Talk:Summit 2011/Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation
Rather than reinvent the wheel, I suggest that OWASP start with the work that has already been done in this space.

1. There is already an open standard available for intermediate representations:
   Knowledge Discovery Metamodel (KDM) is a publicly available specification from the Object Management Group (OMG). KDM is a common intermediate representation for existing software systems and their operating environments that defines the common metadata required for deep semantic integration of Application Lifecycle Management tools.

2. There has been DHS-funded work on standardizing output. Sean has already done the work of collecting schemas from analysis vendors:
   Software Assurance Findings Expression Schema (SAFES) Framework, Sean Barnum, MITRE. https://buildsecurityin.us-cert.gov/swa/presentations_201003/03/12%20Product-Benchmarking%20panel%20-%20SAFES%20-%20SwA%20Forum%20-%20Mar%202010%20-%20(Barnum).pdf

3. There has been some academic work on defining software model query rules:
   PQL: Program Query Language. http://suif.stanford.edu/~jwhaley/papers/pods05.ppt http://pql.sourceforge.net/