NOTE: Document Update – now distributing V2 of this document.
This article and the referenced document are provided primarily for individuals working within the US Government or related organizations who have an interest in the overall Security Content Automation Protocol (SCAP) standards and processes. Many commercial organizations will benefit from these efforts in the short term, and many more in the medium term. This document does not, however, attempt to explain what SCAP is or how linking a certified SWID tag to a CPE name will benefit the overall capabilities of SCAP.
This paper describes how software identification (SWID) tags, which identify the software installed on computing assets, can integrate with and automate the creation of Common Platform Enumeration (CPE) names, which identify the hardware and software present on those assets.
The CPE name is designed to provide the following (from the CPE 2.3 Naming Specification Standard):
Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets. CPE can be used as a source of information for enforcing and verifying IT management policies relating to these assets, such as vulnerability, configuration, and remediation policies. IT management tools can collect information about installed products, identify products using their CPE names, and use this standardized information to help make fully or partially automated decisions regarding the assets.
The CPE name provides a key link among many of the Federal Government Security Content Automation Protocol (SCAP) databases (http://scap.nist.gov). When originally conceived, the CPE naming process assumed that the software publishers would (for the most part) provide the appropriate CPE name (or names) for inclusion in the Official CPE Dictionary. To date, adoption of CPE naming processes by the software publishing community has been limited, and so the National Institute of Standards and Technology (NIST) and MITRE Corporation have developed a process whereby CPE names are manually created and added to the CPE dictionary.
During the same period in which the SCAP infrastructure was being developed and deployed, software publishers were becoming increasingly motivated to help their customers manage the logistics, compliance and security of the software products they license and use. This led to an ISO standard, ISO/IEC 19770-2:2009 (http://www.iso.org/iso/catalogue_detail.htm?csnumber=53670), and to a registration and certification organization, TagVault.org, that provides the rules, processes and tools needed for end-user organizations to lower the overall cost of managing the logistics, compliance and security of their software.
TagVault.org provides tools that run inside a software publisher's own environment to validate normalized and registered names, to confirm that the minimum set of data required for the chosen certification level is present in the software identification (SWID) tag, and to digitally sign the certified tag. The signature makes the tag data authoritative: any consumer of the tag can verify its provenance, provided the consumer checks the signature against a trusted certificate chain rather than merely noting that a signature is present.
Given the changes in the CPE 2.3 specification, the certification processes defined by TagVault.org, and publishers' growing interest in helping customers manage the logistics, compliance and security of their software, this is an ideal time to work towards a publisher-owned CPE naming process. Such a process would not only automate the creation of CPE names but would also feed the SCAP infrastructure with data that is authoritative (through digital signatures) and considerably richer in metadata.
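To make the SWID-to-CPE idea concrete, the following is an added example written for this article; it is not code from the referenced paper, from TagVault.org, or from NIST/MITRE. It parses a constructed ISO/IEC 19770-2:2009 tag, checks that the seven elements the 2009 schema makes mandatory are present (the kind of minimum-data check the certification tooling performs), and binds the tag's fields into a CPE 2.3 formatted-string name using the escaping rules of the CPE 2.3 naming specification. The field mapping itself (vendor taken from the last label of the reversed domain in the software_creator regid, product from product_title, version from product_version/name, everything else ANY) and the space-to-underscore convention are assumptions made for this example, not a mapping the paper defines.

```python
"""Derive a CPE 2.3 formatted-string name from an ISO/IEC 19770-2:2009 SWID tag.

Added example, not the referenced paper's method. The SWID->CPE field mapping
and the sample tag below are assumptions/constructions made for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2009 schema.
NS = {"swid": "http://standards.iso.org/iso/19770/-2/2009/schema.xsd"}

# The seven elements that 19770-2:2009 requires in every tag.
MANDATORY = (
    "entitlement_required_indicator", "product_title", "product_version",
    "software_creator", "software_licensor", "software_id", "tag_creator",
)

# Constructed sample tag; every value in it is invented for this example.
SAMPLE_TAG = """<swid:software_identification_tag
    xmlns:swid="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
  <swid:entitlement_required_indicator>true</swid:entitlement_required_indicator>
  <swid:product_title>Example Widget Suite</swid:product_title>
  <swid:product_version>
    <swid:name>2.1.0-beta</swid:name>
    <swid:numeric>
      <swid:major>2</swid:major><swid:minor>1</swid:minor>
      <swid:build>0</swid:build><swid:review>0</swid:review>
    </swid:numeric>
  </swid:product_version>
  <swid:software_creator>
    <swid:name>Example Corp, Inc.</swid:name>
    <swid:regid>regid.2010-01.com.example</swid:regid>
  </swid:software_creator>
  <swid:software_licensor>
    <swid:name>Example Corp, Inc.</swid:name>
    <swid:regid>regid.2010-01.com.example</swid:regid>
  </swid:software_licensor>
  <swid:software_id>
    <swid:unique_id>widget-suite-2.1.0</swid:unique_id>
    <swid:tag_creator_regid>regid.2010-01.com.example</swid:tag_creator_regid>
  </swid:software_id>
  <swid:tag_creator>
    <swid:name>Example Corp, Inc.</swid:name>
    <swid:regid>regid.2010-01.com.example</swid:regid>
  </swid:tag_creator>
</swid:software_identification_tag>
"""

# Constructed tag that omits tag_creator, to exercise the minimum-data check.
INCOMPLETE_TAG = SAMPLE_TAG.split("  <swid:tag_creator>")[0] + \
    "</swid:software_identification_tag>"


def missing_mandatory_elements(root):
    """Return the names of mandatory 2009 elements absent from the tag root."""
    return [e for e in MANDATORY if root.find(f"swid:{e}", NS) is None]


def vendor_from_regid(regid):
    """ASSUMPTION for this example: a 19770-2 regid has the form
    regid.YYYY-MM.<reversed domain>[,suffix]; use the last domain label
    (e.g. 'example' from 'com.example') as the CPE vendor."""
    labels = regid.split(",")[0].split(".")      # drop optional ',suffix'
    if len(labels) < 4 or labels[0] != "regid":
        raise ValueError(f"not a 19770-2 regid: {regid!r}")
    return labels[-1]


def bind_value(value):
    """Bind one attribute value in CPE 2.3 formatted-string form.

    Empty/None -> logical ANY ('*'). Alphanumerics, '_', '.' and '-' pass
    through unescaped; every other printable ASCII character is escaped with a
    backslash. Whitespace is not permitted in a CPE value, so runs of spaces
    become '_' (dictionary convention). Values are lowercased.
    """
    if value is None or not value.strip():
        return "*"
    s = re.sub(r"\s+", "_", value.strip().lower())
    if any(not 32 <= ord(c) <= 126 for c in s):
        raise ValueError(f"non-printable or non-ASCII character in {value!r}")
    return "".join(c if re.fullmatch(r"[a-z0-9_.\-]", c) else "\\" + c for c in s)


def cpe_from_swid(xml_text):
    """Parse a 2009 SWID tag and return a CPE 2.3 formatted-string name."""
    root = ET.fromstring(xml_text)
    missing = missing_mandatory_elements(root)
    if missing:
        raise ValueError(f"tag is missing mandatory elements: {missing}")
    vendor = vendor_from_regid(
        root.findtext("swid:software_creator/swid:regid", namespaces=NS))
    product = root.findtext("swid:product_title", namespaces=NS)
    version = root.findtext("swid:product_version/swid:name", namespaces=NS)
    # part 'a' (application); update through 'other' are left as ANY.
    fields = [vendor, product, version] + [""] * 7
    return "cpe:2.3:a:" + ":".join(bind_value(f) for f in fields)


if __name__ == "__main__":
    print(cpe_from_swid(SAMPLE_TAG))
```

Two points worth noting. The escaping in bind_value matters because a product title such as "C++ Toolkit (x64)" must become `c\+\+_toolkit_\(x64\)` to be a valid formatted-string value; a naive join would produce a name that CPE matchers reject or, worse, match incorrectly. And deriving the vendor from the regid rather than from the free-text software_creator/name is what makes the mapping deterministic: the regid is the registered identifier TagVault.org validates, while the display name can vary between releases.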