Homeland Security gets into software security

Summary: It sounds unlikely, but the Homeland Security Agency is now providing an online, open-source code-testing suite with the unlikely name of SWAMP.

PORTLAND: No, I am not making this up. At OSCon, the Department of Homeland Security (DHS), best known to you as the people checking up on you between the airport parking lot and your flight, quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP).

"Why," you ask?

Because Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code."

This is true, but the government has been using open-source software since before the phrase "open source," or even the earlier phrase, "free software," existed. Some of NASA's COSMIC free scientific code collection, for example, dates back to the 1960s, and the Veterans Affairs' Veterans Health Information Systems and Technology Architecture (VistA), the first electronic health record (EHR) system, began in the early 1980s.

During my own time at NASA in the 1980s, Linux was introduced. Soon thereafter, the first Linux supercomputer architecture, Beowulf, was created at Goddard Space Flight Center (GSFC) in 1995. More recently, in 2010, the popular open-source cloud program OpenStack got its start as a joint project between Rackspace and NASA.

So it is that government agencies have long both used and created "open-source" software. What's been missing, and what the SWAMP tries to provide, is a centralized way of checking the code for errors and security problems.

While SWAMP is funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, the University of Indiana, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project.

The SWAMP servers themselves are hosted at the Morgridge Institute in Madison, WI. At the Institute, the clustered servers are kept at a secure facility. The SWAMP cluster currently has 700 cores, 5TBs of RAM, and 100TBs of storage to meet the continuous assurance needs of multiple software and tool development projects. SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program.

These tools currently are:
