The goal is to develop a risk management framework with security standards that normalize the analysis from each tool and facilitate vulnerability correlation, providing a simpler view of threats from both an architecture and a system perspective and improving the completeness of vulnerability analysis and results. Static analysis tools provide only a system view of vulnerabilities and weaknesses, obtained by scanning binaries and source code. Static analysis does not take into account the architecture analysis performed with penetration tools, which model threats and exposures from an attacker's point of view. While open source security testing tools provide value, they lack common security standards for expressing risks, exposures and vulnerabilities in a meaningful way. No framework or standard exists that can map and correlate analysis from open source or commercially available static analysis tools with analysis from open source or commercially available dynamic analysis tools.