SWAP report and defense software
October 15, 2022

SWAP Report for Defense Software Overview


In May 2019, the Defense Innovation Board (DIB) published the Software Acquisition and Practices (SWAP) report. Influenced by those findings, Perforce surveyed more than 300 aerospace and defense software development professionals to better understand the current challenges that they face. The findings of that survey were published in The State of Aerospace and Defense Software Development.

As technology continues to evolve, so do the challenges developers face in aerospace and defense software development. A top concern is cybersecurity. Perforce recently published a white paper about How to Improve Cybersecurity for Tomorrow's Aerospace and Defense Needs.

Choosing the right software development tools can help overcome some of the most prevalent challenges in defense software development.


What Is the SWAP Report?

The DIB’s SWAP report was an 18-month study into how to develop, procure, assure, deploy, and continuously improve software for use in the Department of Defense. It explained that the ability of the Department of Defense (DoD) to adapt and respond to threats will now be determined by its ability to rapidly develop and deploy software to the field.

SWAP Report Key Findings

The report found that the ability to develop, procure, assure, deploy, and continuously improve software is central to US national defense. Yet the threats that the United States faces are changing at an ever-increasing pace, and the Department of Defense's (DoD's) ability to adapt and respond is now determined by its ability to develop and deploy software to the field rapidly.

Unfortunately, the SWAP report found that "the current approach to software development is broken and is a leading source of risk to DoD". Based on its research, the SWAP report outlined the external and self-inflicted barriers DoD faces in implementing modern software practices and laid out steps to address current gaps.


What Are the Themes of the SWAP Report?

There are three fundamental themes that the SWAP report emphasizes:

1. Speed and Cycle Time Are The Most Important Metrics

To maintain an advantage, DoD needs to procure, deploy, and update software that works for its users at the speed of mission need, executing more quickly than our adversaries.

Statutes, regulations, and cultural norms that get in the way of deploying software to the field quickly weaken our national security and expose our nation to risk.

2. Defense Software Is Made by People and For People

DoD’s current personnel processes and culture will not allow its military and civilian software capabilities to grow nearly fast or deep enough to meet its mission needs.

New mechanisms are needed for attracting, educating, retaining, and promoting digital talent and for supporting the workforce to follow modern practices, including developing software hand in hand with users.

3. Defense Software Is Different Than Hardware

Hardware can be developed, procured, and maintained in a linear fashion. Defense software is an enduring capability that must be supported and continuously improved throughout its life cycle.

DoD must streamline its acquisition process and transform its culture to enable effective delivery and oversight of multiple types of software-enabled systems, at scale, and at the speed of relevance.


What Are the SWAP Report’s Recommendations for Defense Software Development?

One of the key pieces of guidance that the SWAP report lays out is to “change the practice of how software is procured and developed.”

The overriding theme of that piece of guidance is one of cultural change.

"...the software industry has already implemented and demonstrated the utility of the types of changes we envision. The problem appears to be in getting the military enterprise to adopt a software mindset and implement a DevSecOps approach in a system that was intended to make sure that things would not move too quickly."

Key recommendations for this line of effort are summarized as:

Require Access to Source Code, Software Frameworks, and Development Toolchains

The desired state is that DoD has access to source code for DoD-specific software systems that it operates and uses to perform a detailed (and automated) evaluation of software correctness, security, and performance, enabling more rapid deployment of both initial software releases and (most important) upgrades (patches and enhancements).

DoD is able to rebuild executables from scratch for all of its systems and has the rights and ability to modify (DoD-specific) code when new conditions and features arise.

At the same time contractors need to use licensing agreements that protect any IP that they have developed with their own resources. Industry trusts DoD with its code and has appropriate IP rights for internally developed code.

The best version control systems give administrators many granular ways to control access to code for compliance and governance. For example, with Helix Core, you can define access rights for users, groups, and programs down to the level of individual depot paths.
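As an added illustration (not taken from the page or from Perforce documentation), the following constructed Helix Core protections table applies that idea to the "DoD owns its code, contractors keep their own IP" split described above; the depot paths, user and group names are assumed. Later lines override earlier ones, so the exclusion on the secure path is revoked for everyone and then re-granted only to the group that needs it.

```text
Protections:
	super user p4admin * //...
	write group program-devs * //depot/program/...
	read group program-reviewers * //depot/program/...
	read group contractor-x * //depot/program/shared/...
	list user * * -//depot/program/secure/...
	write group program-secure * //depot/program/secure/...
```

No line grants anything to `user *` by default, so an account that is not in one of these groups has no access to the program's source at all, which is the least-privilege posture the zero-trust recommendation below calls for.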

Make Security a First-Order Consideration for all Software-Intensive Systems

Current DoD systems often rely on security-at-the-perimeter as a means of protecting code from unauthorized access. If this perimeter is breached, then a large array of systems can be compromised.

Multiple reports by the GAO, the Department of Defense Office of Inspector General (DoDIG), and other agencies have identified cybersecurity as a major issue in acquisition programs.

The desired future state is that DoD systems use a zero-trust security model in which it is not assumed that anyone who can gain access to a given network or system should have access to anything within that system.

In addition to access control, the report recommends that code is routinely scanned against currently known vulnerabilities and that regular, automated penetration testing is performed.

Static code analysis supports secure software development because half of all security defects are introduced at the source code level. So, finding and fixing bugs as soon as code is written is critical.

But, many developers lack security training. And, identifying security problems during a code review can be difficult, if not impossible. Security mistakes can be subtle and easy to overlook even for trained developers. Static code analysis tools can bridge that knowledge gap.

Shift From the Use of Rigid Lists of Requirements for Software Programs to a List of Desired Features and Required Interfaces

Current DoD requirements processes significantly impede its ability to implement modern defense software development practices by forcing programs to spend years establishing requirements and insisting on the satisfaction of requirements before a project is considered “done”. This impedes the rapid implementation of features that are of the greatest value to the user.

The desired state is that rather than a list of requirements for every feature, programs should establish a minimum set of requirements required for initial operation, security, interoperability, and place all other desired features on a list that will be implemented in priority order, with the ability for DoD to redefine priorities on a regular basis.

For any reasonably sized project, you need a tool to manage, track, and help to prioritize requirements. This is best done within a comprehensive — yet easy-to-use — application lifecycle management suite.


A Modern DevOps Approach for Defense Software

The SWAP report shows that there is some way to go in the way the United States DoD views software procurement and development, but we see that many organizations are already well along the journey to mature DevSecOps operations.

The DevSecOps philosophy is built around agile development concepts with built-in security, continuous integration, and automated testing. Hundreds of the most successful organizations are already using Perforce products as key components of their DevSecOps infrastructure.

Helix Core is the best version control for world-class development at scale. It securely versions all digital content — even large files — in a single repository. It scales for large teams, handles thousands of daily transactions, and delivers files quickly to remote users.

Helix ALM simplifies traceability for complex product development.

Perforce static code analyzers — Helix QAC and Klocwork — are used by the world's top 8 global defense contractors. They have evolved over 30 years to be recognized as the most accurate and precise.
