Software Assurance Marketplace (SWAMP) Increases Scope with Python Functionality and Security Scanning of Code Snippets

Madison,Wisconsin (PRWEB) March 03, 2015

The Software Assurance Marketplace (SWAMP), a high performance computing platform designed to reduce the cost and complexity challenges of software assurance testing, today announced that software written in Python, one of the most popular programming languages (1), can now be scanned for security weaknesses in the SWAMP at no cost. The Pylint, Bandit and Flake8 static analysis tools have also been added to the SWAMP, enabling Python source code to be tested for vulnerabilities in addition to the testing capabilities already built into the SWAMP for C/C++, Java source and Java bytecode software. Furthermore, the SWAMP has simplified building security into the Software Development Life Cycle (SDLC) by offering the user a no-compile option for executing assessments in the SWAMP. As a result, the SWAMP's cloud platform encourages the adoption of software assurance best practices by providing an extensive array of software security testing tools, a comprehensive integrated results viewer that collates the weaknesses found by all supported tools, and 400 software packages with known vulnerabilities to help tool developers improve their software assurance tools.

"As the numbers of software applications on the web have exponentially increased, they have become the prime attack vector for today's organized crime organizations; however, despite this reality, the majority of security investments are still being made at the infrastructure and network security level," said SWAMP Product Manager Patrick Beyer. "Although protecting the network and the host layers is still important, these types of controls provide nearly zero protection against application attacks. Security professionals understand that the biggest problem in computer security is a software security issue. What's needed is more secure software, NOT more security software; however, getting to that point requires a significant change in how organizations approach security today."

Making software more secure must be done quickly, because vulnerabilities are increasing. According to the Open Security Foundation, there were 2,164 incidents reported in 2013 that exposed 822 million records, with 27 of those incidents exposing more than one million records (2). According to the National Vulnerability Database, the de facto repository of standards-based vulnerability management data for open-source and commercial software, 7,937 vulnerabilities were reported in 2014, which is 2,000 more vulnerabilities than were reported in 2013 (3). David Rice, a former cryptographer for the Navy and National Security Agency (NSA) and also the author of Geekonomics: The Real Cost of Insecure Software, says that the total economic cost of security flaws in software is around $180 billion a year (as reported by (4)

"Clearly, the need for building more secure applications is a vital survival mechanism that must be addressed to preserve our digital way of life," Beyer added. "Statistics like these are exactly why DHS created the SWAMP to strongly encourage the adoption of software assurance capabilities in the industry. To stay ahead of the sophistication demonstrated by today's organized crime organizations, the SWAMP will continue to grow in its capabilities, and adding Python, a popular high-level programming language, along with the Pylint, Bandit and Flake8 Python static analysis tools, makes the SWAMP an even more critical weapon in today's software security battle."

Python’s unique blend of simplicity and power excels in a wide range of software development tasks, including the construction of web applications, complex integrated business solutions, and large desktop applications. Its high-level programming also enables programmers to use natural language elements which are usually easier to use and can automate or entirely hide significant areas of computing systems, making the process of developing a program simpler and more understandable relative to a lower-level programming language.

In fact, Python already serves as the basis of many mission-critical applications at Google, the New York Stock Exchange, CERN, Mozilla, YouTube, Yahoo! and NASA. (5) According to the Coverity Software Integrity Rating system, an objective code rating standard that also began as a Department of Homeland Security project in 2008, Python was given the highest quality level possible because it has no high-impact defects; compared to 99 percent of all other open-source software projects analyzed, the high quality of the Python code far outpaced that of like-sized commercial offerings. (6) In addition to Python, the SWAMP can also assess programs written in Java and C/C++ and supports nine Unix/Linux-based platforms. Support for PHP and C#, as well as Android, Macintosh, and Windows platforms, will be added to the SWAMP shortly.

The SWAMP incorporated the Pylint, Bandit and Flake8 static analysis tools into its online toolbox to enable software developers to locate flaws or weaknesses in Python applications. Pylint, a source code bug and quality checker that looks for programming errors and helps to enforce coding standards, is a free software tool distributed under the GNU Public License. (7) Bandit is a product of the OpenStack Security Group and provides a framework for performing security analysis of Python source code applications by utilizing the ast module from the Python standard library. (8) This allows users to define custom tests for Python syntax nodes. Flake8 is a Python static analysis tool that incorporates the pep8 and PyFlakes static analysis tools to further assess Python code for weaknesses. Pep8 validates Python code for conformance to the PEP 8 style guide written by the Python Software Foundation, widely considered to be the best-practice handbook for the installation, configuration and usage of Python in the industry. (9) The PyFlakes tool can quickly check logical errors in Python source code, because it does not have to execute the modules to check them.
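The paragraph above describes the technique Bandit is built on: parsing Python source with the standard-library ast module and running custom tests against individual syntax nodes. The following is an added illustration of that approach, written for this page; it is not code from Bandit, Flake8 or the SWAMP, and the test identifiers (B-EVAL, B-SHELL, B-HARDCODED) and the sample program are constructed for the example. It walks the syntax tree with an ast.NodeVisitor and reports three classic weaknesses: calls to eval()/exec(), subprocess calls made with shell=True, and string literals assigned to password-like names. Because the checker never imports or executes the code it inspects, it is safe to run over untrusted snippets, which is the same property the release attributes to PyFlakes.

```python
"""Added example: a minimal Bandit-style checker built on the ast module.

Not part of Bandit, Flake8 or the SWAMP; test IDs and sample input are constructed.
"""
import ast


class WeaknessFinder(ast.NodeVisitor):
    """Walk a parsed module and record findings as {line, id, msg} dicts."""

    # Constructed test IDs for this example (Bandit uses its own B1xx numbering).
    DANGEROUS_BUILTINS = {"eval": "B-EVAL", "exec": "B-EXEC"}

    def __init__(self):
        self.findings = []

    def report(self, node, test_id, message):
        self.findings.append({"line": node.lineno, "id": test_id, "msg": message})

    def visit_Call(self, node):
        func = node.func
        # eval(...) / exec(...): code execution on whatever string is passed in.
        if isinstance(func, ast.Name) and func.id in self.DANGEROUS_BUILTINS:
            self.report(node, self.DANGEROUS_BUILTINS[func.id],
                        f"use of {func.id}() - arbitrary code execution if input is untrusted")
        # subprocess.<anything>(..., shell=True): command string goes through /bin/sh.
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.report(node, "B-SHELL",
                                "subprocess call with shell=True - prefer an argument list")
        self.generic_visit(node)

    def visit_Assign(self, node):
        # <something>password<something> = "literal": a credential checked into source.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and "password" in target.id.lower():
                    self.report(node, "B-HARDCODED",
                                f"possible hardcoded password in '{target.id}'")
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` (never executed) and return findings sorted by line number."""
    tree = ast.parse(source)
    finder = WeaknessFinder()
    finder.visit(tree)
    return sorted(finder.findings, key=lambda f: f["line"])


# Constructed sample snippet; line numbers matter for the findings below.
SAMPLE = "\n".join([
    "import subprocess",                          # line 1
    'DB_PASSWORD = "hunter2"',                    # line 2  -> B-HARDCODED
    "def run(cmd):",                              # line 3
    "    return subprocess.call(cmd, shell=True)",  # line 4  -> B-SHELL
    "def compute(expr):",                         # line 5
    "    return eval(expr)",                      # line 6  -> B-EVAL
])


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding['line']}: [{finding['id']}] {finding['msg']}")
```

Each visit_* method is one "test for a syntax node" in the sense the release uses: adding a new check means adding another visitor for the node type of interest, and the same parsed tree serves every check, so the cost of a scan stays linear in the size of the source.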

Pylint, Bandit and Flake8 complement the open-source static analysis tools already implemented in the SWAMP, which include FindBugs, PMD, Cppcheck, Clang and Clang Static Analyzer, GCC, Google's error-prone, and Checkstyle. The SWAMP also recently announced partnerships with Veracode, Parasoft, Red Lizard and GrammaTech, which will result in these commercial software security tools being added to the SWAMP. Static analysis tools look directly at the source code to analyze its structure and to discover security vulnerabilities. Tools like these are used by the U.S. Food and Drug Administration (FDA) to test software that runs medical devices. (10)

The SWAMP has also simplified the ability for developers to test smaller snippets of software by removing the need to build applications prior to testing. As a result, it is easier to build security into the process of building the application, called the Software Development Life Cycle (SDLC). In the past, application security was not looked at until after an application was built. By adding security into the SDLC process, the SWAMP can be used to provide vulnerability data as the application is being built, enabling developers to assess and fix code continuously throughout the SDLC. Performing continuous Software Assurance in this manner is critical to match the increasingly fast pace of development resulting from new Agile development methodologies which deliver smaller and more rapid code changes.

"In addition to being able to build security into an application throughout its life cycle, being able to test smaller snippets of code makes the SWAMP an excellent resource for today's educators to be able to teach their students secure coding practices," Beyer said. "It's an unfortunate reality that most computer science graduates never learn this skill, but as application attacks increase in number and severity, all computer science graduates will need to learn how to des
