A Collaborative Marketplace for Continuous Software Assurance

U.S. Department of Homeland Security Science and Technology Directorate

o Software Assurance Marketplace project part of $70+ million multi-year Cyber Security Division effort to improve security of nation's critical information infrastructure

o BAA 11-02 involves 34 awards to 29 academic, commercial and research organizations in 14 technical areas focused on detecting, preventing and responding to cyber attacks


Relationship to other DHS projects

[Diagram labels: TTA-14 Software Assurance Marketplace; Other Technical Topic Areas; TTA-1 Software Assurance Tools. Legend: Some collaboration; Significant collaboration.]


Software Assurance Marketplace

o Six proposals submitted

o Awarded to Morgridge Institute for Research with Indiana University, University of Illinois Urbana-Champaign, and UW−Madison as subcontractors

o Offers industry, academia and government agencies no-cost access to a secure research facility with analytical and reporting capabilities

o Will help the software assurance community improve the security of software used in the nation's critical infrastructure


Use Cases

Software Developers

Upload software packages for analysis by a suite of software assurance tools and view results via dashboard.

Cybersecurity Researchers

Review data on tool coverage and common weaknesses to improve standards, education and certification programs.

Software Assurance Tool Developers

Upload SWA tools and evaluate against large corpus of SW packages and test suites with known weaknesses.

Software Assurance Marketplace


A Growing Need…


User Communities

o SWA Tool Developers

o SWA Researchers

o Software Developers

o Educators & Students

o Infrastructure Operators


Software Assurance Marketplace Organization

o Software Assurance Marketplace Director: Miron Livny

o Chief Operations Officer: Brooklin Gore

o Identity Mgmt. Lead: Jim Basney

o Chief Security Officer: Von Welch

o Chief Scientist: Barton Miller

[Organization chart labels: Software Development; Production; Operations Center; Security Operations; Software Assurance Tools and Standards; User Support; External Resources]

[Chart legend: Morgridge Institute for Research; Indiana Univ. Pervasive Technology Institute; U. of Wisconsin Middleware Security and Testing Group; U. of Illinois NCSA Cybersecurity Directorate]

~ 24 Team Members


Major Deliverables

[Timeline chart. Year: 1, 2, 3, 4, 5. Phase: Build, Beta, Enhance, Operate. Dates marked: Oct. 1, 2012; Oct. 1, 2013; Feb. 2, 2014; Sep. 30, 2015; Sep. 30, 2017.]

Milestones shown on the timeline:

o Planning; First SWAMP Community Meeting

o SWAMP Operational (Version 1.0 of CoSALab and Metronome)

o V1 Stable Release of Metronome; Second SWAMP User's Meeting

o V2 of CoSALab and Metronome; Third SWAMP User's Meeting

o V3 of CoSALab and Metronome; Third SWAMP User's Meeting

o Fourth SWAMP User's Meeting

o Final Metronome Release


You are the key!

o We need your input – how do you envision using such a resource? What tools, packages, policies, topics, platforms would help you?

o We need your involvement – help with tools, packages, standards, technical literature, seminars, training.

o We need your feedback – the good, the bad, and the ugly.
