Introduction to the TOIF 20171107 - OASIS (transcript of slides)
Dr. Nikolai Mansourov, CTO, KDM Analytics
Liaison to OASIS
Introduction to TOIF
November 8, 2017. Copyright © 2017 OMG. All rights reserved.
Who Is OMG?
Object Management Group (OMG) factlets:
• Founded in 1989
• 260+ member organizations worldwide
• One of the largest and longest-standing not-for-profit, open-membership consortia developing and maintaining computer industry specifications.
• Continuously evolving to remain current while retaining a position of thought leadership.
Developing Standards in:
Standards are developed using OMG’s mature, worldwide, open development process. With over 25 years of standards work, OMG’s one-organization, one-vote policy ensures that every vendor and end-user, large and small, has an effective voice in the process.
Best-Known Successes
• Unified Modeling Language (UML™): ubiquitous visual modelling language applicable to designing any software system
• Business Process Model and Notation (BPMN™): provides businesses with the capability of understanding their internal business procedures
• Systems Modeling Language (SysML™): supports the specification, analysis, design, and verification and validation of a broad range of complex systems
• Data Distribution Service (DDS™): real-time, data-centric, publish-subscribe OMG specification for data distribution
• Meta Object Facility (MOF™): the repository standard
• XML Metadata Interchange (XMI®): the standard for interchanging models
• Knowledge Discovery Metamodel (KDM): supports platform-independent, vendor-neutral representation of code and software systems
Who Are OMGers?
Here is a sample of some of the hundreds of organizations OMG works with:
ACORD
Adaptive
Airbus Group
AIST
Appian
ASMG
AT&T
Benchmark Consulting
Boeing
Carnegie Mellon Univ.
CA Technologies
Collibra
Deere & Company
Dell Technologies
DSTO
eProsima
FICO
Fraunhofer FOKUS
Fujitsu
General Dynamics
GE
Georgia Tech
iGrafx
IBM
InterPARES Trust
KDM Analytics
Lockheed Martin
MEGA International
Microsoft
MITRE
No Magic
Northrop Grumman
Oracle
Perry Ellis
PNA Group
PrismTech
ProSTEP iViP
PTC
QualiWare
Real Time Logic
RTI
SAP SE
Seiko Epson
Software AG
Sparx Systems
State Street
THALES
The Aerospace Corporation
Thematix
Twin Oaks
Liaison Relationships
Organizational Structure
Architecture Board:
§ Business Architecture SIG
§ Liaison SC
§ Model Interchange SIG
§ Object & Reference Model SC
§ Spec Mgmt. SC
Platform TC:
§ Agent PSIG
§ A & D PTF
§ ADM PTF
§ Data Distribution PSIG
§ Methods & Related Tools PSIG
§ MARS PTF
§ Ontology PSIG
§ SysA PTF
Domain TC:
§ BMI DTF
§ C4I DTF
§ Finance DTF
§ Government Information Sharing & Services DTF
§ Healthcare DTF
§ Mfg. Tech & Ind. Systems DTF
§ Mathematical Formalisms DSIG
§ Retail DTF
§ Robotics DTF
§ Space DTF
§ Sys Eng DSIG
Systems Assurance TF
• Mission: Establish a common framework for analysis and exchange of information related to system assurance and trustworthiness. This framework, called the Systems Assurance Ecosystem, focuses on software-based systems and facilitates assessments for cybersecurity and safety.
• Strategy: Leverage and connect existing OMG/ISO and other standards, identify gaps and develop specifications to establish end-to-end protocols.
• Unique group of experts: specialists in cybersecurity, safety, enterprise architectures, software analysis, security scientists, ontologists (clients, government, tool vendors and academia).
• Lockheed Martin, Toyota, Fujitsu, US Air Force, MACE (Multi-Agency Collaboration Environment), Mitre, University of York, AIST, No Magic, Model-Driven Solutions, KDM Analytics
Interrelations of Assurance
Diagram labels (assurance interrelations): Mission Assurance; Systems Assurance (*the "-ilities"); Safety Assurance (*the "-ilities"); Cyber Assurance; Software Assurance
*The "-ilities": Reliability, Schedulability, Maintainability, Dependability, etc.
Standards involved:
• UPDM, UAF – modeling enterprise architecture, mission and system level, security controls
• SysML – model-based systems engineering
• SACM – representing the structured argument
• KDM – representing software systems
• CWE – informal enumeration of weaknesses
• SFP – formal representation of discernible software weaknesses and patterns
• CRAF – Unified Cyber Risk Assessment Framework
• CAPEC – cyber attack patterns
• TOIF – representing weakness findings
Tools Output Integration Framework (TOIF)
• Problem: Effective and systematic measurement of the cybersecurity risks posed by software vulnerabilities
• Challenge: One of the key challenges is that the analysis solution consists of multiple tools, information sources and services that are currently fragmented, lacking intuitive and efficient integration, due to:
  • Inconsistency in the nomenclature of reported weaknesses caused by ambiguity of weakness definitions – inconsistency in interpretation of Common Weakness Enumeration (CWE) instances
  • Lack of agreement on what the parts of a weakness to report are – what constitutes a weakness report
  • Lack of interoperability that is based on a common definition of system artifacts
Tools Output Integration Framework (TOIF) protocol
Diagram labels (TOIF protocol): Code; SCA tools; TOIF adaptors; TOIF producers; TOIF integration; TOIF orchestration; TOIF repository; TOIF browser; KDM tool; TOIF consumers
Non-intrusive; contributions from both vendors and clients
TOIF specification
Diagram labels (TOIF specification): TOIF adaptor; SCA tool
• TOIF Conceptual Model – in SBVR (non-normative)
• TOIF Logical Model – in MOF/UML (normative); derived from the conceptual model by a systematic transformation
• TOIF XMI XSD – transformation defined by XMI
• TOIF Segment XMI instance
TOIFConceptualandLogicalModels
TOIFXMIXSDandXMIInstance
TOIF XMI XSD (fragment); TOIF XMI instance (fragment)
Overview of TOIF Noun Concepts
TOIF Conceptual Model
TOIF Basic Concepts:
• Finding
• Code Location
• Weakness Type Identifier
• CWE Identifier
• SFP Identifier
• SFP Cluster
• Weakness Description
• File
• Directory
• Statement
• Data Element
• Build
• Tool
TOIF Housekeeping Concepts:
• Generator
• Adaptor
• Tool
• Project
• Organization
• Vendor
• Person
• Role
• TOIF Segment
TOIF Fact-Oriented Concepts:
• Fact
• Entity
• Attribute
• Record
• Build Record
• Compile Record
• Generator Record
• Basic Entity
• Housekeeping Entity
• Finding Fact
• Location Fact
• Semantic Fact
• Build Fact
• Project Fact
• Tool Fact
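The TOIF problem statement earlier in the deck (inconsistent CWE nomenclature across tools, no agreement on what a weakness report contains, no common definition of code artifacts) and the noun concepts listed above (Finding, Code Location, CWE Identifier, SFP Cluster, Tool, Adaptor) can be made concrete with a small integration pipeline. The following Python is an added example written for this transcript; it is not OMG's TOIF specification, its XMI schema, or KDM Analytics' code. The two tool output formats, the sample findings, the CWE-to-SFP table and the record layout are all constructed for the example.

```python
"""Toy TOIF-style integration of SCA tool output (added example, not OMG's TOIF schema).
Per-tool adaptors turn native output into a common Finding record, a normalizer
maps the reported CWE to an SFP cluster, and integration merges findings at the
same code location and cluster, keeping the list of tools that agree.
Tool formats, sample findings and the CWE table are all constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed CWE -> SFP cluster table with placeholder cluster names (not the
# published SFP mapping). Missing or unmapped CWEs fall into a sentinel cluster
# so that no finding is silently dropped during integration.
CWE_TO_SFP = {
    "CWE-120": "SFP-BUFFER-ACCESS (placeholder)",
    "CWE-121": "SFP-BUFFER-ACCESS (placeholder)",
    "CWE-476": "SFP-POINTER-USE (placeholder)",
}
UNMAPPED = "SFP-UNMAPPED"

@dataclass(frozen=True)
class Finding:
    """Common record every adaptor produces (the deck's 'Finding' / 'Finding Fact')."""
    tool: str
    file: str
    line: int
    cwe: Optional[str]      # "CWE-120" style, or None when the tool reports none
    description: str

def normalize_path(path: str) -> str:
    """One canonical code location: './src/a.c' and 'src/a.c' must compare equal."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path

def adapt_tool_a(output: str) -> list:
    """Adaptor for hypothetical 'tool-a', which emits one JSON object per line."""
    findings = []
    for raw in output.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        cwe = f"CWE-{rec['cwe']}" if rec.get("cwe") is not None else None
        findings.append(Finding("tool-a", normalize_path(rec["path"]),
                                int(rec["line"]), cwe, rec["message"]))
    return findings

# Hypothetical 'tool-b' text format:  path:line: message [CWE-nnn]
_TOOL_B = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+): (?P<msg>.*?)(?: \[(?P<cwe>CWE-\d+)\])?$")

def adapt_tool_b(output: str) -> list:
    """Adaptor for hypothetical 'tool-b', a compiler-style text report."""
    findings = []
    for raw in output.splitlines():
        m = _TOOL_B.match(raw.strip())
        if not m:
            continue  # not a finding line (banner, summary, ...)
        findings.append(Finding("tool-b", normalize_path(m["path"]),
                                int(m["line"]), m["cwe"], m["msg"]))
    return findings

def sfp_cluster(cwe: Optional[str]) -> str:
    """Normalize a weakness type identifier (CWE) to its SFP cluster."""
    return CWE_TO_SFP.get(cwe, UNMAPPED) if cwe else UNMAPPED

def integrate(findings: list) -> list:
    """Merge findings by (file, line, SFP cluster); record which tools agree."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.file, f.line, sfp_cluster(f.cwe))].append(f)
    merged = []
    for (file, line, cluster), fs in sorted(groups.items()):
        merged.append({
            "file": file, "line": line, "sfp_cluster": cluster,
            "cwes": sorted({f.cwe for f in fs if f.cwe}),
            "tools": sorted({f.tool for f in fs}),
            "descriptions": [f.description for f in fs],
        })
    return merged

# Constructed sample output of the two hypothetical tools run on the same code.
TOOL_A_OUTPUT = """
{"path": "./src/copy.c", "line": 42, "cwe": 120, "message": "strcpy into fixed buffer"}
{"path": "src/parse.c", "line": 17, "cwe": 476, "message": "p may be NULL"}
{"path": "src/parse.c", "line": 90, "cwe": null, "message": "unchecked return value"}
"""
TOOL_B_OUTPUT = """\
src/copy.c:42: buffer overflow via strcpy [CWE-121]
src/parse.c:17: null dereference of p [CWE-476]
src/util.c:5: suspicious cast [CWE-704]
"""

def run_example() -> list:
    """Run both adaptors on the sample output and integrate the results."""
    return integrate(adapt_tool_a(TOOL_A_OUTPUT) + adapt_tool_b(TOOL_B_OUTPUT))

if __name__ == "__main__":
    print(json.dumps(run_example(), indent=1))
```

The buffer overflow that tool-a reports as CWE-120 and tool-b as CWE-121 lands in one integrated record under one SFP cluster with both tools listed, which is the kind of normalization the follow-up topic on CWE and SFP refers to; the finding without a CWE and the one whose CWE is absent from the table are kept under the sentinel cluster rather than discarded, so the integration step never loses a report it cannot classify.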
TOIFXMIExample
Knowledge Discovery Metamodel (KDM)
ISO/IEC 19506:2012
Diagram labels: Source code; Executable code; KDM tool; SCA tool; TOIF facts; KDM facts
Follow-up Topics
• Full presentation of the TOIF Abstract Structure
• Full presentation of the TOIF Basic Entities and Facts
• Full presentation of the TOIF Housekeeping Entities and Facts
• Orchestration of TOIF builds
• Normalizing weakness types through CWE and SFP: lessons learned
• TOIF and KDM as a foundation for deep integration of findings and code facts
• TOIF and SFP: toward checkers parameterized with standard formal weakness descriptions
Questions