Why Johnny and Janie Can’t Code Safely: Bringing Software Assurance to the Masses presented at SecuritySymposium 2015

by Bart Miller

Summary: While we are all furiously working on new techniques to automate the finding of weaknesses and even vulnerabilities in software, relatively few programmers in the real world are benefiting from our work. The reasons for this situation are myriad: lack of training, awareness, and economic incentives on the part of the users; complex and only partially useful tools on the part of the assurance tool developers; legal barriers to open reporting of software problems; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.
As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a 5-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. In addition, tool developers can use the SWAMP-developed resources to speed their tool development, making it easier to compete with established research projects and commercial products. The SWAMP also serves as a resource for classroom instructors and for researchers studying the software assurance process.