ISE® NORTH AMERICA LEADERSHIP SUMMIT
Department of Homeland Security, Science & Technology Directorate, Cyber Security Division
Bringing Industry Change via Software Security and Assurance
Kevin E. Greene
Program Manager, Software Assurance
Nominee Showcase Presentation
ISE® North America Leadership Summit #ISEawards
S&T’s Cyber Security Division – Our Mission
CSD’s Software Assurance Program – At a Glance
Presentation Overview
• Keeping pace with the evolution of software
• Vulnerabilities on the Rise
• The “heart” is still bleeding – shock and awe
• DHS Response to a hard problem
• Software Acquisition – SWAMP’ing the Supply Chain
• Future Capabilities
• BRING YOUR CODE (BYC) to the SWAMP
Keeping Pace With Software
By The Numbers – Vulnerabilities on the Rise
Heartbleed – Shock and Awe
• Oh... I forgot about the Bash bug.
• There are tools that still can’t detect Heartbleed
DHS Response to a Hard Problem
• Free and open resource
• Hosts over 400 open-source software packages and test cases
• API integration with Integrated Development Environments (IDEs)
• Processing over 700 assessments per week
• Approaching 400 users
• Designed to process over 275 MLOC per day
• Offers 7 open-source tools. Java: FindBugs, PMD, Error Prone, Checkstyle; C/C++: Clang, Cppcheck, and GCC
• Supports 9 different OS platforms: Debian, Red Hat, Ubuntu, Scientific Linux, and Fedora
Bringing Change to Software Assurance
Today’s Software Assurance (SwA) ecosystem is a collection of enterprise and open-source professionals who typically work in isolation.
SWAMP provides a hub for members of this ecosystem to collaborate and share SwA products and methodologies.
This ecosystem includes tool developers, software developers, facility managers, IT executives, researchers and educators.
SWAMP helps members of this ecosystem to:
• Identify new (possible) defects in software each time a change is made
• Identify new (possible) defects in a software package, library or module that is being used for new version releases
• Profile the ability of SwA tools to identify (possible) software defects for every change in the software
• Expose new tools and software to the SwA community
New Approaches to Software Analysis
[Figure: overlapping coverage of Tool A, Tool B, Tool C and Tool D, on a scale from “least weaknesses found” to “most weaknesses found”]
• Tools can’t and don’t catch everything
• Gaps in tool coverage: language-specific, and across various classes of weaknesses
Why Does Industry Need The SWAMP?
• SWAMP addresses the growing realization of the power of using multiple tools to create a comprehensive view of an application’s weaknesses and potential vulnerabilities.
• The NSA Center for Assured Software studied over 60,000 test cases with several million lines of source code and found that only 14 percent of the known software defects could be detected
• Need better-performing tools, commercial and open-source (no more Heartbleed)
• For collaboration and tech exchange to advance software assurance capabilities
• Offset the cost to “formalize” software assurance in organizations
• DO IT EARLY and DO IT OFTEN (Continuous Assurance meets Continuous Integration)
• We can’t trust the software supply chain
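The multi-tool argument above (each tool has its own coverage gaps, and recall against known defects is what matters) as an added Python example; this is not code from the deck or from SWAMP. It merges the findings of several tools and measures how much of a seeded-defect set each tool, and their union, catches. Tool names follow the deck; the files, lines and CWE ids are constructed sample data.

```python
"""Merge static-analysis findings from several tools and measure what they
catch, alone and together, against a test suite of known defects."""
from collections import defaultdict

# Constructed sample: each tool reports (file, line, CWE) for what it flagged.
TOOL_FINDINGS = {
    "FindBugs":   {("App.java", 42, "CWE-89"), ("App.java", 77, "CWE-476")},
    "PMD":        {("App.java", 42, "CWE-89"), ("Util.java", 10, "CWE-563")},
    "ErrorProne": {("App.java", 77, "CWE-476"), ("Util.java", 21, "CWE-190")},
}

# Constructed sample: seeded defects with known answers, as in the NSA CAS study.
KNOWN_DEFECTS = {
    ("App.java", 42, "CWE-89"),
    ("App.java", 77, "CWE-476"),
    ("Util.java", 21, "CWE-190"),
    ("Util.java", 30, "CWE-78"),   # no tool flags this one: a coverage gap
}

def merge_findings(tool_findings):
    """Union of all findings: (file, line, cwe) -> set of tools that reported it."""
    merged = defaultdict(set)
    for tool, findings in tool_findings.items():
        for finding in findings:
            merged[finding].add(tool)
    return dict(merged)

def recall(tool_findings, known_defects):
    """Fraction of known defects each tool finds, and what they find together."""
    per_tool = {tool: len(found & known_defects) / len(known_defects)
                for tool, found in tool_findings.items()}
    union = set().union(*tool_findings.values())
    combined = len(union & known_defects) / len(known_defects)
    return per_tool, combined

def missed_defects(tool_findings, known_defects):
    """Known defects that no tool reports: the gaps the deck warns about."""
    return known_defects - set().union(*tool_findings.values())

def unique_to_one_tool(tool_findings):
    """Findings only a single tool reports, keyed by that tool's name."""
    return {finding: next(iter(tools))
            for finding, tools in merge_findings(tool_findings).items()
            if len(tools) == 1}

if __name__ == "__main__":
    print("recall (per tool, combined):", recall(TOOL_FINDINGS, KNOWN_DEFECTS))
    print("missed by every tool:", missed_defects(TOOL_FINDINGS, KNOWN_DEFECTS))
    print("reported by only one tool:", unique_to_one_tool(TOOL_FINDINGS))
```

On the constructed data no single tool exceeds half of the known defects while the three together reach three quarters, and one defect is still missed by all of them.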
Software Acquisition Vision - The SWAMP
• Suppliers use the SWAMP as part of the software acquisition process
• Acquirer has visibility throughout the process
• SWAMP services will help provide assurance for third-party software
• Does the software meet my security requirements?
• Helps suppliers with selection of software components to use
SWAMP’s Future Capabilities
Features
• Full integration with Git Repositories
• Bring results into SWAMP
• Mobile Code Analysis
• Binary Analysis
• Dynamic Analysis
• Mac OSX (platform)
• Windows (platform)
Tools
• Veracode (commercial)
• Parasoft (commercial)
• GrammaTech (CodeSonar)
• Goanna (Red Lizards)
• Binary Analysis tools
• Dynamic Analysis tools
Languages
• Python
• Android
• Objective C and C#
• JavaScript
• PHP
• .NET
Lessons Learned/Best Practices
Reshaping Software Assurance
• Secure Coding becomes our first line of DEFENSE
• Tools need to perform better for early adoption in SDLC
• No one tool can give you the coverage you need
• Mind shift from CVEs to CWEs: a proactive approach
• This is everyone’s problem – We all are vulnerable
• DO IT EARLY, and DO IT OFTEN
CSD – Upcoming Events