It’s clear that authoritative software identification is critical to any cybersecurity effort: an organization cannot secure a system when it does not know which applications and utilities are installed on it. Today’s software discovery and identification tools rely on algorithmic “best guesses” to identify the applications installed on a device. These tools vary significantly in their accuracy and consistency, and their results are very difficult to reconcile when data needs to be combined across tools.
John Richardson (Symantec) and Steve Klos (TagVault.org) wrote an article for CrossTalk – The Journal of Defense Software Engineering that was published in the March/April 2013 edition. The article compares software identification with airline security and details some of the problems in today’s software infrastructure that are being addressed by the ISO/IEC 19770-2 Software Identification (SWID) tagging standard and TagVault.org. Information about the journal, the abstract for the article, links to the CrossTalk website and other related reference materials are provided below.
CrossTalk – Purpose
CrossTalk, The Journal of Defense Software Engineering, is an approved U.S. Department of Defense journal. CrossTalk’s mission is to encourage the engineering development of software in order to improve the reliability, sustainability, and responsiveness of our warfighting capability and to inform and educate readers on up-to-date policy decisions and new software engineering technologies.
Would you fly on an airline that did not verify its passengers’ identities, or that allowed high-risk passengers onto its flights? How about an airline that was unable to scan all checked luggage for known threats, or was unable to ensure that each piece of luggage was associated with a known, trusted passenger? This, unfortunately, is the position that IT organizations are placed in every day by their software applications. Software publishers do not typically provide the secure, authoritative information IT administrators require to validate the authenticity of their installed software applications and their executable files (program files, shared libraries, scripts, etc.). A typical computer system, such as a laptop with an operating system and a few software applications, will have thousands of executable files installed with no definitive way to authenticate them and to ensure that they have not been modified by any third party. To improve software supply chain security, IT organizations require standardized, authoritative software application information from software publishers that allows them to automate the following:
- Identifying all software applications, the operating system, their revision level, and all software updates and patches
- Associating all installed files to specific software applications, or to the operating system
- Validating that all installed software came from trusted software suppliers
- Validating the authenticity of each of the installed executable files
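As an added example (not part of the CrossTalk article and not TagVault.org’s own tooling), the following Python script shows what automating those four checks looks like once a publisher ships a SWID tag that carries a file payload. It builds a small constructed “installation”, has the publisher side emit a tag for it using the element names of the 2015 revision of ISO/IEC 19770-2 (SoftwareIdentity, Entity, Payload, Directory, File with a sha256:hash attribute), and then has the consumer side verify the installation against the tag: once clean, and once after a shared library has been modified and an unlisted executable dropped in. The element names, the use of SHA-256, the product name, the regid “example.test” and the file contents are all assumptions made for the example.

```python
"""Added example: publisher builds a SWID-style tag; consumer verifies an install against it.
Assumptions (not from the page): ISO/IEC 19770-2:2015 element names, SHA-256 file hashes,
and a constructed product/regid/file layout."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"   # namespace of the sha256:hash attribute
HASH_ATTR = f"{{{SHA256_NS}}}hash"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_tag(install_root, name, version, tag_id, entity_name, regid, rel_paths):
    """Publisher side: list every shipped file (relative POSIX path) with its size and hash."""
    ET.register_namespace("", SWID_NS)
    ET.register_namespace("sha256", SHA256_NS)
    root = ET.Element(f"{{{SWID_NS}}}SoftwareIdentity",
                      {"name": name, "version": version, "tagId": tag_id,
                       "versionScheme": "multipartnumeric"})
    ET.SubElement(root, f"{{{SWID_NS}}}Entity",
                  {"name": entity_name, "regid": regid, "role": "tagCreator softwareCreator"})
    payload = ET.SubElement(root, f"{{{SWID_NS}}}Payload")
    dirs = {}  # one <Directory> element per parent path; root-level files go straight in Payload
    for rel in sorted(rel_paths):
        parent, _, base = rel.rpartition("/")
        if parent not in dirs:
            dirs[parent] = (ET.SubElement(payload, f"{{{SWID_NS}}}Directory", {"name": parent})
                            if parent else payload)
        full = os.path.join(install_root, *rel.split("/"))
        ET.SubElement(dirs[parent], f"{{{SWID_NS}}}File",
                      {"name": base, "size": str(os.path.getsize(full)), HASH_ATTR: sha256_file(full)})
    return ET.tostring(root, encoding="unicode")


def _walk_payload(elem, prefix, out):
    """Flatten nested Directory/File elements into {relative path: (size or None, sha256 hex)}."""
    for child in elem:
        if child.tag == f"{{{SWID_NS}}}Directory":
            name = child.get("name", "")
            _walk_payload(child, f"{prefix}{name}/" if name else prefix, out)
        elif child.tag == f"{{{SWID_NS}}}File":
            size = child.get("size")
            out[prefix + child.get("name")] = (int(size) if size else None, child.get(HASH_ATTR))


def parse_tag(xml_text):
    root = ET.fromstring(xml_text)
    entities = [(e.get("name"), e.get("regid"), e.get("role", "").split())
                for e in root.findall(f"{{{SWID_NS}}}Entity")]
    files = {}
    payload = root.find(f"{{{SWID_NS}}}Payload")
    if payload is not None:
        _walk_payload(payload, "", files)
    return {"name": root.get("name"), "version": root.get("version"),
            "tagId": root.get("tagId"), "entities": entities, "files": files}


def verify_installation(xml_text, install_root, trusted_regids):
    """Consumer side: identify the product, check the supplier's regid against an allow-list,
    confirm every listed file is present and unmodified, and report files the tag does not claim."""
    tag = parse_tag(xml_text)
    creators = {regid for _, regid, roles in tag["entities"] if "softwareCreator" in roles}
    report = {"product": f'{tag["name"]} {tag["version"]} ({tag["tagId"]})',
              "publisher_trusted": bool(creators) and creators <= set(trusted_regids),
              "verified": [], "modified": [], "missing": [], "unlisted": []}
    for rel, (size, digest) in tag["files"].items():
        full = os.path.join(install_root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif (size is not None and os.path.getsize(full) != size) or sha256_file(full) != digest:
            report["modified"].append(rel)
        else:
            report["verified"].append(rel)
    for dirpath, _, names in os.walk(install_root):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), install_root).replace(os.sep, "/")
            if rel not in tag["files"]:
                report["unlisted"].append(rel)
    return report


def demo():
    """Constructed installation: ship two files, tag them, verify, then tamper and re-verify."""
    shipped = {"bin/exutil": b"#!/bin/sh\necho exutil 1.4.2\n",
               "lib/libexutil.so": b"\x7fELF" + b"\x00" * 60}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in shipped.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        tag_xml = build_tag(root, "Example Utility", "1.4.2", "example.test-exutil-1.4.2",
                            "Example Software Ltd", "example.test", shipped)
        clean = verify_installation(tag_xml, root, {"example.test"})
        # Simulate a third-party modification of a library and a dropped, unclaimed executable.
        with open(os.path.join(root, "lib", "libexutil.so"), "ab") as f:
            f.write(b"patched")
        with open(os.path.join(root, "bin", "dropper"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        tampered = verify_installation(tag_xml, root, {"example.test"})
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

The clean run verifies both files and reports nothing modified or unlisted; the second run flags lib/libexutil.so as modified and bin/dropper as present but claimed by no tag, which is exactly the “luggage with no known passenger” case the abstract describes. One caveat a practitioner should keep in mind: the tag is only as trustworthy as its origin. A regid match is an identification check, not an authentication check; a tag that has been replaced along with the files it describes will verify cleanly. The 2015 revision of ISO/IEC 19770-2 allows a tag to carry an XML digital signature, and a real consumer should verify that signature against the publisher’s certificate before relying on anything in the Entity or Payload elements.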