The Object Management Group® (OMG®), an international, open membership,
not-for-profit technology standards consortium, has issued a Request for
Comment (RFC) for the Tools
Output Integration Framework™ (TOIF™), which seeks to create a
common normalized format for representing the findings of multiple
static code analysis tools. Both OMG members and non-members are invited
to comment on this framework using the RFC comment form located at http://www.omg.org/technology/rfc-form.htm
before the deadline of February 19, 2018. The most likely commenters
include static code analysis (SCA) tool vendors, vulnerability analysis
professionals, penetration testing teams, risk management professionals
and third-party tool developers.
Figure: The proposed flow of the TOIF protocol and the TOIF ecosystem (Photo: Business Wire)
SCA tools help software developers manage the cybersecurity risk of
their software. They scan the source or machine code of the system under
assessment and generate weakness finding reports. While many commercial
and open source static code analysis tools are available today, each
tool on the market excels at certain types of findings. To
ensure the quality of their software and make it more resilient to cyber
attacks, developers therefore use tools from several vendors.
“TOIF will solve an important problem for developers by providing a
uniform and vendor-neutral way of deploying and running multiple tools
on the same code base, disseminating and interpreting the findings,
since TOIF converts proprietary findings into a uniform, standards-based
nomenclature,” said OMG Systems Assurance Task Force member and OMG
Liaison to OASIS, Dr. Nikolai Mansourov, CTO of KDM Analytics. “TOIF
defines a vendor-neutral platform for vulnerability analytics. TOIF also
empowers companies to use open source SCA tools. Vendors of SCA tools
may find it beneficial to plug into TOIF in order to play in an expanded
market. Cyber security professionals, responsible for managing risks of
software intensive systems, will find that TOIF-enabled SCA tools and
TOIF-enabled analytics tools provide enhanced vulnerability detection
capability that builds upon both commercial and open source tools. To
ensure widespread support, TOIF is coordinated with other efforts within
the software assurance community, including the Common Weakness
Enumeration (CWE) and the OASIS SARIF.”
About OMG
The Object Management Group® (OMG®) is an
international, open membership, not-for-profit technology standards
consortium with representation from government, industry and academia.
OMG Task Forces develop enterprise integration standards for a wide
range of technologies and an even wider range of industries. OMG
modeling standards enable powerful visual design, execution and
maintenance of software and other processes. Visit www.omg.org
for more information.
Note to editors: Object Management Group and OMG are registered
trademarks of the Object Management Group. For a listing of all OMG
trademarks, visit http://www.omg.org/legal/tm_list.htm.
All other trademarks are the property of their respective owners.
Article source - Business Wire, all rights reserved. Copyright 2018