
Industry leaders collaborate to define SARIF interoperability standard for detecting software defects and vulnerabilities

10-12-2017 05:25 PM CET | IT, New Media & Software

Press release from: OASIS Open

Common data format for static analysis tools is being advanced by CA Technologies, Cryptsoft, FireEye, GrammaTech, Hewlett Packard Enterprise (HPE), Micro Focus, Microsoft, New Context, Phantom, RIPS, SWAMP, Synopsys, U.S. DHS, U.S. NIST, and others.

12 October 2017 – Members of the OASIS nonprofit consortium are working together to define an international interoperability standard for static analysis. The goal is to make it easier for software developers to assess the quality and security of their programs by aggregating data from multiple tools.

The new OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee brings together major software companies, cybersecurity providers, government, security orchestration specialists, programmers, and consultants to agree on a data format that will be parseable by tools across the industry.

"At a time when more corporate value – and liability – is being driven by software, organizations need new ways to efficiently improve the quality and security of their systems," said Chris Rommel, executive vice president of VDC Research. "With SARIF, they will be able to do just that and better leverage the combined, unique insights available from the range of static analysis solutions available today."

"SARIF represents a leap forward in the usability of static analysis tools," said David Keaton, co-chair of the OASIS SARIF Technical Committee. "Many organizations in the safety and security communities use several competing tools on their code. SARIF will allow them to combine and compare the results more easily to gain a sharper picture of the issues in their code that need to be addressed."
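The release describes SARIF only as a common, tool-parseable format for combining and comparing results from several static analysis tools. The following is an added example of what that looks like in practice; it is not code from OASIS, the SARIF Technical Committee, or any vendor named here. It assumes the JSON layout of SARIF 2.1.0 (the version OASIS approved in 2020, later than this 2017 announcement): a `runs` array, each run carrying `tool.driver.name` and a `results` array whose entries have a `ruleId`, a `level`, a `message.text`, and `locations` with a `physicalLocation`. The two tool names, rule IDs, file paths and findings are constructed for illustration. The script normalizes findings from any number of logs, groups them by file and line, and reports locations that more than one tool flagged, which is the "combine and compare" workflow the quotes above describe.

```python
"""Merge SARIF logs from several static analysis tools and compare their findings.

Added example, not part of the original press release. The JSON layout follows
SARIF 2.1.0 (approved by OASIS in 2020, later than this 2017 announcement);
tool names, rule IDs, files and findings below are constructed, not real output.
"""
import json
from collections import defaultdict


def _log(tool_name, results):
    """Wrap a result list in the minimal SARIF 2.1.0 envelope (one run)."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}],
    })


def _result(rule_id, uri, line, text, level=None):
    """Build one SARIF 'result' object with a single physical location."""
    result = {
        "ruleId": rule_id,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }
    if level is not None:
        result["level"] = level
    return result


# Constructed sample logs from two hypothetical tools. Both flag src/db.py:42
# (the same bug in two vocabularies); each also reports something the other misses.
TOOL_A_LOG = _log("ToolA", [
    _result("A001", "src/db.py", 42, "Tainted data reaches SQL query", "error"),
    _result("A002", "src/util.py", 3, "Unused import", "warning"),
])
TOOL_B_LOG = _log("ToolB", [
    _result("B-SQLI", "src/db.py", 42, "SQL injection sink", "error"),
    _result("B-SECRET", "src/auth.py", 17, "Possible hardcoded credential"),  # no level
])


def load_findings(sarif_text):
    """Yield one normalized finding per result location in a SARIF log."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % log.get("version"))
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            # SARIF 2.1.0 treats a missing 'level' as "warning" when no rule default applies.
            level = result.get("level", "warning")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                yield {
                    "tool": tool,
                    "rule": result.get("ruleId"),
                    "level": level,
                    "uri": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": result["message"]["text"],
                }


def merge(*sarif_texts):
    """Group findings from any number of logs by (file, line)."""
    merged = defaultdict(list)
    for text in sarif_texts:
        for finding in load_findings(text):
            merged[(finding["uri"], finding["line"])].append(finding)
    return dict(merged)


def corroborated(merged):
    """Locations reported by more than one distinct tool: usually worth triaging first."""
    return sorted(key for key, findings in merged.items()
                  if len({f["tool"] for f in findings}) > 1)


def summary(merged):
    """Count findings per (tool, level) to compare tool coverage side by side."""
    counts = defaultdict(int)
    for findings in merged.values():
        for f in findings:
            counts[(f["tool"], f["level"])] += 1
    return dict(counts)


if __name__ == "__main__":
    merged = merge(TOOL_A_LOG, TOOL_B_LOG)
    for uri, line in corroborated(merged):
        tools = ", ".join(sorted(f["tool"] for f in merged[(uri, line)]))
        print("%s:%d flagged by %s" % (uri, line, tools))
    print(summary(merged))
```

Grouping by file and line is the simplest cross-tool key; a real pipeline would also map each vendor's rule IDs onto a shared taxonomy (for example CWE) so that "A001" and "B-SQLI" are recognized as the same defect class even when they land on different lines.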

SARIF co-chair, Luke Cartey of Semmle, agreed, "With SARIF, engineering teams will have easy access to a broad range of potential defects and vulnerabilities in compliance with a range of privacy and accessibility standards. SARIF will support the development of products whose code spans languages and operating systems."

“I’m impressed by the traction we’re already seeing for SARIF and by the companies driving this work,” said Laurent Liscia, CEO and executive director of OASIS. “Clearly, people involved in static analysis appreciate the need for interoperability, and they are committed to making it happen with SARIF.”

Participation in the SARIF Technical Committee is open to all through membership in OASIS. Providers of static analysis tools, developers of Integrated Development Environments (IDEs), conversion tool vendors, software developers, and others impacted by this work are invited to join the group.

Support for SARIF

GrammaTech VP of Engineering, Paul Anderson, said, "SARIF fills an important gap in software engineering tools. It enables the integration of static-analysis tool results in a plug-and-play manner into a highly-automated software development ecosystem. It has the potential to lower the cost of static-analysis tool adoption, which will benefit both tool vendors and tool users alike."

Micro Focus VP of Product Management, Jason Schmitt, said, “It is important that developers have static analysis solutions that are standardized and interoperable to not disrupt the software development lifecycle when using several tools. As an active participant in the SARIF Technical Committee, we are committed to helping to drive this standard for static analysis and determine a consistent data format for easily comparing and managing results.”

Microsoft Principal Software Engineer Manager, Michael C. Fanning, said, “SARIF’s cost reductions speak to programming leads because they can’t afford to short-change quality due to limited bandwidth or budgets. Advanced analysis techniques, such as machine learning, favor more inputs not fewer. And so there’s a clear need for a format like SARIF that reduces the cost of merging code quality data from many sources.”

RIPS Technologies CEO, Johannes Dahse, said "Developers need a standard output format from static analysis tools in order to evaluate and compare different analysis results in the same way. That way they can learn and grow, and work together to build more secure applications. Moreover, a standard enables easy combination and integration of results from multiple tools. RIPS Technologies is proud to be part of the technical committee and is proud to help build the SARIF standard."

U.S. Department of Homeland Security Software Assurance Program Manager, Kevin E. Greene, said "DHS S&T is a huge supporter of SARIF because it builds upon our initial investments in technologies like Code Dx, ThreadFix, and Tool Output Integration Framework (TOIF), all designed to create workflows for developers to use multiple static analysis tools to increase the fidelity of results. SARIF is the realization that the sum of many is better than the sum of one."

More information

OASIS SARIF Technical Committee

# # #

Media inquiries: +1.941.284.0403

OASIS is a non-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for cyber security, privacy, cloud computing, IoT, SmartGrid, and other areas. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. OASIS members broadly represent the marketplace of public and private sector technology leaders, users, and influencers. The consortium has more than 5,000 participants representing over 600 organizations and individual members in 65+ countries.

Box 3500
Burlington, MA USA 01821
