Presentation is loading. Please wait.

Presentation is loading. Please wait.

WELCOME!  The live event will begin at 2PM ET.  Q&A sessions with the presenters will follow.  Please have your speakers turned on.  Do you hear the.

Published byJohn Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "WELCOME!  The live event will begin at 2PM ET.  Q&A sessions with the presenters will follow.  Please have your speakers turned on.  Do you hear the."— Presentation transcript:

1 WELCOME!  The live event will begin at 2PM ET.  Q&A sessions with the presenters will follow.  Please have your speakers turned on.  Do you hear the music?  Tweet with us live @SWAMPTEAM @TENandISE

2 YOUR GUIDE THROUGH THE SWAMP: AVOIDING PREDATORS IN A MURKY WORLD May 22, 2014 SWAMP is funded by Department of Homeland Security, Science and Technology Directorate, Cyber Security Division (CSD)

3 AGENDA  Agenda:  2:00pm EST – Welcome Remarks – Marci McCarthy  2:05pm EST – An Ounce of Prevention is Worth a Pound of Blood – Arthur Hicken  2:20pm EST – How YOU can use SWAMP / Demonstration – Miron Livny & Irene Landrum  2:40pm EST – Q&A  3:00pm EST – Program Conclusion  You may earn 1CPE for this event. If you would like us to submit on your behalf, please email your certification number to Deb Jones at djones@ten-inc.com.

4 AN OUNCE OF PREVENTION IS WORTH A POUND OF BLOOD Arthur Hicken (aka the Code Curmudgeon) Evangelist Parasoft Corporation

5 FLOW ANALYSIS IS HARD  Path limitations  Flavor-of-the-month  Incomplete coverage  False negatives  Tracking pointers

6 AN OUNCE OF PREVENTION  Which would you prefer? Prevention Your software is secure – Have a great day! Prevention Your software is secure – Have a great day! Early Detection You have security problems. Fixing them will delay your release. You don’t have time to address the root cause, so you’ll have to triage which things you can fix and just patch some of them. Early Detection You have security problems. Fixing them will delay your release. You don’t have time to address the root cause, so you’ll have to triage which things you can fix and just patch some of them.

7 PREVENTATIVE STANDARDS EXAMPLES Object-Oriented Avoid "public"/"protected"/package-private instance fields Do not override an instance "private" method Do not hide inherited fields Best Practices Avoid returning "handles" to internal data from const member functions. Declare at least one constructor to prevent the compiler from doing so. Declare reference parameters as const references whenever possible Unused Code Avoid unused local variables Avoid unused "private" fields Class Metrics Follow the limit for Cyclomatic Complexity (default<30) Follow the limit for number of “ " fields (private,etc.) Follow the limit on class hierarchy depth

8 CONTEXT IS EVERYTHING  The important rules  The right code  Static analysis config  Code review  Regression  QA  Field bugs Set error prevention criteria Detect error(s) and isolate the cause Locate production point in the process of the error Update error prevention criteria and/or process Monitor for improvements via metrics gathering and reporting

9 HEARTBLEED FOUND

10 HEARTBLEED AVOIDED MISRA C 2004 20.3 “The validity of values passed to library functions shall be checked” CWE-20 “Improper input validation” CWE-114 “Process control” CWE-125 “Out-of-bounds read” CWE-130 “Improper handling of length parameter inconsistency”

11 CLEAN YOUR CODE – IN THE SWAMP  Easy to setup  The price is right  Run early, run often  Each tool is different  More is better

12 An Open Continuous Assurance Facility Miron Livny Director and CTO of the SWAMP Morgridge Institute for Research

13 Comprehensive Vision 13 Our target customers are all the members of the Software Assurance (SwA) eco-system – tool developers, software developers, facility managers, researchers, and educators. The community needs a continuous assurance facility that will enable significant improvement in the quality of SwA tools and will lead to a broader adoption of SwA tools and SwA methodologies. While protecting the confidentiality of your data and your privacy, the SWAMP can help you: Identify new (possible) defects in your software every time you commit a change Identify new (possible) defects in a software/library/module you are using every time a new version is released Profile the ability of your SwA tool to identify (possible) software defects every time you commit a change Expose your tools and software to the SwA community SWAMP Vision Document

14 Open to a Diverse Community On 02/02/14, the Software Assurance Marketplace went “live” through a public web interface.  Five public static assessment tools (two public and one private tool added)  State-of-the-art viewer of assessment results  “Plumbing” that simplifies access to SwA tools  A hundred software packages (more than 350 today, 286 of which are from the NIST Juliet Test Suite)  Secure and dependable facility  Access to powerful computing capabilities ( 700 cores, 5 TB of RAM, 104 TB of HDD space, off site backup, state of the art networking)  Provides a framework for building and managing SwA projects  Supports managed access (sharing) to tools, packages, and results 14

