U.S. Department of Homeland Security

Software Assurance

Software Assurance (SwA) Market Place

The Software Assurance Market Place (SwAMP) gathers community-provided tools that increase the transparency of software security. With greater transparency, stakeholders can make better security-related decisions about software and its suppliers. The Market Place leverages the efforts of the Software Assurance (SwA) Community and focuses on the research infrastructure necessary to enable software assurance and related activities.

The SwA Market Place research infrastructure is sponsored by the Cyber Security Division (CSD) of the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate. It is a facility for software assurance tools and associated services available to both software analysts and developers of software, both open source and proprietary. Using tools available in the SwA Market Place, software analysts will be able to perform static, dynamic, and binary analysis on new algorithms against a variety of software in a multi-platform environment. Software developers will gain maximum value from many software analysis tools, including those funded by DHS S&T, open source analysis tools, and, potentially, commercial tools without having to acquire licenses or learn how to use each one individually.

The SwAMP can become a resource in software assurance for open security technologies that could be used across civilian agencies and their communities as both a research platform and a core component of U.S. Government-supported software development activities. The resulting software management infrastructure will enable (1) research into new forms of software analysis and testing, (2) analyses to run in reliable and repeatable workflows, (3) on-demand access to extendable computing resources such as high-performance computing clusters, (4) expansion to new forms of analysis and testing such as dynamic analysis, and (5) tool isolation. Commercial vendors can participate through procedures that provide useful feedback to their ongoing development and refinement work without violating intellectual property and competitive business practices.
 
Other projects are put forward for community feedback. Additional information regarding solicitations is available at the DHS S&T Directorate Solicitations Portal.

Homeland Open Security Technology (HOST)
The mission of the Homeland Open Security Technology (HOST) program is to investigate open security methods, models, and technologies and identify viable and sustainable approaches that support national cyber security objectives. The foundational technology for the purposes of HOST is based on open source software.  HOST program activities include three key areas of focus:

SOFTWARE LABELS — The SwA Market Place provides consumers “Security Facts” labels for software products. Making simple security facts visible may help consumers make informed buying decisions.

Software Facts
The Software Assurance Consortium (SwAC) collaborates with others on the software facts effort. Software facts are similar to a nutrition facts label, material safety data sheets, or laser safety classes. Like a nutrition label, it would not tell you everything about the software, but it could give you some idea of its content. It would be a step toward making the asymmetrical flow of information more symmetrical and might lead to markets for better software.

OPEN SOURCE SOFTWARE SCANNING PROJECTS — Ongoing code scanning projects can enhance the security of open source software. 

Scan
Initiated in 2006 in collaboration with the U.S. Department of Homeland Security (DHS), the Coverity Scan Initiative has identified almost 50,000 defects within more than 290 open source projects, including Linux, Apache, PHP, and Android. To date, more than 15,000 of these defects have been fixed. Thousands of open source developers rely on this resource to help them enforce the quality, safety, and security of open source software. Read the Coverity Scan 2010 Open Source Integrity Report. Please note that registration is required to request a copy of the report.

OPEN SOURCE MODULES AND METHODS FOR SECURE SOFTWARE — OWASP provides collaboratively developed application programming interfaces (APIs) and security methods for building secure applications and for testing applications and services.

OWASP Enterprise Security API (ESAPI)
The OWASP ESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications and also serve as a solid foundation for new development. Developers can use or modify ESAPI and even include it in commercial products. This project is licensed under the BSD license, which is very permissive and as close to public domain as possible.

TECHNOLOGY ADVANCES — The following are projects seeking to grow and develop technologies that will be needed to make software more secure.

Software Assurance — As a DHS S&T Directorate Technical Topic Area (TTA), Software Assurance has two parts: (1) research and development of new tools and techniques for software analysis and (2) application of new and existing capabilities in test and evaluation activities. This TTA seeks to couple activities with a new effort called Homeland Open Security Technology (HOST), whose goal is to facilitate Government-wide secure information technology (IT) solutions based on open source technologies. HOST will provide more effective access to vetted open source and related technologies used within the Government. One goal of this initiative is to include a heavily automated process of rigorous testing and evaluation of software in source and binary form. More information on HOST can be found at the DHS Cyber Security Research and Development Center. Responses addressing part (2) of this TTA are encouraged to consider how activities can tie in to TTA 14, the SwA Market Place.

STONESOUP
The Intelligence Advanced Research Projects Activity (IARPA) Securely Taking On New Executable Software of Uncertain Provenance (STONESOUP) project seeks to develop and demonstrate technology to automatically diversify, confine, and analyze software (source or binary) so that end users can safely execute software of uncertain provenance. Rather than correcting design defects and malicious logic, STONESOUP addresses implementation defects and inadvertent defects.
For more information, see the presentation by Konrad Vesey, ODNI, entitled Securely Taking on New Executable Software of Uncertain Provenance (STONESOUP) Program Overview, from the 13th Semi-Annual Software Assurance Forum, September 27-October 1, 2010.