a collaborative marketplace for continuous software assurance · 2016. 10. 25. · a collaborative...
TRANSCRIPT
A Collaborative Marketplace for Continuous Software Assurance
NYC OWASP Chapter – Feb. 5, 2013
A Growing Need…
Software Assurance Marketplace o Six proposals submi.edo Awarded to Morgridge Ins:tute for Research withIndiana University, University of Illinois Urbana-‐Champaign, and UW−Madison as subcontractors
o Offers industry, academia and government agenciesno-‐cost access to a secure research facility withanaly>cal and repor>ng capabili>es
o Will help the so@ware assurance communityimprove the security of so@ware used in the na>on’s cri>cal infrastructure
Use Cases SoFware Developers
Upload so@ware packages for analysis by a suite of so@ware assurance tools and view results via dashboard.
Cybersecurity Researchers
Review data on tool coverage and common weaknesses to improve standards, educa>on and cer>fica>on programs.
SoFware Assurance Tool Developers
Upload SWA tools and evaluate against large corpus of SW packages and test suites with known weaknesses.
So@ware Assurance Marketplace
User Communi:es SWA Tool Developers
SWA Researchers
SoFware Developers Educators &
Students
Infrastructure Operators
Major Deliverables
Year Phase Build Beta Enhance Operate
1 2 3 4 5
SWAMP Opera:onal (Version 1.0 of CoSALab and Metronome)
V3 of CoSALab and Metronome Third SWAMP User’s Mee:ng
V1 Stable Release of Metronome First SWAMP User’s Mee:ng
V2 of CoSALab and Metronome Second SWAMP User’s Mee:ng
Fourth SWAMP User’s Mee:ng
Final Metronome Release
Feb. 2, 2014 Oct. 1, 2012
Oct. 1, 2013
Date Sep. 30, 2015 Sep. 30, 2017
Initial Tool Selection for the SWAMP At ini>al opera>ng capability (IOC) a goal of 5 open source tools opera>ng on 100 packages. Guiding the selec>on of tools are weakness from published studies, communica>ons with prac>>oners, and our experiences in performing in-‐depth so@ware vulnerability assessments. Weakness class examples include:
• Command injec>ons • SQL injec>ons • Use of inherently dangerous OS interfaces • Buffer overruns • Resource leaks (allocated but not freed resources) • Pointer usage errors (e.g., NULL pointer usage, double freeing, use a@er free)
• Format string a.acks • Integer overflow/trunca>on errors • Cross-‐site scrip>ng/Cross-‐site request forgery • URL redirec>on (Open Redirect)
Initial Tool Selection for the SWAMP
Tool Descrip:on Languages Targeted Weakness Findbugs: widely used for Java source code analysis; incorporated into many commercial tools.
Java Injec>on a.acks, number handling, web decep>ons, and resource leaks.
cppcheck: community-‐wide open source tool hosted at sourceforce.net.
C, C++ Targets common coding errors, addressing buffer handling and resource leaks.
Clang and Clang Sta:c Analyzer: contribu>ons from a wide community, including ac>ve par>cipa>on from Apple and Google.
C, C++, Objec>ve C (for MacOS)
Targets common coding errors, addressing injec>ons, buffer handling, resource leaks, and number handling.
Oink: based on CQual++ for its basic analysis. Reputed to be quite solid and has whole program analysis abili>es.
C, C++ Targets common coding errors, addressing injec>ons.
PMD: a community wide tool under ac>ve development, hosted on sourceforge.net.
Java, limited support for XML, Javascript, JSP
Targets number problems, resource leaks, and programming errors. A focus on correctness, now adding security checks.
Platform Selection for the SWAMP TBD
Pla^orm Versions
Linux Debian and/or deriva>ves RedHat and/or deriva>ves Others?
Mac? OSX 10.8 (Lion), OSX 10.7 (Mtn Lion) … Windows Windows7, Windows8 …
Guidelines: • Minimally sufficient set. Ini>al DHS target is 8. • Most relevant for SWA and OSS communi>es • Updated current version and previous version
You are the key! o We need your input – how do you envision using such a resource? What tools, packages, policies, topics, planorms would help you?
o We need your involvement – help with tools, packages, standards, technical literature, seminars, training.
o We need your feedback – the good, the bad, and the ugly.
Backup Slides
U.S. Department of Homeland Security Science and Technology Directorate
o So@ware Assurance Marketplace project part of $70+ million mul>-‐year Cyber Security Division effort to improve security of na>on’s cri>cal informa>on infrastructure
o BAA 11-‐02 involves 34 awards to 29 academic, commercial and research organiza>ons in 14 technical areas focused on detec*ng, preven*ng and responding to cyber a.acks
Relationship to other DHS projects
TTA-‐14 SoFware Assurance Marketplace
Other Technical Topic Areas
Some collabora>on
Significant collabora:on
TTA-‐1 So@ware Assurance Tools
Software Assurance Marketplace Organization So@ware Assurance
Marketplace Director
Miron Livny
Chief Opera>ons Officer
Brooklin Gore
SoFware Development Produc:on
Iden>ty Mgmt. Lead
Jim Basney
Chief Security Officer
Von Welch
Opera:ons Center
Security Opera:ons
Chief Scien>st
Barton Miller
SoFware Assurance Tools and Standards
User Support External Resources
Morgridge Ins:tute for Research
Indiana Univ. Pervasive Technology Ins>tute
U. of Wisconsin Middleware Security and Tes>ng Group
U. Of Illinois NCSA
Cybersecurity Directorate
~ 24 Team Members