15 A Team Effort Designing, building, and operating the SWAMP is a joint effort of four research institutions – Morgridge Institute for Research (lead), Indiana University, University of Illinois Urbana Champaign, and University of Wisconsin – Madison. 15 Miron Livny, MIR Jim Basney, UIUC Bart Miller, UW Von Welch, IU

16 Open & Evolving Framework To meet the diverse and ever-changing needs and expectations of the different groups that compose the software assurance eco-system, a framework that offers an environment with the following key elements is required: New software packages can be added easily New tools can be added easily and efficiently Support for tools that integrate and interpret the output of software assurance tools Access to software products and assessment results at all levels Understanding the process of software assessment 16 Evolving Framework White Paper

17 A Balancing Act The SWAMP needs to strike a balance between competing forces: Easy access vs. legitimate use A few big, long-lived projects vs. many small, short-lived projects Public domain vs. commercial tools Web access vs. API access Mobile applications vs. server applications Neutrality vs. offering guidance and ranking 17

18 DO IT EARLY AND DO IT OFTEN! 18

19 ANY QUESTIONS?

20 THANK YOU FOR ATTENDING! An on-demand version of today’s event with Q&A session will be available soon for you and your colleagues. An announcement will be emailed when the on-demand version premiers.

Download ppt "WELCOME!  The live event will begin at 2PM ET.  Q&A sessions with the presenters will follow.  Please have your speakers turned on.  Do you hear the."

Similar presentations

A Taste of Visual Studio 2005 David Grey. Introduction In this session we will introduce Visual Studio 2005 and its features and examine those features.

A Taste of Visual Studio 2005 David Grey. Introduction In this session we will introduce Visual Studio 2005 and its features and examine those features.
A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. Q&A sessions with the presenters will follow. Please have.

A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. Q&A sessions with the presenters will follow. Please have.
Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)

Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)
Copyright  2002, Medical Present Value, Inc. All rights reserved. Copyright © 2010 Texas Education Agency. All rights reserved. TEA confidential and proprietary.

Copyright  2002, Medical Present Value, Inc. All rights reserved. Copyright © 2010 Texas Education Agency. All rights reserved. TEA confidential and proprietary.
A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. A Q&A session with the presenters will follow. Please have.

A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. A Q&A session with the presenters will follow. Please have.
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Open Security Technology Washington, DC February 11, 2011 Dept. of Homeland Security Science & Technology Directorate Luke Berndt Program Manager.

Open Security Technology Washington, DC February 11, 2011 Dept. of Homeland Security Science & Technology Directorate Luke Berndt Program Manager.
How to Optimize Your Existing Regression Testing Arthur Hicken May 2012.

How to Optimize Your Existing Regression Testing Arthur Hicken May 2012.
Making Condor Safer with… A Collaborative Marketplace for Continuous Software Assurance Brooklin Gore, Chief Operations Officer

Making Condor Safer with… A Collaborative Marketplace for Continuous Software Assurance Brooklin Gore, Chief Operations Officer
Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.

Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.
SAGE-AU Adelaide Windows Update Services Michael Kleef IT Pro Evangelist Microsoft Corporation Level 200.

SAGE-AU Adelaide Windows Update Services Michael Kleef IT Pro Evangelist Microsoft Corporation Level 200.
Red Hat Linux Network. Red Hat Network Red Hat Network is the environment for system- level support and management of Red Hat Linux networks. Red Hat.

Red Hat Linux Network. Red Hat Network Red Hat Network is the environment for system- level support and management of Red Hat Linux networks. Red Hat.
Illinois Institute of Technology

Illinois Institute of Technology
ASP.NET Programming with C# and SQL Server First Edition

ASP.NET Programming with C# and SQL Server First Edition
Introduction to Software Testing

Introduction to Software Testing
Comp 587 Parker Li Bobby Kolski. Automated testing tools assist software engineers to gauge the quality of software by automating the mechanical aspects.

Comp 587 Parker Li Bobby Kolski. Automated testing tools assist software engineers to gauge the quality of software by automating the mechanical aspects.
ClubRunner Connect. Communicate. Collaborate. ClubRunner and Rotary International Database Integration Introduction and Overview Introduced: November 2010.

ClubRunner Connect. Communicate. Collaborate. ClubRunner and Rotary International Database Integration Introduction and Overview Introduced: November 2010.
PopMedNet Software Development Life Cycle Chayim Herzig-Marx Harvard Pilgrim Health Care Institute Daniel Dee Lincoln Peak Partners.

PopMedNet Software Development Life Cycle Chayim Herzig-Marx Harvard Pilgrim Health Care Institute Daniel Dee Lincoln Peak Partners.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Proprietary and Confidential 1. College Registration 2. College as Receiver 3. College as Sender Postsecondary Demonstrations.

Proprietary and Confidential 1. College Registration 2. College as Receiver 3. College as Sender Postsecondary Demonstrations.

Similar presentations

Ads by Google