your feedback and will
>> continue to do our best to make the SWAMP a valuable resource to OWASP
>> software development projects.
>> Coverity is providing a valuable service to the open source community and
>> we are pleased to hear that OWASP projects are taking advantage of these
>> services. As you may know, Coverity started as a DHS sponsored project just
>> like the SWAMP. Some of us have been using Coverity for years to perform
>> daily assessments of one of our widely deployed open source projects. If
>> the OWASP project using scan.coverity does not see the value of using other
>> tools to augment the capabilities of Coverity, there is nothing the SWAMP
>> can offer such a project at this point in time. We hope that in the future
>> we will find a way to integrate Coverity into the SWAMP framework.
>> One of our objectives is to enable software projects to continuously
>> apply a family of tools throughout the life cycle of the software. The
>> SWAMP provides an infrastructure for a developer or security analyst to
>> continuously analyze a software package on multiple platforms
>> against multiple tools and view those assessment results in an integrated
>> interactive results viewer. We offer a collection of tools and provide the
>> automation to run these tools against a software package and get an
>> integrated result. If a developer is using one tool, no matter whether it
>> is open source or commercial, the developer is limited to its particular
>> capabilities. The (growing) suite of tools that the SWAMP offers allows for
>> more comprehensive assessments of software. We will be happy to talk to
>> OWASP developers who are interested in using multiple tools.
>> While the publicly available tools in the SWAMP are all open source, we
>> are in the process of incorporating several commercial tools into the
>> SWAMP. Some of these commercial tools will become available to the open
>> source community by the end of 2014. As such, a developer will have
>> access to assessment results from both commercial and open source tools
>> integrated into one resource with access to an integrated results viewer
>> that will give the developer the capability to view tools weakness reports
>> side by side with integrated CWE data. We are hoping to have more
>> commercial tool vendors work out licensing agreements with the SWAMP that
>> will allow their use by open source developers, software assurance
>> researchers and educators.
>> As you know, tools are sensitive to the settings and options used when
>> they are run. Often, large false positive rates can be caused by improper
>> use of these settings. The SWAMP team has worked to provide what we
>> believe is the most effective collection of settings, freeing the developer
>> from needing to understand the subtleties of each tool. Our team is also
>> available to discuss these settings with OWASP project leaders.
>> We also believe that the problem of many false positive findings can be
>> addressed by using these tools in the early stages (as early as possible)
>> of the project. This way, the project can establish a "baseline" of
>> possible software defects and make sure through continuous assurance that
>> no new such possible findings are added as new code is added, replaced or
>> For developers that are using IDEs, we plan to shortly offer plugins that
>> will deliver software directly from the local development environment to
>> the SWAMP for assessment. We are also working on full integration of the
>> SWAMP with GitHub. Any information you can provide us to guide which IDEs
>> to support and how best to integrate the SWAMP with these IDEs will be most
>> All the major commercial tools monitor a program’s build (sometimes
>> referred to as compile) to determine how the tool should be applied. When
>> you run the tool, it is performing a build (compile) at that moment. The
>> SWAMP uses the same identical techniques as those used by the well-known
>> commercial tools. In fact, we are making our implementation of this
>> technology for monitoring a build (compile) available as an open source
>> software package to allow smaller tool groups to have the same advantages
>> as the established companies. Several groups are already testing beta
>> versions of this build (compile) monitoring package.
>> We recognize that getting software to compile in the SWAMP is an
>> additional step and thus introduces additional effort for the programmer.
>> We are more than happy to help programmers (as we recently demonstrated
>> with your projects) to assist developers with this step. Once the software
>> compiles in the SWAMP, the programmer has access to all the tools in our
>> repository and can easily share assessment results with other developers or
>> users of the software. Building the software in a different environment
>> also helps to identify dependencies and to enhance portability.
>> One of the main goals of SWAMP is to provide an open marketplace of
>> software packages and analysis tools, with the ability to share packages,
>> tools, and expertise with the entire software community. Tool
>> developers can add their own tools to the SWAMP, test their tools against
>> public packages with known vulnerabilities, and view the results. The
>> ultimate goal of the SWAMP is to promote continuous assurance practices and
>> to make it easier for the software community to adopt continuous assurance
>> practices. We do this by providing the infrastructure at no cost
>> and encouraging continuous software analysis with a growing number of tools
>> that complement the capabilities of each other. We are looking forward to
>> continuing the dialogue with the OWASP community on ways to promote
>> continuous assurance practices and other joint activities that will
>> maximize our impact on the open source community.
>> *Irene Landrum*
>> *SWAMP Project*
>> *Morgridge Institute for Research*
>> 330 North Orchard Street
>> Madison WI 53715
>> *Email:* ilandrum at morgridge.org
>> *Office:* 608.316.4114
>> *Cell:* 608.381.2608
>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>> Date: Thursday, August 21, 2014 at 9:52
>> To: "Landrum, Irene" <ILandrum at continuousassurance.org>
>> Cc: OWASP Board List <owasp-board at lists.owasp.org>
>> Subject: SWAMP - online resource for OWASP projects
>> Hi Irene,
>> In our wiki page, we have a tab describing available resources to
>> improve the code of projects.
>> I have set a hyperlink to the SWAMP website. Let me know if you would
>> like to have another description beside the one I have added.