A tremendous amount of work is going into improving software identification in the market today. The market as a whole has recognized that software identification is not accurate enough, does not meet all the needs of IT and, perhaps most importantly, is not done consistently across IT disciplines, which leads to higher costs for all market stakeholders.
The following sections provide reference points for how SWID tags are being used to affect the market in a positive manner. If these issues don’t apply directly to you, you can help your organization by forwarding the details on to someone in your IT organization who is responsible for security, compliance, logistics, or other operations where SWID tags provide benefits.
ISO/IEC 19770-2 Revision Work
The 19770-2 revision effort is proceeding well. The WG21 editors working on the update have been meeting at least once a week to ensure that the revision meets all market requirements that have surfaced since the 2009 version of the standard was published; a few additional capabilities that provide significant benefits to the market have been included as well. The SWID tagging standard has been put through significant testing and validation, including a rigorous IT business and data modeling effort, so that tags created with the standard will provide significant utility to software purchasing organizations while remaining pragmatic and easy to implement for tag creator organizations such as ISVs.
The good news is that the revision will be a smaller, more tightly focused and easier-to-use document than the first version. If you are waiting for the bad news, there really isn’t any.
The revision has been reviewed within both the US and international groups working on this effort, and it is quickly moving towards a committee draft voting process. This essentially means that the draft revision will be reviewed, commented on and voted on by the participating countries, which will help the editors understand other countries’ perspectives on the changes made in the revision.
The editors are looking forward to providing a draft to the wider ISO community for its review, comments and votes, and TagVault.org will provide feedback to the larger community on the outcome of the vote.
TagVault.org Best Practices Working Group
(Industry Best Practices)
In coordination with the data and business modeling efforts and the editing work being done on the 19770-2 revision, TagVault.org is making great strides in defining and documenting best practices for the industry. This best practices document is being created by a working group that started off with a very effective kick-off meeting, with Hewlett Packard, IBM, Microsoft and Symantec providing the commercial perspective and NIST and MITRE providing the government perspective on how tags should be implemented to provide the highest value to the whole community.
The Working Group will create a best practices document that will be the essential “cook-book” for SWID tag producers and consumers. Information from the best practices guide will be used to ensure interoperability for SWID tags across platforms, publishers and products.
In addition to the best practices guide, the certification document will be going through an update process to align with the revision of the 19770-2 standard.
For more information on these efforts, or to join TagVault.org to help in the definition of these documents (and to get early access to the direction and details provided in the documents), go to the TagVault.org website and join the program!
Microsoft and other ISVs Express Interest in SWID Tags
Many members of TagVault.org, including Microsoft, have been in discussion with US Government agencies about supporting the much more extensive automation required to improve security and manage policies without excessive resource costs.
Microsoft has posted a webpage providing the background and detail on SWID tags and why it is interested in this issue.
Symantec and ModusLink have also provided messages of support for SWID tags – see the links below:
- Microsoft webpage providing background on SWID tags
- ModusLink Statement of Support for SWID tags
- Symantec Statement of Support for SWID tags
Testing Software Discovery Tools
Identifying which software products are installed on a computing device is similar to an archeological dig (i.e. trying to determine which software titles are installed based on various artifacts discovered on the device) and regularly produces incomplete and incorrect results. Unfortunately, compliance, logistics and security processes and procedures rely on this discovery data to manage an organization’s infrastructure. Incorrect data from software discovery utilities can and does result in:
- Higher risk of being out of compliance with software entitlements, which can lead to audit costs and further costs from the audit’s outcomes.
- Higher risk of malicious, out-of-date or non-patched software being installed and used within the organization, with the associated potential for loss of data or intellectual property, or higher IT costs.
- Higher cost of specialized technical resources required to constantly create, monitor and update discovery procedures.
- Higher switching costs for discovery tools due to complexities and incompatibilities between tools.
There are many tools on the market that provide discovery capabilities with varying degrees of success depending on the platform, publisher and third-party tools used. This paper reviews six mainstream discovery and identification tools and provides criteria to consider when selecting a tool.
Customers Engaging With Vendors
Tired of the software identification mess? Software purchasers can make a difference today! Anyone who tells you that they know exactly what software they have installed, and that they have it all under control, is deceiving someone – themselves or you – or they are spending far too much money doing what they are doing. Software discovery tools have to make educated guesses and generalizations about much of what they find. The tools are much better than nothing – like a horse and cart are better than walking. But they are imperfect, because the publishers do not make it easy to determine exactly what is installed and needs to be paid for. So what happens when you get audited by the software publishers? They find copies, and versions, and violations of licensing terms and conditions which you did not expect, and you have to pay the price of not being able to control the software you have purchased when the publishers have not given you the necessary means for control.
Read the details here.
Supply Side Security
Abstract. Would you fly on an airline that did not verify its passengers’ identities, or that allowed high-risk passengers onto its flights? How about an airline that was unable to scan all checked luggage for known threats, or was unable to ensure that each piece of luggage was associated with a known, trusted passenger? This, unfortunately, is the position that IT organizations are placed in every day by their software applications. Software publishers do not typically provide the secure, authoritative information IT administrators require to validate the authenticity of their installed software applications and their executable files (program files, shared libraries, scripts, etc.). A typical computer system, such as a laptop with an operating system and a few software applications, will have thousands of executable files installed with no definitive way to authenticate them or to ensure that they have not been modified by a third party. To improve software supply chain security, IT organizations require standardized, authoritative software application information from software publishers that allows them to automate the following:
- Identifying all software applications, the operating system, their revision level, and all software updates and patches
- Associating all installed files to specific software applications, or to the operating system
- Validating that all installed software came from trusted software suppliers
- Validating the authenticity of each of the installed executable files
These capabilities are fundamental to securing computer systems. IT administrators must be able to automate them with a high level of confidence, and must be able to trust that their security tools can identify threats or known vulnerabilities quickly and definitively. However, without standardized, authoritative information provided by software publishers at the time software applications are released, it remains very difficult for IT administrators to fully secure their computer systems.
The ISO/IEC 19770-2:2009 Software Identification Tagging standard is a cross-platform (Windows, UNIX, Linux, Mac) software identification data standard that provides the means for authoritative identification of software applications, operating systems, software updates, and patches. Tags also provide the means for:
- Validating the authenticity of install media
- Automating the authenticity validation of installed application executable files
- Automating the identification of installed applications with known vulnerabilities per the NIST National Vulnerability Database.
This article provides high-level information that outlines how software identification tags provide the fundamental building blocks required for building a resilient and automated IT cyber security ecosystem based on information that is very easily provided by software publishers.
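The file-level check the abstract calls for, as an added example (not code from the page or from TagVault.org): the publisher emits a tag whose Payload lists each shipped file with its SHA-256, and the consumer compares what discovery found on the device against it, flagging modified, missing and unassociated files. The tag layout (SoftwareIdentity/Payload/File and its namespaces) follows the later 19770-2:2015 revision, which is an assumption here since the page cites the 2009 edition; the tagId, file names and contents are constructed.

```python
import hashlib
import posixpath
import xml.etree.ElementTree as ET

# SoftwareIdentity/Payload/File namespaces of the later 19770-2:2015 revision (assumed; the page cites 2009).
SWID = "{http://standards.iso.org/iso/19770/-2/2015/schema.xsd}"
SHA256 = "{http://www.w3.org/2001/04/xmlenc#sha256}"

def make_tag(name: str, version: str, files: dict[str, bytes]) -> str:
    """Publisher side: emit a tag whose Payload lists every shipped file with its SHA-256."""
    ET.register_namespace("", SWID[1:-1])
    ET.register_namespace("SHA256", SHA256[1:-1])
    tag = ET.Element(SWID + "SoftwareIdentity", name=name, version=version,
                     tagId=f"example.invalid-{name}-{version}")  # constructed tagId
    payload = ET.SubElement(tag, SWID + "Payload")
    for path, data in sorted(files.items()):
        d = ET.SubElement(payload, SWID + "Directory", name=posixpath.dirname(path))
        ET.SubElement(d, SWID + "File", name=posixpath.basename(path), size=str(len(data)),
                      **{SHA256 + "hash": hashlib.sha256(data).hexdigest()})
    return ET.tostring(tag, encoding="unicode")

def payload_files(tag_xml: str) -> dict[str, str]:
    """Consumer side: map each Directory/File path in the tag to its expected SHA-256."""
    expected = {}
    for d in ET.fromstring(tag_xml).iter(SWID + "Directory"):
        for f in d.findall(SWID + "File"):
            expected[posixpath.join(d.get("name", ""), f.get("name"))] = f.get(SHA256 + "hash", "").lower()
    return expected

def verify_install(tag_xml: str, installed: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify files found on a device: ok, modified, missing, or unassociated (claimed by no tag)."""
    expected = payload_files(tag_xml)
    report = {"ok": [], "modified": [], "missing": [], "unassociated": []}
    for path, digest in sorted(expected.items()):
        if path not in installed:
            report["missing"].append(path)
        elif hashlib.sha256(installed[path]).hexdigest() == digest:
            report["ok"].append(path)
        else:
            report["modified"].append(path)  # tampered, corrupted or silently patched
    report["unassociated"] = sorted(p for p in installed if p not in expected)
    return report

# Constructed data: publisher's release vs. what discovery found (one file altered, one missing, one unknown).
RELEASE = {"bin/app": b"\x7fELF original", "bin/helper.sh": b"#!/bin/sh\necho hi\n",
           "lib/libapp.so": b"\x7fELF lib"}
TAG = make_tag("ExampleApp", "1.0", RELEASE)
ON_DEVICE = {**RELEASE, "bin/app": b"\x7fELF altered", "bin/dropped.so": b"?"}
del ON_DEVICE["lib/libapp.so"]
```

Running `verify_install(TAG, ON_DEVICE)` reports `bin/app` as modified, `lib/libapp.so` as missing and `bin/dropped.so` as unassociated; only `bin/helper.sh` is ok.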
The Trusted Computing Group (TCG) released new specifications for public review – the comment period for these specifications is open until Oct 22. If you work in network security (in particular, the management of networked computing devices), are interested in the work done by the Trusted Computing Group, or are curious about how SWID tags provide enhanced data for security needs, please review these new specifications targeted at end-point security management and provide your feedback. In particular, these specifications are designed to enable network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. A key element of this set of standards that differentiates it from other approaches is that it is based on international standards and supports interoperability and the reuse of discovery data.
TCG created the specifications in support of its Trusted Network Connect (TNC) Endpoint Compliance Profile. The Endpoint Compliance Profile describes a profile of TNC standards and capabilities that is optimized for collecting specific types of endpoint identity and state information and retaining this information over time in a searchable repository. One of the specifications in this suite is the new SWID Message and Attributes for IF-M specification. This specification standardizes how SWID tag information can be requested by a Policy Decision Point and returned by an endpoint. It also describes how an endpoint can actively monitor its SWID tag collection for changes and push reports to a Policy Decision Point if a change is detected. All of the Endpoint Compliance Profile specifications are open for public review and comment through October 22. In particular, the TagVault.org and SWID communities should review and comment on the SWID Message and Attributes for IF-M specification to ensure that it aligns with their usage models. Following the public review period the specifications will be revised and published in final form. Feedback on any of these specifications is greatly appreciated.
National Cybersecurity Center of Excellence Workshop
The Department of Homeland Security, NIST and other government organizations are working with the software industry to solve some of the more difficult problems we face in software, networking and general IT management. The following information, taken from the NIST page describing the Software Asset Management Workshop, gives an overview of what they are working on.
NOTE: For those who view Software Asset Management as being focused on entitlement compliance, that is not how the term is being used in this instance. The focus is much more on securing the IT infrastructure and managing the assets in that infrastructure to accomplish the goal.
The National Cybersecurity Center of Excellence (NCCoE) works with industry, academic and government experts to find practical solutions for businesses’ most pressing cybersecurity needs. The NCCoE collaborates to build open, standards-based, modular, end-to-end solutions that are broadly applicable, customizable to the needs of individual businesses, and help businesses more easily comply with applicable standards and regulations.
A “Building Block” is a solution that is relevant to many industry sectors, and may be incorporated into multiple use cases that the NCCoE works to provide solutions for.
Continuous Monitoring Building Block:
This workshop will review and conduct a deep dive into the Continuous Monitoring Software Asset Management (SAM) Building Block. The building block proposes techniques for meeting SAM challenges. SAM, as envisioned in this building block, requires a standardized approach that provides an integrated view of software throughout its lifecycle. Such an approach must support the following capabilities:
- Authorization and verification of software installation media
- Software execution authorization
- Publication of installed software inventory
- Software inventory-based network access control
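An added example, not from the TCG specification, the NIST building block or the page, sketching the two exchanges the TCG section above describes (a Policy Decision Point requesting an endpoint's SWID inventory, and the endpoint watching its tag collection and pushing a change report) together with the inventory-based network access control capability listed here. Message shapes are plain dicts assumed for illustration, not the IF-M encoding; the tagIds and policy sets are constructed.

```python
import hashlib
from typing import Optional

# Assumed message shapes (constructed for this example, not the TCG IF-M encoding):
# a tag collection is {tagId: tag XML text}; requests and reports are plain dicts.

class Endpoint:
    """Holds the device's SWID tag collection and watches it for changes."""
    def __init__(self, collection: dict[str, str]):
        self.collection = dict(collection)
        self.baseline = self.fingerprint()

    def fingerprint(self) -> dict[str, str]:
        # Hash each tag's text so an edited tag is noticed, not only an added or removed one.
        return {t: hashlib.sha256(x.encode()).hexdigest() for t, x in self.collection.items()}

    def handle_request(self, request: dict) -> dict:
        """Answer a PDP request for tag identifiers only, or for the full tags."""
        if request.get("full_tags"):
            return {"type": "tag_inventory", "tags": dict(self.collection)}
        return {"type": "tag_id_inventory", "tag_ids": sorted(self.collection)}

    def poll(self) -> Optional[dict]:
        """Return a change report to push to the PDP, or None if nothing changed."""
        now = self.fingerprint()
        report = {"added": sorted(set(now) - set(self.baseline)),
                  "removed": sorted(set(self.baseline) - set(now)),
                  "modified": sorted(t for t in set(now) & set(self.baseline)
                                     if now[t] != self.baseline[t])}
        self.baseline = now
        return {"type": "tag_event", **report} if any(report.values()) else None

def pdp_decision(inventory: dict, required: set, forbidden: set) -> tuple:
    """Inventory-based network access control: all required tags present, no forbidden ones."""
    present = set(inventory.get("tag_ids") or inventory.get("tags", {}))
    reasons = [f"missing required {t}" for t in sorted(required - present)]
    reasons += [f"forbidden present {t}" for t in sorted(forbidden & present)]
    return ("allow", []) if not reasons else ("quarantine", reasons)

# Constructed tagIds and policy (placeholder regid "example.invalid").
REQUIRED = {"example.invalid-EndpointAV-3.2"}
FORBIDDEN = {"example.invalid-LegacyTool-1.0"}
ENDPOINT = Endpoint({"example.invalid-OS-10.1": "<SoftwareIdentity .../>",
                     "example.invalid-EndpointAV-3.2": "<SoftwareIdentity .../>"})
```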
More details on the workshop can be found on the NIST website.
Additionally, you may want to download the draft Continuous Monitoring Building Block document, “Software Asset Management,” which is available for review until October 14, 2013.