Normalize

Convert security results from all your security tools into a common data format

The Normalization Capability

A robust software pipeline conducts numerous security tests: static application security testing (SAST), dynamic application security testing (DAST), vulnerability scanning, dependency scanning, security composition analysis (SCA), infrastructure compliance checks, cloud configuration checks; the list goes on. Each test requires a specialized tool, producing data in multiple incompatible formats. Teams looking to implement security automation quickly find themselves with a data management problem: how do they assess the overall security posture and manage remediation activities?

This data becomes more useful when it is normalized, or converted into a common data format. Normalized data can then be passed to the next stage of the security automation process (i.e., Visualize) to produce a single security dashboard to report and manage security testing results.

The OASIS Heimdall Data Format


MITRE SAF© uses the OASIS Heimdall Data Format (OHDF) as a common format to represent normalized security data. OASIS Open is an international standards body that has worked with the security community to deliver the OHDF standard to facilitate security testing information sharing and process automation. OHDF files record vital security data about a completed validation test, such as the test code, description, attributes, and outcome. This facilitates aggregation and analysis of test results from a wide range of security tools.

Conversion Options

MITRE SAF©'s saf convert option allows the conversion of output from widely used automated security testing tools into OHDF (and from OHDF into other common formats). SAF CLI has converters for tools and formats, both to OHDF and from OHDF:

  • Convert From OHDF
    • OHDF to ASFF
    • OHDF to Splunk
    • OHDF to XCCDF Results
    • OHDF to DISA Checklist
    • OHDF to CSV
    • OHDF to Condensed JSON
  • Convert To OHDF
    • ASFF to OHDF
    • AWS Config to OHDF
    • Burp Suite to OHDF
    • DISA Checklist to OHDF
    • DBProtect to OHDF
    • Fortify to OHDF
    • GoSec to OHDF
    • Ion Channel to OHDF
    • JFrog Xray to OHDF
    • Tenable Nessus to OHDF
    • Netsparker to OHDF
    • Nikto to OHDF
    • Prisma to OHDF
    • Prowler to OHDF
    • Sarif to OHDF
    • Scoutsuite to OHDF
    • Snyk to OHDF
    • SonarQube to OHDF
    • Splunk to OHDF
    • Trivy to OHDF
    • Twistlock to OHDF
    • Veracode to OHDF
    • XCCDF Results to OHDF
    • OWASP ZAP to OHDF

For instructions on using the converter function, check out the page for SAF CLI linked above. If you need a converter that is not on the list, reach out to us to discuss creating a new one (or write your own!).

Heimdall© Conversion

The Heimdall© application uses the same libraries as the SAF CLI for converting input to OHDF automatically. Files uploaded to Heimdall© will be converted to OHDF when displayed, with no intermediate conversion step required!

OHDF Schema

While the core elements of OHDF describe individual controls, the full schema of an OHDF output file describes a set of security validation profiles (such as InSpec profiles) that were executed against a target system, the controls included in those profiles, and the results they generated. OHDF output also includes helpful statistics such as which controls passed, which failed, and which were not reviewed (skipped).

OHDF Core Elements

OHDF captures the core elements common to all security data, regardless of source. When converting data into OHDF, metadata from unique testing formats is preserved as tags. The following are the core elements of OHDF:

  • Test Title – high-level overview of the goal of the test(s)
  • Test Description – details on the intent and possible impact
  • Test Audit, aka ‘check text’ – the validation actions we are asking of the end user
  • Test Remediation, aka ‘fix text’ – the remediation actions we are asking of the end user
  • NIST SP 800-53 Control Alignment(s) – the NIST SP 800-53 security control(s) this test relates to
  • Test Severity – the static default of the control's categorization impact
  • Test Impact – the context-specific severity observed during testing
  • Other data tags specific to the source benchmark – other data elements that enhance the context of the test(s)
    • CIS – tags such as the level, version and scoring status of the CIS benchmark
    • DISA STIG – tags such as the DISA Common Correlation Index Identifier (CCI)
  • Test Elements – the individual tests that make up the actions in the ‘Check Text’

Properly tagged and designed InSpec profiles produce results in this format. 
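As an added example (not code from MITRE SAF or Heimdall), the snippet below builds a small OHDF-shaped document in the InSpec-style JSON layout OHDF uses (profiles, controls, tags such as nist/severity/check/fix, and per-control results) and rolls each control's results up into the passed / failed / not reviewed statistics described under "OHDF Schema". The sample data is constructed, and the status precedence rules (impact 0 before everything else, then error, failed, passed, skipped) are an assumption modelled on how Heimdall presents results, not taken from the page.

```python
import json
from collections import Counter

# Constructed OHDF-shaped document (InSpec-style JSON layout); every value is illustrative.
SAMPLE_OHDF = json.loads("""
{
  "profiles": [{
    "name": "example-baseline",
    "title": "Example Baseline (constructed)",
    "controls": [
      {"id": "C-1", "title": "Audit logging enabled", "impact": 0.7,
       "tags": {"severity": "high", "nist": ["AU-2"],
                "check": "Verify auditd is enabled.", "fix": "Enable and start auditd."},
       "results": [{"status": "passed", "code_desc": "auditd is enabled"}]},
      {"id": "C-2", "title": "Password minimum length", "impact": 0.5,
       "tags": {"severity": "medium", "nist": ["IA-5"]},
       "results": [{"status": "passed", "code_desc": "login.defs PASS_MIN_LEN >= 15"},
                   {"status": "failed", "code_desc": "pwquality minlen >= 15",
                    "message": "expected >= 15, got 8"}]},
      {"id": "C-3", "title": "Banner text reviewed", "impact": 0.3,
       "tags": {"severity": "low", "nist": ["AC-8"]},
       "results": [{"status": "skipped", "skip_message": "Manual review required"}]},
      {"id": "C-4", "title": "Control not applicable on this platform", "impact": 0.0,
       "tags": {"severity": "none", "nist": ["CM-6"]}, "results": []}
    ]
  }]
}
""")

def control_status(control):
    """Roll a control's result list up into one status.
    Assumed precedence: impact 0 -> Not Applicable; no results or any 'error'
    -> Profile Error; any 'failed' -> Failed; any 'passed' -> Passed; else Not Reviewed."""
    if control.get("impact", 0) == 0:
        return "Not Applicable"
    statuses = {r.get("status") for r in control.get("results", [])}
    if not statuses or "error" in statuses:
        return "Profile Error"
    if "failed" in statuses:
        return "Failed"
    if "passed" in statuses:
        return "Passed"
    return "Not Reviewed"

def summarize(ohdf):
    """Return ({control_id: status}, Counter of statuses) across all profiles in the file."""
    per_control = {c["id"]: control_status(c)
                   for p in ohdf["profiles"] for c in p["controls"]}
    return per_control, Counter(per_control.values())

per_control, counts = summarize(SAMPLE_OHDF)
print(per_control, dict(counts))
```

Running it over a real OHDF file produced by saf convert or Heimdall only requires replacing SAMPLE_OHDF with json.load() of that file.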


Copyright © 1997-2026, The MITRE Corporation. All rights reserved.

MITRE is a registered trademark of The MITRE Corporation. Material on this site may be copied and distributed with permission only.