Invitation to the Workshop on Software Identification (SWID) Tag Implementation
Hosted by the National Institute of Standards and Technology (NIST) on
26-27 April 2016, in Rockville, MD
The National Institute of Standards and Technology (NIST) is pleased to announce a workshop on Software Identification (SWID) Tag Implementation and Use. This event will be held from 9:00 a.m. to 5:00 p.m. on 26 April and 9:00 a.m. to 3:00 p.m. on 27 April at the National Cybersecurity Center of Excellence (NCCoE), 9700 Great Seneca Highway, Rockville, MD.
Strengthening the security and resilience of United States Government (USG) civilian and military networks and critical infrastructure is a top national priority. If broadly implemented by software providers, SWID tags promise to significantly enhance the ability of USG departments and agencies to rapidly and accurately characterize the software assets discovered to be present within their enterprise networks. In turn, this will facilitate efforts to reduce vulnerabilities in our information technology systems and prevent future attacks. In addition to their value for cybersecurity, SWID tags will also help USG departments and agencies improve their ability to track and manage software licenses, thereby reducing cost and increasing efficiency.
The SWID tag effort aligns with the President’s 2016 Federal Cybersecurity Research and Development Strategic Plan, which was released on February 5, 2016. The plan challenges the cybersecurity research and development (R&D) community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. Use of SWID tags in this context helps to provide the information necessary for tools to ensure that software is updated, resulting in fewer exploitable vulnerabilities, and that software integrity can be measured to detect and prevent software tampering.
The goal of the workshop is to assemble a broad audience of SWID tag creators, users, and stakeholders to actively participate in engineering-level discussions on various topics related to SWID tags, including implementation challenges. The agenda, while still under development, will consist of detailed technical topics drawn from the guidelines within the NIST Interagency Report (IR) 8060, “Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.” We plan to cover some or all of the following topics:
- SWID tag 101 (general overview of SWID tags)
- Digital signing of SWID tags
- Internationalization of SWID tags
- Provision of payload and evidence elements of SWID tags
- Distribution mechanisms for SWID tags
- Implementation of patch and corpus tags
We encourage your feedback regarding the proposed topics and welcome additional topic ideas. Please send your ideas and feedback to us at email@example.com.
It is recommended that participants attending the workshop be familiar with NIST IR 8060. The fourth public draft can be found here: http://csrc.nist.gov/publications/drafts/nistir-8060/nistir_8060_draft_fourth.pdf. The final report is expected to be ready by early March.
Conference registration and attendance will be free of charge, but advance registration will be required. You can register at https://register.mitre.org/swid/.
If you have questions about this workshop, or would like to contact someone for more information, please send your request to firstname.lastname@example.org.