From continuous integration to continuous assurance

Abstract

Continuous assurance extends the concept of continuous integration into the software assurance space. The goal is to naturally integrate the security assessment of software into the software development workflow. The Software Assurance Marketplace (SWAMP) [1] was established to support continuous assurance, helping to simplify and automate the process of running code analysis tools, especially static code analysis (SCA) tools. We describe how the SWAMP can be integrated easily into the continuous assurance workflow, providing direct access from integrated development environments (IDEs) such as Eclipse, source code management systems such as git and Subversion, and continuous integration systems such as Jenkins.