A Collaborative Marketplace for Continuous Software Assurance

NYC OWASP Chapter – Feb. 5, 2013

A Growing Need…

Software Assurance Marketplace o Six  proposals  submi.edo Awarded  to  Morgridge  Ins:tute  for  Research  withIndiana  University,  University  of  Illinois  Urbana-­‐Champaign,  and  UW−Madison  as  subcontractors

o Offers  industry,  academia  and  government  agenciesno-­‐cost  access  to  a  secure  research  facility  withanaly>cal  and  repor>ng  capabili>es

o Will  help  the  so@ware  assurance  communityimprove  the  security  of  so@ware  used  in  the  na>on’s  cri>cal  infrastructure

Use Cases SoFware  Developers  

Upload  so@ware  packages  for  analysis  by  a  suite  of  so@ware  assurance  tools  and  view  results  via  dashboard.  

Cybersecurity  Researchers  

Review  data  on  tool  coverage  and  common  weaknesses  to  improve  standards,  educa>on  and  cer>fica>on  programs.  

SoFware  Assurance  Tool  Developers  

Upload  SWA  tools  and  evaluate  against  large  corpus  of  SW  packages  and  test  suites  with  known  weaknesses.  

So@ware  Assurance  Marketplace  

User  Communi:es  SWA  Tool  Developers  

SWA  Researchers  

SoFware  Developers   Educators  &  

Students  

Infrastructure  Operators  

Major  Deliverables  

Year  Phase   Build   Beta   Enhance   Operate  

1   2   3   4   5  

SWAMP  Opera:onal  (Version  1.0  of  CoSALab  and  Metronome)  

V3  of  CoSALab  and  Metronome  Third  SWAMP  User’s  Mee:ng  

V1  Stable  Release  of  Metronome  First  SWAMP  User’s  Mee:ng  

V2  of  CoSALab  and  Metronome  Second  SWAMP  User’s  Mee:ng  

Fourth  SWAMP  User’s  Mee:ng  

Final  Metronome  Release  

Feb.  2,  2014  Oct.  1,  2012  

Oct.  1,  2013  

Date   Sep.  30,  2015   Sep.  30,  2017  

Initial Tool Selection for the SWAMP At  ini>al  opera>ng  capability  (IOC)  a  goal  of  5  open  source  tools  opera>ng  on  100  packages.    Guiding  the  selec>on  of  tools  are  weakness  from  published  studies,  communica>ons  with  prac>>oners,  and  our  experiences  in  performing  in-­‐depth  so@ware  vulnerability  assessments.    Weakness  class  examples  include:  

• Command  injec>ons  • SQL  injec>ons  • Use  of  inherently  dangerous  OS  interfaces  • Buffer  overruns  • Resource  leaks  (allocated  but  not  freed  resources)  • Pointer  usage  errors  (e.g.,  NULL  pointer  usage,  double  freeing,  use  a@er  free)  

• Format  string  a.acks  • Integer  overflow/trunca>on  errors  • Cross-­‐site  scrip>ng/Cross-­‐site  request  forgery  • URL  redirec>on  (Open  Redirect)  

Initial Tool Selection for the SWAMP

Tool  Descrip:on   Languages   Targeted  Weakness  Findbugs:  widely  used  for  Java  source  code  analysis;  incorporated  into  many  commercial  tools.  

Java   Injec>on  a.acks,  number  handling,  web  decep>ons,  and  resource  leaks.  

cppcheck:  community-­‐wide  open  source  tool  hosted  at  sourceforce.net.  

C,  C++   Targets  common  coding  errors,  addressing  buffer  handling  and  resource  leaks.  

Clang  and  Clang  Sta:c  Analyzer:  contribu>ons  from  a  wide  community,  including  ac>ve  par>cipa>on  from  Apple  and  Google.  

C,  C++,  Objec>ve  C  (for  MacOS)  

Targets  common  coding  errors,  addressing  injec>ons,  buffer  handling,  resource  leaks,  and  number  handling.  

Oink:  based  on  CQual++  for  its  basic  analysis.  Reputed  to  be  quite  solid  and  has  whole  program  analysis  abili>es.  

C,  C++   Targets  common  coding  errors,  addressing  injec>ons.  

PMD:  a  community  wide  tool  under  ac>ve  development,  hosted  on  sourceforge.net.  

Java,  limited  support  for  XML,  Javascript,  JSP  

Targets  number  problems,  resource  leaks,  and  programming  errors.  A  focus  on  correctness,  now  adding  security  checks.  

Platform Selection for the SWAMP TBD

Pla^orm   Versions  

Linux  Debian  and/or  deriva>ves    RedHat  and/or  deriva>ves  Others?  

Mac?   OSX  10.8  (Lion),  OSX  10.7  (Mtn  Lion)  …  Windows   Windows7,  Windows8  …  

Guidelines:  • Minimally  sufficient  set.  Ini>al  DHS  target  is  8.  • Most  relevant  for  SWA  and  OSS  communi>es  • Updated  current  version  and  previous  version  

You are the key! o We  need  your  input  –  how  do  you  envision  using  such  a  resource?  What  tools,  packages,  policies,  topics,  planorms  would  help  you?  

o We  need  your  involvement  –  help  with  tools,  packages,  standards,  technical  literature,  seminars,  training.  

o We  need  your  feedback  –  the  good,  the  bad,  and  the  ugly.  

Backup  Slides  

U.S. Department of Homeland Security Science and Technology Directorate

o So@ware  Assurance  Marketplace  project  part  of  $70+  million  mul>-­‐year  Cyber  Security  Division  effort  to  improve  security  of  na>on’s  cri>cal  informa>on  infrastructure  

o BAA  11-­‐02  involves  34  awards  to  29  academic,  commercial  and  research  organiza>ons  in  14  technical  areas  focused  on  detec*ng,  preven*ng  and  responding  to  cyber  a.acks  

Relationship to other DHS projects

TTA-­‐14  SoFware  Assurance  Marketplace  

Other  Technical  Topic  Areas  

Some  collabora>on  

Significant  collabora:on  

TTA-­‐1  So@ware  Assurance  Tools  

Software Assurance Marketplace Organization                                              So@ware  Assurance  

                                                   Marketplace  Director                      

                 Miron  Livny  

Chief  Opera>ons  Officer  

         

Brooklin  Gore  

SoFware  Development   Produc:on  

Iden>ty  Mgmt.  Lead  

         

Jim  Basney  

Chief  Security  Officer  

         

Von  Welch  

Opera:ons  Center  

Security  Opera:ons  

Chief  Scien>st  

         

Barton  Miller  

SoFware  Assurance  Tools  and  Standards  

User  Support  External  Resources  

Morgridge  Ins:tute  for  Research  

Indiana  Univ.  Pervasive  Technology  Ins>tute  

U.  of  Wisconsin  Middleware  Security  and  Tes>ng  Group  

U.  Of  Illinois  NCSA  

Cybersecurity  Directorate  

~  24  Team  Members