OMG Issues RFC for Tools Output Integration Framework
January 11, 2018
The Object Management Group (OMG) has issued a Request for Comment (RFC) for the
Tools Output Integration Framework™ (TOIF™), which seeks to create a
common normalized format for representing the findings of multiple
static code analysis tools. Both OMG members and non-members are invited
to comment on this framework using the RFC comment form located at
before the deadline of February 19, 2018. The most likely commenters
include static code analysis (SCA) tool vendors, vulnerability analysis
professionals, penetration testing teams, risk management professionals
and third-party tool developers.
Figure: The proposed flow of the TOIF protocol and the TOIF ecosystem.
“TOIF will solve an important problem for developers by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the findings, since TOIF converts proprietary findings into a uniform, standards-based nomenclature,” said OMG Systems Assurance Task Force member Dr. Nikolai Mansourov, CTO of KDM Analytics. “TOIF defines a vendor-neutral platform for vulnerability analytics. TOIF also empowers companies to use open source SCA tools. Vendors of SCA tools may find it beneficial to plug into TOIF in order to play in an expanded market. Cyber security professionals, responsible for managing risks of software intensive systems, will find that TOIF-enabled SCA tools and TOIF-enabled analytics tools provide enhanced vulnerability detection capability that builds upon both commercial and open source tools. To ensure widespread support, TOIF is coordinated with other efforts within the software assurance community, including the Common Weakness Enumeration (CWE) and the OASIS SARIF.”