The Object Management Group® (OMG®), an international, open membership, not-for-profit technology standards consortium, has issued a Request for Comment (RFC) for the Tools Output Integration Framework™ (TOIF™), which seeks to create a common normalized format for representing the findings of multiple static code analysis tools. Both OMG members and non-members are invited to comment on this framework using the RFC comment form located at before the deadline of February 19, 2018. The most likely commenters include static code analysis (SCA) tool vendors, vulnerability analysis professionals, penetration testing teams, risk management professionals and third-party tool developers.

The proposed flow of the TOIF protocol and the TOIF ecosystem (Photo: Business Wire)

SCA tools help software developers manage the cybersecurity risk of their software. They scan source or machine code of the system under assessment and generate weakness finding reports. While many commercial and open source static code analysis tools are available today, each tool in the market excels in certain types of findings. In order to ensure the quality of their software and make it more resilient to cyber attacks, developers utilize tools from several vendors.

“TOIF will solve an important problem for developers by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the findings, since TOIF converts proprietary findings into a uniform, standards-based nomenclature,” said OMG Systems Assurance Task Force member and OMG Liaison to OASIS, Dr. Nikolai Mansourov, CTO of KDM Analytics. “TOIF defines a vendor-neutral platform for vulnerability analytics. TOIF also empowers companies to use open source SCA tools. Vendors of SCA tools may find it beneficial to plug into TOIF in order to play in an expanded market. Cyber security professionals, responsible for managing risks of software intensive systems, will find that TOIF-enabled SCA tools and TOIF-enabled analytics tools provide enhanced vulnerability detection capability that builds upon both commercial and open source tools. To ensure widespread support, TOIF is coordinated with other efforts within the software assurance community, including the Common Weakness Enumeration (CWE) and the OASIS SARIF.”
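
The normalization step described above, shown as a small added example that is not part of the press release and is not the TOIF format itself (this page does not give the TOIF schema): two hypothetical static analysis tools, "tool-a" and "tool-b", report findings in their own formats and with their own rule identifiers; each native rule is mapped to a CWE entry, the records are converted to one vendor-neutral shape, and findings that agree on CWE, file and line are merged so that a weakness reported by both tools appears once with both sources attached. The tool names, rule IDs, output formats and sample outputs are all constructed for the example; the CWE numbers are real CWE entries. A rule with no CWE mapping is carried through with `cwe=None` rather than silently dropped, since losing findings in the aggregation layer defeats the purpose of running several tools.

```python
"""Aggregate findings from two hypothetical static analysis tools into one
vendor-neutral record keyed by CWE identifier.

Added illustration of the normalisation idea in the press release, not the
TOIF format itself. 'tool-a', 'tool-b', their rule IDs, output formats and the
sample outputs below are constructed; the CWE numbers are real CWE entries.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed output of 'tool-a': a JSON document with native rule IDs.
TOOL_A_OUTPUT = json.dumps({"results": [
    {"rule": "A-BUF-01", "path": "src/net.c", "line": 42, "msg": "strcpy without bound"},
    {"rule": "A-SQLI-03", "path": "src/db.c", "line": 88, "msg": "query built by concatenation"},
    {"rule": "A-STYLE-09", "path": "src/util.c", "line": 7, "msg": "unused variable"},
]})

# Constructed output of 'tool-b': one text line per finding.
TOOL_B_OUTPUT = """\
src/net.c:42: warning: unbounded copy into fixed buffer [B117]
src/web.c:15: warning: untrusted data written to HTML response [B079]
"""

# Per-tool tables from native rule ID to CWE. A-STYLE-09 is deliberately
# absent to show how an unmapped rule is carried through rather than lost.
TOOL_A_TO_CWE = {"A-BUF-01": "CWE-120", "A-SQLI-03": "CWE-89"}
TOOL_B_TO_CWE = {"B117": "CWE-120", "B079": "CWE-79"}


@dataclass(frozen=True)
class Finding:
    """Normalised record (constructed schema). cwe is None when no mapping exists."""
    cwe: Optional[str]
    path: str
    line: int
    sources: tuple   # ("tool:native-rule", ...) so provenance survives merging
    messages: tuple


def parse_tool_a(text, rule_map):
    """Convert tool-a's JSON results into normalised records."""
    return [Finding(rule_map.get(r["rule"]), r["path"], int(r["line"]),
                    (f"tool-a:{r['rule']}",), (r["msg"],))
            for r in json.loads(text)["results"]]


TOOL_B_LINE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+): warning: (?P<msg>.+?) \[(?P<rule>[A-Z0-9]+)\]$")


def parse_tool_b(text, rule_map):
    """Convert tool-b's line-oriented text report into normalised records."""
    out = []
    for raw in text.splitlines():
        m = TOOL_B_LINE.match(raw)
        if m is None:
            continue  # not a finding line (banners, summaries, ...)
        out.append(Finding(rule_map.get(m["rule"]), m["path"], int(m["line"]),
                           (f"tool-b:{m['rule']}",), (m["msg"],)))
    return out


def merge(findings):
    """Collapse records that agree on (cwe, path, line); keep every source."""
    by_key = {}
    for f in findings:
        key = (f.cwe, f.path, f.line)
        prev = by_key.get(key)
        by_key[key] = f if prev is None else Finding(
            f.cwe, f.path, f.line, prev.sources + f.sources, prev.messages + f.messages)
    return sorted(by_key.values(), key=lambda f: (f.path, f.line, f.cwe or ""))


def normalise_all():
    """Run both parsers over the constructed samples and merge the results."""
    return merge(parse_tool_a(TOOL_A_OUTPUT, TOOL_A_TO_CWE)
                 + parse_tool_b(TOOL_B_OUTPUT, TOOL_B_TO_CWE))


if __name__ == "__main__":
    for f in normalise_all():
        print(f"{f.cwe or 'unmapped':9} {f.path}:{f.line}  <- {', '.join(f.sources)}")
```

Running the script lists four normalised findings: the buffer-copy weakness at src/net.c:42 appears once with both tool-a and tool-b as sources, the SQL and HTML injection findings come from one tool each, and the unmapped style rule is kept with no CWE so a reviewer can see that the vendor table needs an entry for it.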

About OMG
The Object Management Group® (OMG®) is an international, open membership, not-for-profit technology standards consortium with representation from government, industry and academia. OMG Task Forces develop enterprise integration standards for a wide range of technologies and an even wider range of industries. OMG modeling standards enable powerful visual design, execution and maintenance of software and other processes. Visit for more information.

Note to editors: Object Management Group and OMG are registered trademarks of the Object Management Group. For a listing of all OMG trademarks, visit All other trademarks are the property of their respective owners.