01-11-18

Contact:
Ann McDonough
Object Management Group
+1-781-444 0404
[email protected]


Object Management Group Issues RFC for Tools Output Integration Framework (TOIF)
TOIF to provide a standards-based protocol for reporting source/machine code weaknesses for a uniform view of vulnerability information

Needham, MA – January 11, 2018 – The Object Management Group® (OMG®), an international, open membership, not-for-profit technology standards consortium, has issued a Request for Comment (RFC) for the Tools Output Integration Framework™ (TOIF™), which seeks to create a common normalized format for representing the findings of multiple static code analysis tools. Both OMG members and non-members are invited to comment on this framework using the RFC comment form located at https://www.omg.org/technology/rfc-form.htm before the deadline of February 19, 2018. The most likely commenters include static code analysis (SCA) tool vendors, vulnerability analysis professionals, penetration testing teams, risk management professionals and third-party tool developers.

SCA tools help software developers manage the cybersecurity risk of their software. They scan source or machine code of the system under assessment and generate weakness finding reports. While many commercial and open source static code analysis tools are available today, each tool in the market excels in certain types of findings. In order to ensure the quality of their software, and make it more resilient to cyber attacks, developers utilize tools from several vendors.

“TOIF will solve an important problem for developers by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the findings, since TOIF converts proprietary findings into a uniform, standards-based nomenclature,” said OMG Systems Assurance Task Force member Dr. Nikolai Mansourov, CTO of KDM Analytics. “TOIF defines a vendor-neutral platform for vulnerability analytics. TOIF also empowers companies to use open source SCA tools. Vendors of SCA tools may find it beneficial to plug into TOIF in order to play in an expanded market. Cyber security professionals, responsible for managing risks of software intensive systems, will find that TOIF-enabled SCA tools and TOIF-enabled analytics tools provide enhanced vulnerability detection capability that builds upon both commercial and open source tools. To ensure widespread support, TOIF is coordinated with other efforts within the software assurance community, including the Common Weakness Enumeration (CWE) and the OASIS SARIF.”

The proposed flow of the TOIF protocol and the TOIF ecosystem.

About OMG
The Object Management Group® (OMG®) is an international, open membership, not-for-profit technology standards consortium with representation from government, industry and academia. OMG Task Forces develop enterprise integration standards for a wide range of technologies and an even wider range of industries. OMG's modeling standards enable powerful visual design, execution and maintenance of software and other processes. Visit www.omg.org for more information.

###

Note to editors: For a listing of all OMG trademarks, visit https://www.omg.org/legal/tm_list.htm. All other trademarks are the property of their respective owners.