Software Assurance Marketplace to host exposition

May 23, 2013

by Jennifer Sereno

Photo: Brooklin Gore and Miron Livny in server room

Software Assurance Marketplace Operations Officer Brooklin Gore (left) and Chief Technology Officer Miron Livny in the server room of the Wisconsin Institutes for Discovery building, where the software security tests will be run.

Photo: Morgridge Institute for Research

Top software analysis tool providers from around the world are being invited to run their latest assessment tools at the Morgridge Institute for Research on the UW-Madison campus in a months-long series of tests to improve the quality and security of software assurance tools and open-source software.

The project will be led by the National Institute of Standards and Technology in collaboration with the Software Assurance Marketplace and the U.S. Department of Homeland Security’s Science and Technology Directorate.

The effort is part of the fifth Static Analysis Tool Exposition. The exposition involves tool developers from around the world running their software assessment tools to see how many vulnerabilities they can pinpoint within millions of lines of computer code. The ultimate goal is to improve the security of software that underpins our nation’s energy, communications and economic infrastructure.

“Keeping our infrastructure secure requires a sustained effort to enhance software analysis tools,” says Miron Livny, chief technology officer for the Software Assurance Marketplace (SWAMP), UW–Madison computer sciences professor, and director of core computational technology at the Morgridge Institute, where the tests will be run. “This event will demonstrate the ability of the continuous software assurance engine that powers the SWAMP research facility to support this effort.”

Test suites, which will contain embedded vulnerabilities, will be selected by the Software Assurance Metrics and Tool Evaluation (SAMATE) team at the National Institute of Standards and Technology (NIST). The infrastructure to support the testing, in the form of virtual machines, will be hosted by SWAMP, a national research facility funded by Homeland Security’s Science and Technology Directorate. The virtual machines containing the test suites will be securely hosted for the tool providers during the testing period, which runs from June 1 to Aug. 31.

Analysis of the results by NIST will commence on Sept. 1 with organizers and teams expected to report and discuss their findings at a conference in March 2014. NIST will publish all the test suites and a final report later.

“We’re excited about the added strength and depth of this year’s exposition thanks to the participation of the major partners and the quality of the software assurance tools we expect will be run,” says Paul E. Black, a computer scientist and SAMATE project leader. “We’ve learned that improving the quality and security of software requires expertise in many areas. Automated access to computing power will make it easier for software developers to get additional assurance.”

Kevin Greene, software assurance program manager with the directorate, says the Static Analysis Tool Exposition will advance the agency’s efforts to improve the nation’s cyber defenses. The event is expected to serve as a catalyst to create better-performing tools in the areas of quality and security, while enhancing the ability to perform software assessments.

“Through collaborative efforts like this, we’re creating opportunities for leaders in the software community to come together, share best practices and contribute findings that strengthen software security,” Greene says.

The SWAMP research facility will host a suite of static analysis tools when it opens to the public in January 2014. At that time, SWAMP will begin working with the developers of new software analysis technologies and the open-source community to strengthen the security of software that controls everything from regional electric grids and communication networks to the databases that manage our personal records.