Post on 19-Aug-2020
A Collaborative Marketplace for Continuous Software Assurance
U.S. Department of Homeland Security Science and Technology Directorate
o Software Assurance Marketplace project part of $70+ million multi-year Cyber Security Division effort to improve security of nation’s critical information infrastructure
o BAA 11-02 involves 34 awards to 29 academic, commercial and research organizations in 14 technical areas focused on detecting, preventing and responding to cyber attacks
Relationship to other DHS projects
TTA-14 Software Assurance Marketplace
Other Technical Topic Areas
Some collaboration
Significant collaboration
TTA-1 Software Assurance Tools
Software Assurance Marketplace
o Six proposals submitted
o Awarded to Morgridge Institute for Research with Indiana University, University of Illinois Urbana-Champaign, and UW-Madison as subcontractors
o Offers industry, academia and government agencies no-cost access to a secure research facility with analytical and reporting capabilities
o Will help the software assurance community improve the security of software used in the nation’s critical infrastructure
Use Cases
Software Developers
Upload software packages for analysis by a suite of software assurance tools and view results via dashboard.
Cybersecurity Researchers
Review data on tool coverage and common weaknesses to improve standards, education and certification programs.
Software Assurance Tool Developers
Upload SWA tools and evaluate against large corpus of SW packages and test suites with known weaknesses.
Software Assurance Marketplace
A Growing Need…
User Communities
SWA Tool Developers
SWA Researchers
Software Developers
Educators & Students
Infrastructure Operators
Software Assurance Marketplace Organization
Software Assurance Marketplace Director
Miron Livny
Chief Operations Officer
Brooklin Gore
Software Development Production
Identity Mgmt. Lead
Jim Basney
Chief Security Officer
Von Welch
Operations Center
Security Operations
Chief Scientist
Barton Miller
Software Assurance Tools and Standards
User Support External Resources
Morgridge Institute for Research
Indiana Univ. Pervasive Technology Institute
U. of Wisconsin Middleware Security and Testing Group
U. of Illinois NCSA
Cybersecurity Directorate
~ 24 Team Members
Major Deliverables
Year Phase Build Beta Enhance Operate
1 2 3 4 5
SWAMP Operational (Version 1.0 of CoSALab and Metronome)
V3 of CoSALab and Metronome Third SWAMP User’s Meeting
V1 Stable Release of Metronome Second SWAMP User’s Meeting
V2 of CoSALab and Metronome Third SWAMP User’s Meeting
Fourth SWAMP User’s Meeting
Final Metronome Release
Feb. 2, 2014 Oct. 1, 2012
Oct. 1, 2013
Date Sep. 30, 2015 Sep. 30, 2017
Planning First SWAMP Community Meeting
You are the key!
o We need your input – how do you envision using such a resource? What tools, packages, policies, topics, platforms would help you?
o We need your involvement – help with tools, packages, standards, technical literature, seminars, training.
o We need your feedback – the good, the bad, and the ugly.