OMG Issues RFC for Tools Output Integration Framework

January 11, 2018

The Object Management Group has issued a Request for Comment (RFC) for the Tools Output Integration Framework™ (TOIF™), which seeks to create a common normalized format for representing the findings of multiple static code analysis tools. Both OMG members and non-members are invited to comment on this framework using the RFC comment form located at before the deadline of February 19, 2018. The most likely commenters include static code analysis (SCA) tool vendors, vulnerability analysis professionals, penetration testing teams, risk management professionals and third-party tool developers.

SCA tools help software developers manage the cybersecurity risk of their software. They scan source or machine code of the system under assessment and generate weakness finding reports. While many commercial and open source static code analysis tools are available today, each tool in the market excels in certain types of findings. In order to ensure the quality of their software, and make it more resilient to cyber attacks, developers utilize tools from several vendors.

The proposed flow of the TOIF protocol and the TOIF ecosystem.

“TOIF will solve an important problem for developers by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the findings, since TOIF converts proprietary findings into a uniform, standards-based nomenclature,” said OMG Systems Assurance Task Force member Dr. Nikolai Mansourov, CTO of KDM Analytics. “TOIF defines a vendor-neutral platform for vulnerability analytics. TOIF also empowers companies to use open source SCA tools. Vendors of SCA tools may find it beneficial to plug into TOIF in order to play in an expanded market. Cyber security professionals, responsible for managing risks of software intensive systems, will find that TOIF-enabled SCA tools and TOIF-enabled analytics tools provide enhanced vulnerability detection capability that builds upon both commercial and open source tools. To ensure widespread support, TOIF is coordinated with other efforts within the software assurance community, including the Common Weakness Enumeration (CWE) and the OASIS SARIF.”

Terms of Use | Copyright © 2002 - 2018 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement