
Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing

timothy posted about 4 months ago | from the they'll-take-a-look-see dept.

Security 67

cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.

No thanks. (0, Redundant)

Anonymous Coward | about 4 months ago | (#47557097)

Oh, sure, after our government has proven how trustworthy and helpful they are, I'm sure I'll be willing to pass my code directly to them! I'm sure they won't at all abuse me nor the code in some way.

Re:No thanks. (3, Insightful)

jfdavis668 (1414919) | about 4 months ago | (#47557169)

If your system is open source, they can just go get your code. It would still be useful if they point out your problems.

Re:No thanks. (0)

Anonymous Coward | about 4 months ago | (#47557407)

But they won't.

Re:No thanks. (0)

Anonymous Coward | about 4 months ago | (#47557663)

If your system is open source, they can just go get your code.

Correct. So in that regard, the original AC was wrong.

It would still be useful if they point out your problems.

That seems like a pretty big "if" there. Probably far more likely is that they would point out their problems. I.e., they won't tell you about vulnerabilities they discover, and will even suggest "improvements" you could make that actually add in security holes for them to use.

Re:No thanks. (0)

Anonymous Coward | about 4 months ago | (#47558171)

That's very different. Any information provided to a government entity can and will be used against you. If you honestly believe you can trust the government to handle anything without at least attempting to screw you over, you're a fool.

Re:No thanks. (1)

jfdavis668 (1414919) | about 4 months ago | (#47559655)

Any information NOT provided to a government entity can also be used against you. What difference does it make? Unless your code is designed to hack into bank systems and steal account information, I don't see the difference it would make.

Re:No thanks. (0)

Anonymous Coward | about 4 months ago | (#47558359)

Is this a proper role for government? Or, since someone else is paying for a perceived benefit, is it okay to exceed the narrowly defined powers granted to the Federal government by the States and the people?

By the way, did you get your free government cell phone?

Re:No thanks. (0)

Anonymous Coward | about 4 months ago | (#47558499)

They use five open-source static analysis tools, you can check your code yourself.

No thanks (0, Troll)

Dishwasha (125561) | about 4 months ago | (#47557103)

The NSA is already proactively doing this for me.

language of the heart unbreakable (-1)

Anonymous Coward | about 4 months ago | (#47557135)

try a little tenderness seems outdated? the best has yet to come http://www.youtube.com/results?search_query=world+wake+up some still calling this 'weather'? http://www.youtube.com/results?search_query=wmd+weather

how about no (1)

Anonymous Coward | about 4 months ago | (#47557153)

I trust the DHS as much as I trust the NSA.

Looks good to me (3, Insightful)

Mostly a lurker (634878) | about 4 months ago | (#47557175)

The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

Re:Looks good to me (2, Insightful)

Anonymous Coward | about 4 months ago | (#47557221)

What a shame they have no credibility with the people that would benefit from this.

Re:Looks good to me (1)

disposable60 (735022) | about 4 months ago | (#47557505)

Or with anyone not benefiting directly from their vendor base's campaign contributions to your congresscritters.
Oh, and the FNC audience.

Re:Looks good to me (2)

aztracker1 (702135) | about 4 months ago | (#47557655)

For those, like yourself, that don't already know, CERT [us-cert.gov] is now under DHS. CERT has some pretty big credibility.

Re:Looks good to me (0)

Anonymous Coward | about 4 months ago | (#47557895)

The DHS has zero credibility. That they pull some non-scumbag organizations in with them is irrelevant.

Re:Looks good to me (2)

some old guy (674482) | about 4 months ago | (#47557959)

CERT had some pretty big credibility.

FTFY

Re:Looks good to me (2)

jasno (124830) | about 4 months ago | (#47557515)

Actually, my first thought is why isn't the NSA doing this?

Securing our nation's information infrastructure is one of their core missions (along with spying on OTHER nations, which I also think they should be doing, instead of spying on US). They have the talent to be able to do it effectively.

Re:Looks good to me (1)

Zero__Kelvin (151819) | about 4 months ago | (#47557969)

"Actually, my first thought is why isn't the NSA doing this?"

Actually, my first thought was that they are, and that they're calling their initiative SWAMP Thing. Perhaps you missed the stories of agencies performing the tasks that others cannot and then "sharing" their data?

Re:Looks good to me (1)

jasno (124830) | about 4 months ago | (#47565817)

I had a feeling someone would say something like this...

According to TFS, the program is for open source code. You know, the code that is already open and scannable by a web crawler. If the NSA wanted to do this for nefarious purposes (and I'm sure they do), they would have (and probably have) started their own program years ago. They don't need you to upload your open source project for them.

I'm willing to bet the NSA has all the closed-source software source they want as well. I doubt my company's shitty security, for example, is any hindrance to them.

Re:Looks good to me (1)

Zero__Kelvin (151819) | about 4 months ago | (#47566307)

You should have paid more attention. This allows them, at a minimum, to not search the whole internet for code. The proles will bring it to them! Why pay someone to look all over the internet for FOSS code and go through the work of pulling it to their servers, when trusting morons will push it for them?

"You know, the code that is already open and scannable by a web crawler"

Have you ever tried to write a Webcrawler that will crawl the internet and differentiate code from everything else there, determine if it is FOSS, decide if it is still in active development or interesting, etc.? Clearly not. You might think you can easily write an AI Webcrawler, but I assure you that you cannot do it at all.

Re:Looks good to me (1)

suutar (1860506) | about 4 months ago | (#47558765)

Because "be able to attack others" always winds up being a higher priority than "keep others from attacking us" in a dual-mission agency. It goes along with "the best defense is a good offense" and such mindsets, and it sounds cooler when you're selling your budget to the oversight committee.

Re:Looks good to me (0)

Anonymous Coward | about 4 months ago | (#47557545)

Why do I get the feeling that the only people who will submit their apps are those who are "worried" about security, but not smart enough to know better than to submit it to a nameless bureaucracy? It almost seems like a honey pot. The only reason police catch a lot of criminals is because they are stupid. A smart criminal can get away with a lot.

Re:Looks good to me (1)

Zero__Kelvin (151819) | about 4 months ago | (#47557917)

What makes you say that? You seem to be assuming that they are both competent and well meaning. These are two assumptions that are specious at best. Somewhere there are some DHS droids laughing their ass off: "Can you believe it. We even called it SWAMP and the morons still did the work of ferreting out software to find holes in for us!"

I almost don't feel sorry for the people stupid enough to fall for this scam.

Re:Looks good to me (2)

arglebargle_xiv (2212710) | about 4 months ago | (#47558269)

The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

Barely. If you look at what they're offering [continuousassurance.org] it's FindBugs, clang, gcc, and cppcheck. Completely bog-standard tools that anyone should be using anyway, but they're being paid $23M taxpayer dollars for it. Shee-it, I could do the same thing with $10K to cover the cost of renting some EC2 space, and I'll spend the remaining $22.99M on coke and hookers (seriously, how can they have spent $23M on this? One person could set it up in a few hours, the only constraint is how many VMs you need to spin up if lots of people sign up for it).

This looks very much a DHS solution, vast sums of money spent on something that should be nearly free. Not to mention that while gcc -Wall, clang, and FindBugs aren't bad as far as free software goes, they're nowhere near the level of commercial offerings like Fortify, Coverity, and others.

OK, so in terms of cost/benefit it's more of a TSA solution than strictly a DHS solution.

Re:Looks good to me (0)

Anonymous Coward | about 4 months ago | (#47559009)

Perhaps they know it costs no money, and are funneling that funding elsewhere...
or maybe they are incompetent..

Re:Looks good to me (1)

marka63 (1237718) | about 4 months ago | (#47562125)

It saves the government money to consolidate the checking to one place. Otherwise every department would need to do the checking themselves.

By doing this continuously you end up with releases which are free of known errors.

Re:Looks good to me (1)

arglebargle_xiv (2212710) | about 4 months ago | (#47563487)

By doing this continuously you end up with releases which are free of known errors.

Weeellll... you end up with something that's been run through gcc -Wall, which is a long way from "free of known errors". Now admittedly "free of known errors" is a nice circular definition meaning "free of things gcc warns about", but even then it's not necessarily the case, there's plenty of code that ships with avalanches of warnings when you build it, but no-one's bothered fixing it up.

At best, you get something that doesn't produce warnings in gcc and clang. At worst you get code that hasn't been changed from the default release because the maintainers decided none of the warnings were serious.

Re:Looks good to me (1)

marka63 (1237718) | about 4 months ago | (#47563545)

Actually you get something that has passed several different analyses.

Silencing "gcc -Wall" is a good thing. Modern gcc versions catch lots of errors. Add to that clang static analysis and others you get pretty reasonable error detection which is what they are aiming for.

No Windows or C# support yet (2)

xxxJonBoyxxx (565205) | about 4 months ago | (#47557191)

It's a neat project covering C, C++, and Java and a little Objective C and Javascript, but it doesn't cover C# or Windows yet. (https://continuousassurance.org/tool-selection/)

Unfortunately, in my world C#/Windows is where a lot of the business-facing open source action is, especially with the advent of NuGet.

For widely used open source, great. I'll use it. (2)

raymorris (2726007) | about 4 months ago | (#47557203)

When I write open source software in C, and expect it to be widely distributed, I may use the service.
I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly. If NSA or someone reacts to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.

typos (0)

raymorris (2726007) | about 4 months ago | (#47557255)

When I write open source software in C, and expect it to be widely distributed, I may use the service.
I wouldn't submit PROPRIETARY software, probably, but code I submit to Apache or something like that isn't exactly secret. If NSA or someone wants to analyze the Apache source, they'll do that without me submitting it. By running static analysis on my code, I can learn about potential issues and fix them.

Re:For widely used open source, great. I'll use it (1)

Actually, I do RTFA (1058596) | about 4 months ago | (#47558659)

I think it's probably a good idea to do this to your code even if you don't plan on widely distributing it. It can help identify errors in your coding style/skillset. And you know what they say about a stitch in time...

For widely used open source, great. I'll use it. (1)

NoFlexZone (3781491) | about 3 months ago | (#47645965)

Ray Morris... exactly. People are so closed minded. You don't think the NSA already knows the backdoors and vulnerabilities in popular open-source packages? lol

WTF? (3, Insightful)

gstoddart (321705) | about 4 months ago | (#47557209)

Do the DHS seriously believe they have any credibility in this area?

At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

Sorry guys, but once you became the enforcement arm for copyright, you lost all credibility.

Re:WTF? (1)

Anonymous Coward | about 4 months ago | (#47557297)

At this point, I assume if they find any exploits they'll keep them secret and use them themselves.

Huh? If it is about open source, they can just download any project and still do that. As a matter of fact, harvesting open source software for vulnerabilities is something which agencies like NSA do all the time.

Re:WTF? (1)

93 Escort Wagon (326346) | about 4 months ago | (#47557459)

I'm not sure why you're conflating your understandable disgust over the current state of copyright litigation in the US with issues related to code integrity. There's not exactly a lot of common ground there.

Now if you had mentioned DHS' cozy relationship with the NSA - an organization that most of us expect is actively subverting both code and the standards we rely on - that would make more sense.

Really! (1)

Anonymous Coward | about 4 months ago | (#47557259)

Soon it will be illegal to use open source unless it is verified by DHS.

What they're not telling you (2)

Joe Gillian (3683399) | about 4 months ago | (#47557303)

What DHS isn't telling you is that they're secretly submitting anything given to them via SWAMP to a secret NSA partner program known as SHREK (Security Holes for Recapturing Encryption Keys) and the FBI's version of the same program, known as DONKEY (Domestic Onion-Router Key Capture) which will attempt to overthrow the TOR project.

The real question is, what is anyone doing putting their code in the SWAMP?

Re:What they're not telling you (1)

Zero__Kelvin (151819) | about 4 months ago | (#47557985)

"... known as DONKEY (Domestic Onion-Router Key Capture)

That would be DONKEY Capture, actually.

I was told there'd be brogre shitposting (0)

Anonymous Coward | about 4 months ago | (#47558435)

DONKEY (Domestic Onion -Router Key Capture)

I see what you did ogre there.
I wish I hadn't. Really.

QA (3)

jones_supa (887896) | about 4 months ago | (#47557351)

Quality assurance is the #1 thing that open source software needs in spades. There's a lot of buggy stuff out in the OSS world. Sure, it is mildly nauseating that DHS is the one doing this, but still I am all for it.

Re:QA (1)

antdude (79039) | about 4 months ago | (#47561793)

I agree. I try to help out by reporting issues that I run into, but I can't do this fulltime since I already have a paying SQA job. ;)

QA (1)

NoFlexZone (3781491) | about 3 months ago | (#47645953)

This will be eventually transitioned to the community to maintain. Think about it... much of the software used in government and critical infrastructure is now relying on open-source components. The SWAMP is a response from DHS that says.. software security is a huge problem ... here is a resource to help improve software development activities and raise the quality of tools used to detect bugs and weaknesses.

Coverity (4, Interesting)

cxbrx (737647) | about 4 months ago | (#47557399)

I trust Coverity's Scan [coverity.com] program far more than I'll trust the organization that continues to promote security theater. DHS has no business in this area. This is typical over expansion of a bloated bureaucracy.

Re:Coverity (1)

Zero__Kelvin (151819) | about 4 months ago | (#47558035)

Agreed:

1) Create a program, and call it SWAMP
2) Look for problems in the code that is sure to be buggy, as competent developers would never submit code
3) Announce that OMFG, Open Source is full of holes!
4) Watch more people stay with Windows due to the misinformation
5) Power Profit

Look Ma! No ???? step!

What exactly stops them from gathering their own FOSS software? See step 2.

Re:Coverity (1)

Anonymous Coward | about 4 months ago | (#47558275)

This is just another tool like Coverity, funded by the .gov. There's nothing wrong with it. And competent developers *will* submit code, because competent developers realize that no matter how competent you are and how much you focus on writing correct code, mistakes are inevitable and static analysis tools help mitigate the risk of those mistakes. Competent developers are already using Coverity, and they'll probably sign up for this as well in hopes that there is some non-overlap in the bugs the two sites find.

Re:Coverity (1)

Kiwikwi (2734467) | about 4 months ago | (#47559461)

Sorry to break it to you, but Coverity's free open-source scanning was originally funded by the DHS [coverity.com] . :-)

After the DHS grant expired in 2009, Coverity continued the service pro bono.

This new program seems like a step back, though. Now, if the DHS was instead investing in improving the open-source tools, it would make sense.

Re:Coverity (1)

cxbrx (737647) | about 4 months ago | (#47559931)

Right you are! In my defense, I think contracting this out to Coverity was one of the rare things that the DHS did that was correct, or at least not horrifically incorrect. I see the DHS as an overgrown bureaucracy that is antithetical to our constitutional rights, especially the fourth amendment (searches). Bureaucracies need to grow to cover up their inefficiencies. Don't get me started on the TSA... Thanks for the correction...

Re:Coverity (1)

Kiwikwi (2734467) | about 4 months ago | (#47561229)

Well, considering the budget of the DHS, they're going to do the right thing once in a while, purely by accident. ;-)

Re:Coverity (1)

NoFlexZone (3781491) | about 3 months ago | (#47645941)

That's the plan: to try and raise the bar of open source tools. Actually, there is a use case to support vendors bringing their tool and running it against a wide range of software packages and test cases in the SWAMP. The goal is to create better performing tools and improve tool coverage. I think the SWAMP is an excellent idea.

what a gift! (1)

Cardoor (3488091) | about 4 months ago | (#47558139)

hey y'all - i know these guys have been trying to invade us and everything, but look.. they're nowhere to be seen, and they've left us this SWEET giant wooden horse! i don't know about you, but I'm thinking it's partytime!! open up them gates and roll that baby in!!

Made by humans for humans. (2)

zeroeth (1957660) | about 4 months ago | (#47558293)

I worked on this project. You should glance at who is involved before donning the tinfoil hats. https://continuousassurance.org/about-us/the-team/

It's an education grant with several PhDs who study various CS security subjects (fuzzing, dynamic, static analysis). Built by a bunch of nice nerds employed by the Morgridge Institute http://discovery.wisc.edu/home/morgridge/morgridge.cmsx which is part of University of Wisconsin Madison.

QA/Testing is the black sheep of the coding universe, and trying to get those tools running can be a pain sometimes. Anything that makes it easier (Swamp, Travis, etc) makes our universe a better place.

Re:Made by humans for humans. (3, Insightful)

Actually, I do RTFA (1058596) | about 4 months ago | (#47558621)

Why are the tools being run remotely, as opposed to, for instance, being all nicely packaged into an image I can download and boot from locally. I understand the benefits of keeping statistics as code improves, etc. but it seems that a "paranoid developer" mode would fit nicely with the mission of improving code security. Esp. since those developers tend to do a lot more NIH of basic parts.

Additionally, and more relevantly, some of my work is done on a laptop as I move around, and being able to do some Q/A work when away from the Internet would be useful.

Re:Made by humans for humans. (1)

zeroeth (1957660) | about 4 months ago | (#47559285)

The SWAMP is currently just one site, but their eventual goal is that you can install and run it on your own internally, or however you see fit.

Made by humans for humans. (0)

Anonymous Coward | about 3 months ago | (#47645901)

Finally someone with common sense

Made by humans for humans. (1)

NoFlexZone (3781491) | about 3 months ago | (#47645925)

Finally someone with common sense. The Chief Scientist of the SWAMP is the "father of Fuzzing", Barton Miller.

I'm confused (0)

Anonymous Coward | about 4 months ago | (#47558505)

Weren't DHS and the NSA, not a few weeks back, saying that FOSS, Linux, and a host of other keywords put you on a rather negative watch list? Now DHS is sponsoring FOSS code testing portals? Seems the left hand doesn't know what the right hand is doing, or wants!

DHS is many different agencies - Coast Guard, FEMA (1)

raymorris (2726007) | about 4 months ago | (#47558843)

> Seems the left hand doesn't know what the right hand is doing, or wants!

DHS includes a LOT of hands that don't know what the others are doing. This is a high-level overview of a few of the major sections within DHS:
http://www.dhs.gov/xlibrary/as... [dhs.gov]

You'll notice it includes agencies as diverse as the Coast Guard, FEMA, health stuff ...

The $60 billion budget for all of the different agencies within DHS is 10% of the total non-defense operational budget of the entire government. So anything the government does, there's a reasonably good chance it's part of DHS.

US-CERT is now part of DHS, and of course US-CERT is the #1 information security organization. One thing CERT is doing is dispensing DHS grant money to pay universities to develop free cybersecurity courses http://niccs.us-cert.gov/ [us-cert.gov] . Some of the courses are quite good.

Okay (1)

DaMattster (977781) | about 4 months ago | (#47558569)

Why would anyone voluntarily help the US Government spy on its people? Fuck Uncle Sam! I won't do anything to help big brother.

DHS sucks balls (2)

AndyKron (937105) | about 4 months ago | (#47558633)

Anybody who trusts the Department of Homeland Security is a fucking idiot.

No new tools. Low-budget operation (3, Informative)

Animats (122034) | about 4 months ago | (#47558677)

All they're offering are some existing tools [continuousassurance.org] , ones you can get for free. The main ones are the Clang static analyzer [llvm.org] and Cppcheck [sourceforge.net] . They're not offering free access to some of the better, and expensive, commercial tools.

Cppcheck is basically a list of common errors, expressed as rules with regular expressions. Clang is a little more advanced, but it's still looking for a short list of local bugs. [llvm.org] Neither will detect all, or even most, buffer overflows. They'll detect the use of "strcpy", but not a wrong size to "strncpy".
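
The gap arglebargle_xiv and Animats describe above (code that goes through gcc -Wall and clang cleanly yet is still wrong, and a wrong bound to strncpy in particular) in working code. This is an added example and is not code from the article, from the SWAMP project, or from any of the tools it hosts; the function names, the NAME_LEN buffer size and the sample inputs are my own constructions. The bug shown is the bound-equals-destination-size form of strncpy, which leaves the buffer unterminated when the source is too long; the companion mistake of bounding by strlen(src) is a plain heap or stack overflow and is only described in the comments because running it is undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the string in buf, bounded by len: the index of the first NUL,
 * or len if there is none. This is how to ask "is this buffer a valid C
 * string?" without strlen() reading past the end of the buffer. */
size_t bounded_len(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* The classic misuse: the bound equals the destination size. strncpy never
 * writes a NUL when src has dstlen or more bytes, so dst is left
 * unterminated and any later strlen()/printf("%s") on it reads past the
 * buffer. With a pointer and a runtime length, as here, neither gcc -Wall
 * nor the clang analyzer has anything to diagnose; gcc 8+ only flags the
 * special case where dst is a visible fixed-size array and the bound is its
 * sizeof (-Wstringop-truncation). The other common mistake, bounding by
 * strlen(src) instead of the destination size, is a straight buffer
 * overflow and is equally invisible to these tools for a non-constant src. */
void copy_name_bad(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen);
}

/* Hardened form: reserve the last byte for the terminator and always write
 * it. Over-long input is still truncated, but the result is always a valid
 * string, so later string functions cannot run off the end. */
void copy_name_good(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}

#define NAME_LEN 8   /* assumed fixed-size field, chosen for the demo */

/* Run one copy routine on an input and report the bounded length of what
 * ended up in the buffer. A return equal to NAME_LEN means "no terminator
 * anywhere in the buffer", i.e. the bug fired. The buffer is pre-filled
 * with 'X' so stale bytes cannot be mistaken for a NUL. */
size_t run_copy(void (*copy)(char *, size_t, const char *), const char *src)
{
    char name[NAME_LEN];
    memset(name, 'X', sizeof name);
    copy(name, sizeof name, src);
    return bounded_len(name, sizeof name);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_src = "Bob";
    const char *long_src  = "Bartholomew";   /* 11 bytes, NAME_LEN is 8 */

    printf("bad  short: %zu\n", run_copy(copy_name_bad,  short_src)); /* 3 */
    printf("good short: %zu\n", run_copy(copy_name_good, short_src)); /* 3 */
    printf("bad  long : %zu\n", run_copy(copy_name_bad,  long_src));  /* 8: unterminated */
    printf("good long : %zu\n", run_copy(copy_name_good, long_src));  /* 7: truncated, terminated */
    return 0;
}
```

Build it with `gcc -Wall -Wextra` or `clang --analyze` and note that the bad variant attracts no warning for the pointer/runtime-length case; the bounded_len check is what catches it, which is the kind of runtime or fuzz-driven check the commenters are saying a warning-free build does not substitute for.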

No new tools. Low-budget operation (1)

NoFlexZone (3781491) | about 3 months ago | (#47645933)

Commercial tools are just as bad as open-source. Look at heartbleed, none of the tools found that weakness that led to heartbleed. You have to understand the premise behind the project before making assumptions. There will be commercial tools being offered soon!!!

it's a TRAP! (0)

Anonymous Coward | about 4 months ago | (#47558787)

If they find N bugs, they will tell you about N-1 or N-2. The rest they will keep in a database on how to exploit systems for the good of America..

Metadata (0)

ThatsNotPudding (1045640) | about 4 months ago | (#47558815)

It's about gathering even more metadata about the operators and rat lines within the most dangerous terrorist cell of all: F/OSS (It even *sounds* like ISIS!).

Projects to audit (0)

Anonymous Coward | about 4 months ago | (#47559589)

I'll be impressed if they find a remote hole in OpenBSD.
Maybe they can speed along the TrueCrypt audit. (Not that we trust them if they say that it's safe, but if they do find a problem that they report, then great.)
For that matter, let's have them look at LibreSSL, and report what they find there.
Then, give them the OpenSSL code, and that project alone should entirely chew up their grant money before they get finished.

This is a really, really great ide-- wait, I'm an American taxpayer. Whose dumb idea was it to spend my money on having an untrustworthy organization do this?

Maybe A Different Tactic? (1)

LifesABeach (234436) | about 4 months ago | (#47559957)

As a Freedom of Information Act Request; have the NSA offer users access to one's phone calls? In other words, be a part of the solution...