Introduction to the TOIF 20171107 - OASIS

Page 1

Introduction to TOIF

Dr. Nikolai Mansourov, CTO, KDM Analytics, Liaison to OASIS

November 8, 2017. Copyright © 2017 OMG. All rights reserved.

Page 2

Who Is OMG?

Object Management Group (OMG) factlets:

• Founded in 1989
• 260+ member organizations worldwide
• One of the largest and longest-standing not-for-profit, open-membership consortia developing and maintaining computer industry specifications
• Continuously evolving to remain current while retaining a position of thought leadership

Page 3

Developing Standards in:

Standards are developed using OMG's mature, worldwide, open development process. With over 25 years of standards work, OMG's one-organization, one-vote policy ensures that every vendor and end-user, large and small, has an effective voice in the process.

Page 4

Best-Known Successes

• Unified Modeling Language (UML™): ubiquitous visual modelling language applicable to designing any software system
• Business Process Model and Notation (BPMN™): provides businesses with the capability of understanding their internal business procedures
• Systems Modeling Language (SysML™): supports the specification, analysis, design, and verification and validation of a broad range of complex systems
• Data Distribution Service (DDS™): real-time, data-centric, publish-subscribe OMG specification for data distribution
• Meta Object Facility (MOF™): the repository standard
• XML Metadata Interchange (XMI®): the standard for interchanging models
• Knowledge Discovery Metamodel (KDM): supports platform-independent, vendor-neutral representation of code and software systems

Page 5

Who Are OMGers?

Here is a sample of some of the hundreds of organizations OMG works with:

ACORD, Adaptive, Airbus Group, AIST, Appian, ASMG, AT&T, Benchmark Consulting, Boeing, Carnegie Mellon Univ., CA Technologies, Collibra, Deere & Company, Dell Technologies, DSTO, eProsima, FICO, Fraunhofer FOKUS, Fujitsu, General Dynamics, GE, Georgia Tech, iGrafx, IBM, InterPARES Trust, KDM Analytics, Lockheed Martin, MEGA International, Microsoft, MITRE, No Magic, Northrop Grumman, Oracle, Perry Ellis, PNA Group, PrismTech, ProSTEP iViP, PTC, QualiWare, Real Time Logic, RTI, SAP SE, Seiko Epson, Software AG, Sparx Systems, State Street, THALES, The Aerospace Corporation, Thematix, Twin Oaks

Page 6

Liaison Relationships

Page 7

Organizational Structure

Architecture Board:
• Business Architecture SIG
• Liaison SC
• Model Interchange SIG
• Object & Reference Model SC
• Spec Mgmt. SC

Platform TC:
• Agent PSIG
• A & D PTF
• ADM PTF
• Data Distribution PSIG
• Methods & Related Tools PSIG
• MARS PTF
• Ontology PSIG
• SysA PTF

Domain TC:
• BMI DTF
• C4I DTF
• Finance DTF
• Government Information Sharing & Services DTF
• Healthcare DTF
• Mfg. Tech & Ind. Systems DTF
• Mathematical Formalisms DSIG
• Retail DTF
• Robotics DTF
• Space DTF
• Sys Eng DSIG

Page 8

Systems Assurance TF

• Mission: Establish a common framework for analysis and exchange of information related to system assurance and trustworthiness. This framework, called the Systems Assurance Ecosystem, focuses on software-based systems and facilitates assessments for cybersecurity and safety.
• Strategy: Leverage and connect existing OMG/ISO and other standards, identify gaps and develop specifications to establish end-to-end protocols.
• Unique group of experts: specialists in cybersecurity, safety, enterprise architectures, software analysis, security scientists, ontologists (clients, government, tool vendors and academia)
• Lockheed Martin, Toyota, Fujitsu, US Air Force, MACE (Multi-Agency Collaboration Environment), Mitre, University of York, AIST, No Magic, Model-Driven Solutions, KDM Analytics

Page 9

Interrelations of Assurance

[Figure: Mission Assurance, Systems Assurance (the "-ilities"*), Safety Assurance, Cyber Assurance, Software Assurance]

*The "-ilities": reliability, schedulability, maintainability, dependability, etc.

• UPDM, UAF: modeling enterprise architecture, mission and system level, security controls
• SysML: model-based systems engineering
• SACM: representing the structured argument
• KDM: representing software systems
• CWE: informal enumeration of weaknesses
• SFP: formal representation of discernable software weaknesses and patterns
• CRAF: Unified Cyber Risk Assessment Framework
• CAPEC: cyber attack patterns
• TOIF: representing weakness findings

Page 10

Tools Output Integration Framework (TOIF)

• Problem: effective and systematic measurement of the cybersecurity risks posed by software vulnerabilities
• Challenge: one of the key challenges is that an analysis solution consists of multiple tools, information sources and services that are currently fragmented, lacking intuitive and efficient integration, due to:
  • Inconsistency in the nomenclature of reported weaknesses, caused by ambiguity of weakness definitions (inconsistency in the interpretation of Common Weakness Enumeration (CWE) instances)
  • Lack of agreement on what the parts of a weakness report are (what constitutes a weakness report)
  • Lack of interoperability based on a common definition of system artifacts

Page 11

Tools Output Integration Framework (TOIF) protocol

[Figure: Code; SCA tools; KDM tool; TOIF adaptors; TOIF integration; TOIF repository; TOIF browser; TOIF orchestration; TOIF producers; TOIF consumers. Non-intrusive; contributions from both vendors and clients.]

Page 12

TOIF specification

[Figure: the TOIF Conceptual Model, in SBVR (non-normative), is mapped by a systematic transformation to the TOIF Logical Model, in MOF/UML (normative); the transformation defined by XMI yields the TOIF XMI XSD; a TOIF adaptor takes SCA tool output and emits a TOIF Segment XMI instance.]

Page 13

TOIF Conceptual and Logical Models

Page 14

TOIF XMI XSD and XMI Instance

[Figure: TOIF XMI XSD (fragment) beside a TOIF XMI instance (fragment)]

Page 15

Overview of TOIF Noun Concepts

TOIF Conceptual Model

TOIF Basic Concepts:
• Finding
• Code Location
• Weakness Type Identifier
• CWE Identifier
• SFP Identifier
• SFP Cluster
• Weakness Description
• File
• Directory
• Statement
• Data Element
• Build
• Tool

TOIF Housekeeping Concepts:
• Generator
• Adaptor
• Tool
• Project
• Organization
• Vendor
• Person
• Role
• TOIF Segment

TOIF Fact-Oriented Concepts:
• Fact
• Entity
• Attribute
• Record
• Build Record
• Compile Record
• Generator Record
• Basic Entity
• Housekeeping Entity
• Finding Fact
• Location Fact
• Semantic Fact
• Build Fact
• Project Fact
• Tool Fact
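Pages 10, 11 and 15 name the moving parts (one adaptor per SCA tool, normalization of weakness types through CWE and SFP, integration of findings on a common notion of code location) without showing them working together. The Python below is an added example, not code from the TOIF specification, OMG or KDM Analytics. It assumes two hypothetical SCA tools, toolA and toolB, with constructed output formats; a hand-picked excerpt of the CWE-to-SFP mapping (an assumption for the example; the complete mapping is published separately and a real adaptor would load it); and dataclasses that simplify the noun concepts on page 15 (Finding, Code Location, Weakness Type Identifier, Tool, Adaptor, TOIF Segment). It is not the normative TOIF XMI schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt of the CWE -> SFP (Software Fault Pattern) mapping; an assumption
# for this example. A real adaptor loads the complete published CWE/SFP mapping.
CWE_TO_SFP = {
    "CWE-120": ("SFP-8", "Faulty Buffer Access"),
    "CWE-787": ("SFP-8", "Faulty Buffer Access"),
    "CWE-476": ("SFP-7", "Faulty Pointer Use"),
}

# Constructed checker tables for two hypothetical SCA tools. The same defect gets a
# different label and a different CWE id from each tool: that is the nomenclature
# inconsistency the SFP normalization below resolves.
CHECKER_TO_CWE = {
    "toolA": {"BUFFER_OVERFLOW": "CWE-120", "NULL_DEREF": "CWE-476"},
    "toolB": {"OOB-write": "CWE-787", "null-pointer": "CWE-476"},
}

@dataclass(frozen=True)
class CodeLocation:            # simplified TOIF "Code Location": file plus statement line
    file: str
    line: int

@dataclass(frozen=True)
class WeaknessType:            # simplified "Weakness Type Identifier" with CWE and SFP ids
    cwe: str
    sfp: str
    cluster: str

@dataclass(frozen=True)
class Finding:                 # simplified "Finding" fact, tied to the reporting Tool
    tool: str
    checker: str
    location: CodeLocation
    weakness: WeaknessType
    description: str

@dataclass
class Segment:                 # simplified "TOIF Segment": one adaptor's output for one run
    tool: str
    adaptor: str
    findings: List[Finding] = field(default_factory=list)
    unmapped: List[str] = field(default_factory=list)   # raw lines without a CWE mapping

def _normalize(tool: str, checker: str, loc: CodeLocation, msg: str) -> Finding:
    cwe = CHECKER_TO_CWE[tool][checker]     # KeyError: caller records the line as unmapped
    sfp, cluster = CWE_TO_SFP[cwe]
    return Finding(tool, checker, loc, WeaknessType(cwe, sfp, cluster), msg)

def adapt_tool_a(raw: List[str]) -> Segment:
    """Adaptor for toolA's constructed format: 'file:line: warning: [CHECKER] message'."""
    seg = Segment(tool="toolA", adaptor="toolA-adaptor")
    for line in raw:
        try:
            file, lineno, rest = line.split(":", 2)
            checker, msg = rest.split("[", 1)[1].split("]", 1)
            seg.findings.append(_normalize("toolA", checker, CodeLocation(file, int(lineno)), msg.strip()))
        except (ValueError, IndexError, KeyError):
            seg.unmapped.append(line)
    return seg

def adapt_tool_b(raw: List[str]) -> Segment:
    """Adaptor for toolB's constructed format: 'checker<TAB>file<TAB>line<TAB>message'."""
    seg = Segment(tool="toolB", adaptor="toolB-adaptor")
    for line in raw:
        try:
            checker, file, lineno, msg = line.split("\t")
            seg.findings.append(_normalize("toolB", checker, CodeLocation(file, int(lineno)), msg))
        except (ValueError, KeyError):
            seg.unmapped.append(line)
    return seg

def integrate(segments: List[Segment]) -> Dict[Tuple[str, int, str], List[Finding]]:
    """Group findings that share (file, line, SFP). Keying on the SFP rather than the raw
    CWE is what lets toolA's CWE-120 and toolB's CWE-787 at one statement merge."""
    groups: Dict[Tuple[str, int, str], List[Finding]] = {}
    for seg in segments:
        for f in seg.findings:
            groups.setdefault((f.location.file, f.location.line, f.weakness.sfp), []).append(f)
    return groups

def corroboration(groups: Dict[Tuple[str, int, str], List[Finding]]) -> Dict[Tuple[str, int, str], int]:
    """Number of distinct tools behind each integrated weakness (2+ = independent agreement)."""
    return {k: len({f.tool for f in v}) for k, v in groups.items()}

# Constructed sample tool output (not real scan results).
TOOL_A_OUTPUT = [
    "src/net.c:42: warning: [BUFFER_OVERFLOW] strcpy into fixed-size buffer",
    "src/main.c:10: warning: [NULL_DEREF] cfg may be NULL",
]
TOOL_B_OUTPUT = [
    "OOB-write\tsrc/net.c\t42\twrite past end of buf",
    "null-pointer\tsrc/main.c\t10\tcfg dereferenced without check",
    "OOB-write\tsrc/parse.c\t77\tindex not bounded",
    "style-nit\tsrc/parse.c\t80\tunused variable",   # no CWE mapping -> kept as unmapped
]

def run_example():
    """Run both adaptors over the sample output and integrate: (segments, groups, agreement)."""
    segments = [adapt_tool_a(TOOL_A_OUTPUT), adapt_tool_b(TOOL_B_OUTPUT)]
    groups = integrate(segments)
    return segments, groups, corroboration(groups)
```

Two behaviours are the point. The buffer write at src/net.c:42 is reported by both tools under different checker names and different CWE ids (CWE-120 and CWE-787); only the shared SFP makes the integration step treat them as one weakness with two independent reporters. A checker with no CWE mapping (toolB's style-nit) is not silently dropped: it stays in the segment's unmapped list, so the gap in that tool's nomenclature is visible to whoever maintains the adaptor rather than disappearing from the integrated view.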

Page 16

TOIF XMI Example

Page 17

Knowledge Discovery Metamodel (KDM)

ISO/IEC 19506:2012

[Figure: source code and executable code feed a KDM tool, which produces KDM facts; an SCA tool produces TOIF facts.]

Page 18

Followup Topics

• Full presentation of the TOIF Abstract Structure
• Full presentation of the TOIF Basic Entities and Facts
• Full presentation of the TOIF Housekeeping Entities and Facts
• Orchestration of TOIF builds
• Normalizing weakness types through CWE and SFP: lessons learned
• TOIF and KDM as a foundation for deep integration of findings and code facts
• TOIF and SFP: toward checkers parameterized with standard formal weakness descriptions

Page 19

Questions