SWAMP Center to Promote Open Source Code Security, Vulnerability

Starting early next year, open source software developers will have a new resource for making sure their code is secure and combatting cybercrime in the form of the Software Assurance Marketplace, or SWAMP. The effort, which represents a collaboration between a major university and the federal government (specifically, the Department of Homeland Security, or DHS), will offer assurance tools to the open source developer community.

Christopher Tozzi, Contributing Editor

October 15, 2013


The SWAMP will be hosted by the Morgridge Institute for Research in Madison, Wisconsin, which is associated with the University of Wisconsin at Madison. It will allow developers to upload their code and test it for vulnerabilities. Funding comes from a $25 million grant from the DHS—which, as an organization not exactly known for championing privacy, may give some open source developers pause. But hey, at least it's not the National Security Agency.

And while the federal government is playing a central role in the development of the SWAMP, the resources it will provide will be open to all segments of the open source community (including, by every indication so far, those not in the United States). "Everyone from a major corporate developer to the guy writing code in his basement is welcome to come in and assess with us," said Patrick Beyer, project manager for the SWAMP.

Of course, many open source developers might take issue with the underlying assumption of the SWAMP, which (according to a statement announcing the center) is that "awareness of how to protect open source code from malicious intent has not kept pace" with the widespread adoption of open source applications. In contrast, the "all bugs are shallow" principle at the core of the open source ethos suggests that open source code is actually likely to be more secure than proprietary alternatives—which, in any case, are difficult to test publicly for vulnerabilities because they are closed.

Still, the SWAMP stands out as one of the first major efforts to create a public, centralized hub for developing and distributing software assurance tools for open source developers. Plenty of code auditing tools already exist, but the SWAMP aims to make them available in a uniform way. Its broader goal, it said, is to help build "an assurance culture to improve software running everything from the national power grid to medical devices and medical records."

The SWAMP will begin beta testing this month (which, incidentally, is Cyber Security Awareness Month in the state of Wisconsin—who knew?) and aims to be up and running by Jan. 27, 2014.
