Contrast Security, JFrog, Sonar, Snyk, and Others Extend Functionality of Interoperability Standard for Software Analysis Tools
1 June 2022 — Key cybersecurity companies from across the globe are joining OASIS Open to advance the newest version of the Static Analysis Results Interchange Format (SARIF) interoperability standard for detecting software defects and vulnerabilities. In today’s announcement, Contrast Security, JFrog, Sonar, and Snyk became the newest Sponsors of the SARIF Technical Committee (TC) alongside Cryptsoft, GrammaTech, and Microsoft. Other members of the SARIF TC include Bank of America, CIRCL, ForAllSecure, Micro Focus, MITRE, Northrop Grumman, sFractal Consulting, Veracode, and WhiteSource.
Software developers use a variety of analysis tools to assess the quality of their programs. These tools report results which can indicate problems related to program qualities such as correctness, security, performance, compliance with contractual or legal requirements, compliance with stylistic standards, understandability, and maintainability. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools. SARIF provides a common output format for software analysis tools that lets developers and teams understand, interact with, and manage the results produced by all their tools.
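The aggregation described above is what SARIF is for in practice: every tool emits the same JSON shape, so one script can merge and triage all of it. As an added illustration (not code from this announcement, from OASIS, or from any SARIF TC deliverable), the following Python merges two SARIF 2.1.0 logs, checks the fields a consumer depends on, applies the format's default-severity rule (a result without `level` inherits the rule's `defaultConfiguration.level`, else `warning`), and gates a build on the aggregate. The two logs, the tool names `ExampleSAST` and `ExampleSCA`, the rule IDs, and the file paths are all constructed sample data.

```python
"""Merge SARIF 2.1.0 logs from several analysis tools and summarise them.

Added example; not code from OASIS or the SARIF TC. SAST_LOG and SCA_LOG are
constructed sample data shaped like SARIF 2.1.0 output; the tool names, rule
IDs, messages and paths in them are invented for illustration.
"""
from collections import Counter, defaultdict


def _loc(uri, line):
    """Build a SARIF physicalLocation for a file and line (sample-data helper)."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


SAST_LOG = {  # constructed: a static-analysis run with two rules
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "rules": [
            {"id": "SAST-SQLI", "shortDescription": {"text": "SQL built from untrusted input"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "SAST-LOG", "shortDescription": {"text": "Sensitive value written to log"}},
        ]}},
        "results": [
            # no 'level' here: the rule's defaultConfiguration (error) applies
            {"ruleId": "SAST-SQLI", "message": {"text": "Query concatenates a request parameter"},
             "locations": [_loc("src/db.py", 42)]},
            {"ruleId": "SAST-LOG", "level": "note",
             "message": {"text": "Session token written to log"},
             "locations": [_loc("src/auth.py", 17)]},
        ]}]}

SCA_LOG = {  # constructed: a dependency-analysis run with no rule metadata
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSCA", "rules": []}},
        "results": [
            {"ruleId": "SCA-ADVISORY", "level": "error",
             "message": {"text": "Dependency pinned to a version with a published advisory"},
             "locations": [_loc("requirements.txt", 3)]},
            {"ruleId": "SCA-LICENSE", "level": "warning",
             "message": {"text": "Dependency license is not on the allow list"},
             "locations": [_loc("requirements.txt", 8)]},
        ]}]}


def validate_log(log):
    """Return a list of structural problems; an empty list means the log is usable."""
    problems = []
    if log.get("version") != "2.1.0":
        problems.append(f"unsupported version {log.get('version')!r}")
    runs = log.get("runs")
    if not isinstance(runs, list):
        return problems + ["'runs' missing or not a list"]
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"run {i}: tool.driver.name missing")
        for j, res in enumerate(run.get("results", [])):
            if not res.get("message", {}).get("text"):
                problems.append(f"run {i} result {j}: message.text missing")
    return problems


def effective_level(result, rules_by_id):
    """SARIF default: result.level, else rule.defaultConfiguration.level, else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def merge_logs(logs):
    """Concatenate the runs of several validated SARIF logs into one log."""
    merged = {"version": "2.1.0", "runs": []}
    for log in logs:
        problems = validate_log(log)
        if problems:
            raise ValueError("; ".join(problems))
        merged["runs"].extend(log["runs"])
    return merged


def summarize(log):
    """Count findings per (tool, level) and group (line, tool, rule, level) by file."""
    by_tool_level = Counter()
    by_file = defaultdict(list)
    for run in log["runs"]:
        driver = run["tool"]["driver"]
        rules_by_id = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            level = effective_level(res, rules_by_id)
            by_tool_level[(driver["name"], level)] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine")
                by_file[uri].append((line, driver["name"], res.get("ruleId"), level))
    return by_tool_level, dict(by_file)


def should_fail_build(by_tool_level, fail_levels=("error",)):
    """Policy gate: fail when any tool reported a finding at a blocking level."""
    return any(n and level in fail_levels for (_, level), n in by_tool_level.items())


if __name__ == "__main__":
    totals, per_file = summarize(merge_logs([SAST_LOG, SCA_LOG]))
    for (tool, level), n in sorted(totals.items()):
        print(f"{tool:12} {level:8} {n}")
    for uri, findings in sorted(per_file.items()):
        for line, tool, rule, level in sorted(findings, key=lambda f: f[0] or 0):
            print(f"{uri}:{line}  [{tool}/{rule}] {level}")
    print("FAIL" if should_fail_build(totals) else "PASS")
```

The point of `effective_level` is the part most home-grown SARIF consumers get wrong: a result with no `level` is not "unknown", it inherits the producing rule's default, so a merge step that ignores rule metadata will silently downgrade the SAST tool's SQL-injection finding here from error to warning and let the gate pass.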
“The next major version of SARIF will expand our ability to aggregate data and detect vulnerabilities in some exciting new ways. We look forward to the contributions of the companies that are joining now, and we welcome others,” said OASIS SARIF TC co-chairs, Luke Cartey of Microsoft and David Keaton.
The SARIF TC brings together major software companies, cybersecurity providers, government, security orchestration specialists, programmers, and consultants. Participation in the TC is open to all companies, nonprofit groups, governments, academic institutions, and individuals through membership in OASIS. As with all OASIS projects, archives of the Committee’s work are accessible to both members and non-members alike.
Support for SARIF
“It is no surprise that SARIF has emerged as the industry standard for communicating vulnerabilities. The Contrast Security team is excited to join the SARIF Technical Committee and to share our experience and expertise in interactive testing, route intelligence, and software instrumentation to make SARIF an even more powerful way to enable communication and transparency around software security. While the Contrast Secure Code Platform natively supports SARIF, we’re looking forward to working with other leaders in the industry to find more innovative ways to help developers code more securely.”
– Jeff Williams, Co-Founder and Chief Technology Officer, Contrast Security
“The recent rise in volume and sophistication of open-source software supply chain attacks has forced developers and DevOps teams to scramble for information sources and solutions they can trust. As a recognized CVE naming authority with a qualified security research team, JFrog welcomes the opportunity to share our expertise and best practices with SARIF to better enable developers with a single source of truth for software security concerns.”
– Stephen Chin, VP of Developer Relations, JFrog
OASIS SARIF TC: https://www.oasis-open.org/committees/sarif