Zero in on cyber-system vulnerabilities
Blade TOIF (Tool Output Integration Framework) is a powerful software vulnerability detection platform. It provides a standards-based environment and integrates the outputs of multiple vulnerability analysis tools in a single uniform view of vulnerability information, with unified reporting. It leverages OMG Software Assurance Ecosystem standards, Software Fault Patterns (SFPs), and Common Weakness Enumerations (CWEs).
- Reference implementation for standard-based adaptors
- Further CWE normalization of vulnerability reports based on the Software Fault Patterns; adoption of SFPs
- Adoption of standard-based reporting of vulnerabilities
- Utilization of open source development to advance the SwA space
- A common protocol for exchanging vulnerability findings
- Based on an existing standard protocol for exchanging system facts: the OMG Knowledge Discovery Metamodel (KDM), now ISO/IEC 19506.
Composite Vulnerability Analysis & Reporting
Blade TOIF’s plug-and-play environment provides a foundation for composite vulnerability analysis by normalizing, semantically integrating, and collating findings from existing vulnerability analysis tools. This improves the breadth and accuracy of individual off-the-shelf vulnerability analysis tools. It also provides developers and security analysts with a powerful vulnerability analysis and management environment for analyzing, reporting and fixing discovered weaknesses and vulnerabilities.
Out of the box, Blade TOIF seamlessly integrates into the Eclipse Development Environment and with five open-source vulnerability analysis tools:
The Blade TOIF package includes two components: a server (load-build) deployment and desktop deployments. Results from the server can be shared with all subscribed desktops, which eliminates the need to deploy every vulnerability analysis tool to each desktop.
Blade TOIF is offered on a per-seat subscription basis.
Blade TOIF Features & Options
Features and options across the three editions (TOIF Open Source Software, Blade TOIF Server, Blade TOIF Desktop):
- Targeted to load-build type of environment
- SCA tools are run outside the TOIF environment; results are imported and merged inside TOIF
- SCA tools run as command lines; results must be manually imported into the Findings Viewer
- Configurable prioritized reports
- Export to .tsv format to view data in a spreadsheet or import into Blade TOIF Desktop
- Default confidence per tool per SFP/CWE
- Targeted to integrated development environment (Eclipse) developers at the desktop
- SCA tools are run within the integrated development environment (Eclipse); results are automatically passed to the Report Viewer
- SCA tools take the compile environment (includes, defines, etc.) from the integrated development environment (Eclipse) project file/settings
- Installation wizard and preferences for SCA tool options
- Thread pooling of some SCA tools
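As an added illustration (not TOIF's own code or data formats) of the normalize, collate and prioritize flow described under Composite Vulnerability Analysis, and of the per-tool default confidence and .tsv export listed among the features, the following Python sketch assumes two hypothetical tools ("toolA", "toolB") and illustrative rule-to-CWE and confidence tables:

```python
from collections import defaultdict

# Constructed findings from two hypothetical SCA tools ("toolA", "toolB"); not real tool output.
RAW_FINDINGS = [
    {"tool": "toolA", "rule": "A-BUF-01", "file": "src/net.c", "line": 42},
    {"tool": "toolB", "rule": "B-overflow", "file": "src/net.c", "line": 42},
    {"tool": "toolA", "rule": "A-FMT-03", "file": "src/log.c", "line": 17},
    {"tool": "toolB", "rule": "B-nullderef", "file": "src/parse.c", "line": 88},
]
# Assumed adaptor tables: native rule id -> (CWE, SFP cluster), and a default
# confidence per tool per CWE in 0..1. All values are illustrative.
RULE_TO_CWE = {"A-BUF-01": ("CWE-120", "SFP8"), "B-overflow": ("CWE-120", "SFP8"),
               "A-FMT-03": ("CWE-134", "SFP24"), "B-nullderef": ("CWE-476", "SFP7")}
DEFAULT_CONFIDENCE = {("toolA", "CWE-120"): 0.6, ("toolB", "CWE-120"): 0.5,
                      ("toolA", "CWE-134"): 0.8, ("toolB", "CWE-476"): 0.4}

def normalize(raw):
    """Translate each tool-native finding into the shared CWE/SFP vocabulary."""
    out = []
    for f in raw:
        cwe, sfp = RULE_TO_CWE[f["rule"]]
        out.append({**f, "cwe": cwe, "sfp": sfp, "confidence": DEFAULT_CONFIDENCE[(f["tool"], cwe)]})
    return out

def collate(findings):
    """Merge findings that report the same CWE at the same location. Confidence is
    combined as 1 - prod(1 - c_i): independent tools agreeing raise the score."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["file"], f["line"], f["cwe"])].append(f)
    merged = []
    for (path, line, cwe), fs in groups.items():
        miss = 1.0  # probability that every reporting tool is wrong
        for f in fs:
            miss *= 1.0 - f["confidence"]
        merged.append({"file": path, "line": line, "cwe": cwe, "sfp": fs[0]["sfp"],
                       "tools": sorted(f["tool"] for f in fs), "confidence": round(1.0 - miss, 3)})
    return sorted(merged, key=lambda m: m["confidence"], reverse=True)  # prioritized report

def to_tsv(merged):
    """Render the prioritized report as tab-separated text for a spreadsheet."""
    rows = ["file\tline\tcwe\tsfp\ttools\tconfidence"]
    for m in merged:
        rows.append("\t".join(str(x) for x in (m["file"], m["line"], m["cwe"], m["sfp"],
                                              ",".join(m["tools"]), m["confidence"])))
    return "\n".join(rows)
```

Two tools flagging the same CWE at the same line collapse into one row with a higher combined confidence, which is the effect composite analysis is meant to have on the breadth and accuracy of any single tool.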