CodeSonar in the SWAMP

February 5, 2019 Bill Graham

INTRODUCTION:

The Software Assurance Marketplace (SWAMP) is an open set of software assurance tools, started by the Department of Homeland Security Science and Technology Directorate, whose goal is to lower the barrier to entry for software teams doing continuous software assurance in order to improve quality and security. GrammaTech has been working with the SWAMP team, and CodeSonar is available as part of SWAMP. How does CodeSonar fit in, and what are the benefits for a developer?

CodeSonar in the SWAMP

The SWAMP brings the tools needed for continuous assurance (testing early, often and with each iteration) to open source and commercial projects. It is available "in the cloud" or as a set of tools you can install on your own servers. CodeSonar's role is to provide commercial-quality, advanced static analysis for C and C++ code within the SWAMP framework. User projects are uploaded (or read from GitHub), the selected tools analyze the code, and the results are stored on a per-build (or per-upload) basis, or on a schedule, and presented in a common results viewer. Continuous assurance is supported by comparing the results of one build against the next, so that only newly introduced (or newly fixed) findings need attention. SWAMP provides a single point of use for diverse analysis tools with a common user interface and results viewer.
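One way to implement the build-versus-build comparison described above, as an added example that is not SWAMP's or CodeSonar's own code: findings are matched by a fingerprint of file, checker and the flagged source text rather than by line number, so code inserted above a warning does not make the old report look fixed and the same report look new. The record layout, checker names and the two sample builds are constructed for this example.

```python
"""Build-over-build comparison of static analysis results.

Added example of the continuous-assurance step: findings from two
consecutive builds are matched so that only genuinely new or fixed
warnings surface. The record layout, the fingerprinting rule and the
sample data are assumptions made for this example, not SWAMP's or
CodeSonar's own result format.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    checker: str
    source_line: str  # text of the flagged source line


def fingerprint(f: Finding) -> str:
    """Identity of a finding that survives line-number shifts.

    Keyed on file, checker and the whitespace-normalised flagged source
    text, not on the line number, so inserting code above a finding does
    not change its identity between builds.
    """
    normalised = " ".join(f.source_line.split())
    digest = hashlib.sha256(f"{f.path}|{f.checker}|{normalised}".encode()).hexdigest()
    return digest[:16]


def index_build(findings):
    """Map each finding to a key. Identical fingerprints within one build are
    disambiguated by occurrence number (in line order), so duplicated code
    that yields two identical reports still compares one-to-one."""
    seen = Counter()
    indexed = {}
    for f in sorted(findings, key=lambda x: (x.path, x.line)):
        fp = fingerprint(f)
        indexed[(fp, seen[fp])] = f
        seen[fp] += 1
    return indexed


def by_line(f):
    return (f.path, f.line)


def diff_builds(previous, current):
    """Return new, fixed and persisting findings between two builds."""
    prev = index_build(previous)
    curr = index_build(current)
    return {
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=by_line),
        "fixed": sorted((prev[k] for k in prev.keys() - curr.keys()), key=by_line),
        "persisting": sorted((curr[k] for k in curr.keys() & prev.keys()), key=by_line),
    }


# Constructed sample data: build 2 inserts five lines at the top of parse.c
# (the memcpy report moves from line 42 to 47 and is re-indented), fixes the
# NULL dereference in net.c, and introduces a new tainted-index report.
BUILD_1 = [
    Finding("src/parse.c", 42, "BUFFER_OVERRUN", "memcpy(buf, in, n);"),
    Finding("src/net.c", 10, "NULL_POINTER_DEREFERENCE", "p->len = 0;"),
]
BUILD_2 = [
    Finding("src/parse.c", 47, "BUFFER_OVERRUN", "memcpy(buf,  in, n);"),
    Finding("src/net.c", 30, "TAINTED_BUFFER_ACCESS", "tbl[idx] = v;"),
]

if __name__ == "__main__":
    for kind, items in diff_builds(BUILD_1, BUILD_2).items():
        print(kind, [(f.path, f.line, f.checker) for f in items])
```

Fingerprinting on the flagged source text is the usual compromise: it is stable across unrelated edits but will report a "fixed" and a "new" finding when the flagged line itself is rewritten without actually removing the defect, so the "new" list still deserves a look even after a refactoring-only commit.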

Real World Benchmarking for Static Analysis Tools

Software development and quality managers evaluating different static analysis tools struggle to find objective means of comparing them. GrammaTech, under contract to the Department of Homeland Security (DHS), has created independent real-world benchmarks that are now available in the Software Assurance Marketplace (SWAMP).

Several synthetic benchmarks already exist for measuring how well static analysis tools detect bugs. However, these test suites have limitations: the code paths are typically too simple, and tool vendors can tune their analysis engines to the benchmarks. GrammaTech has created BugInjector, a tool that injects Common Weakness Enumeration (CWE) based bug patterns into existing code bases, producing real-world benchmarks. Four real-world code bases (from the nginx, grep, sqlite and lighttpd open source projects) have been injected with bugs and are available through the Software Assurance Marketplace. With BugInjector there is now a standardized way to benchmark how well a static analysis tool finds these bugs in realistic code bases with an appropriate level of complexity. Fill out this form if you are interested in applying BugInjector to your own code base.
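An added example (not BugInjector's or SWAMP's own code or scoring) of how an injected-bug benchmark can be scored: each injected bug is ground truth, a finding counts as a detection only if it reports the same CWE in the same file within LINE_SLACK lines of the injection site, matching is one-to-one so duplicate reports of one site are not rewarded, and recall is broken down per CWE. The paths, line numbers, CWE identifiers and the matching rule are assumptions constructed for the example.

```python
"""Scoring a static analyzer against an injected-bug benchmark.

Added example: injected bugs are ground truth; a tool finding is a
detection if it names the same CWE in the same file within LINE_SLACK
lines of the injection site; everything unmatched is a false positive.
The record layout, matching rule and sample data are assumptions for
this example, not BugInjector's or SWAMP's own format or scoring.
"""
from dataclasses import dataclass

LINE_SLACK = 3  # assumption: how far a report may sit from the injection site


@dataclass(frozen=True)
class InjectedBug:
    path: str
    line: int
    cwe: int


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    cwe: int


def score(ground_truth, findings):
    """Return (detected, missed, false_positives, recall).

    Matching is one-to-one: each injected bug can be claimed by at most one
    finding and each finding can claim at most one bug, so reporting the
    same site five times yields one detection and four false positives.
    """
    unclaimed = list(findings)
    detected, missed = [], []
    for bug in ground_truth:
        match = next(
            (f for f in unclaimed
             if f.path == bug.path and f.cwe == bug.cwe
             and abs(f.line - bug.line) <= LINE_SLACK),
            None,
        )
        if match is None:
            missed.append(bug)
        else:
            detected.append(bug)
            unclaimed.remove(match)
    recall = len(detected) / len(ground_truth) if ground_truth else 0.0
    return detected, missed, unclaimed, recall


def recall_by_cwe(ground_truth, findings):
    """Per-CWE recall, which shows which weakness classes a tool misses
    even when its overall recall looks acceptable."""
    detected, _, _, _ = score(ground_truth, findings)
    hit = set(detected)
    result = {}
    for cwe in sorted({b.cwe for b in ground_truth}):
        bugs = [b for b in ground_truth if b.cwe == cwe]
        result[cwe] = sum(1 for b in bugs if b in hit) / len(bugs)
    return result


# Constructed sample data (paths and lines are invented, not from any real
# injected code base).
GROUND_TRUTH = [
    InjectedBug("src/parse.c", 120, 121),  # stack-based buffer overflow
    InjectedBug("src/parse.c", 340, 476),  # NULL pointer dereference
    InjectedBug("src/net.c", 58, 190),     # integer overflow
    InjectedBug("src/util.c", 12, 125),    # out-of-bounds read
]
FINDINGS = [
    Finding("src/parse.c", 121, 121),  # hit, one line off the injection site
    Finding("src/parse.c", 120, 121),  # duplicate report of the same site
    Finding("src/parse.c", 340, 787),  # right line, wrong CWE: not a credit
    Finding("src/net.c", 58, 190),     # hit
    Finding("src/log.c", 7, 476),      # unrelated report
]

if __name__ == "__main__":
    detected, missed, fps, recall = score(GROUND_TRUTH, FINDINGS)
    print(f"recall={recall:.2f} detected={len(detected)} "
          f"missed={len(missed)} false_positives={len(fps)}")
    print(recall_by_cwe(GROUND_TRUTH, FINDINGS))
```

Recall and the false-positive count have to be read together: a tool can raise its recall on any injected benchmark simply by reporting more, so the one-to-one matching and the unmatched-report list are what keep the comparison honest. The per-CWE breakdown is the figure that distinguishes a tool with broad coverage from one that is strong only on the weakness classes a synthetic suite happens to emphasise.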

Benefits for the Software Developer

What does SWAMP mean for the developer? To put it simply, a set of powerful tools in one place with an easy-to-use interface. What's not to love? Specifically, let's address the real payback:

  • Improved quality and security: By using state-of-the-art security and quality analysis tools, developers can find vulnerabilities in their code early and prevent them from creeping in throughout development. The user interface, the build-over-build results and the sophisticated analysis available make the investment easy to justify; the ROI is large considering the low barrier to entry.
  • Simple adoption of software assurance tools: SWAMP provides a simple-to-use, no-installation approach to adopting software assurance tools. It is easy to adopt and fits easily into any software development process.
  • Continuous software assurance: One of SWAMP's main goals is to enable and encourage software assurance and improved security throughout the lifecycle. By lowering the cost and usability barriers to adoption, commercial and open source developers are motivated to include software assurance tools in their development process.


CONCLUSION:

GrammaTech is proud to be part of the SWAMP project and of the role that CodeSonar plays in it. Lowering the barrier to entry for software assurance is a worthy goal that results in improved quality and security.


Interested in learning more? Read our guide "Advanced Static Analysis for C++"
