Anti-Malware Support Services (AMSS) is developing the Clean File Metadata eXchange (CMX) to identify files that are from commercially defined and deployed software. The CMX repository is designed to help security companies keep up with the ever-changing landscape of commercially published and known files, so that they can differentiate those files from potential malware threats.
The CMX repository provides one component of the data provided by SWID tags – the payload, or file manifest as many might call it. By working together, Publishers who provide a file payload in their SWID tags and digitally sign those tags can automate the data population of the CMX repository in a secure and efficient manner.
More information about AMSS is here:
More information about CMX is available here:
The installation toolkit WiX (supported by FireGiant) is the first Windows installer toolkit to support the latest revision of the SWID Tagging Standard (19770-2:2015). FireGiant provides dedicated support to the WiX open source toolkit and they’ve recognized the importance of accurate software identification when it comes to licensing and security! For an open source tool, providing a consistent and normalized set of data to the organizations that buy, install and manage software products simply makes sense, and that’s likely why WiX supported the latest revision of SWID tags even before the standard was published by ISO.
For more information on WiX and their support for the 2015 revision of SWID tags, have a look at their blog posting – https://www.firegiant.com/blog/2015/9/9/swid-tag-2015-support-in-wix-toolset-v3.10/.
The 2015 revision of the SWID tagging standard has been in development for a number of years. The primary focus was threefold. First, to ensure that SWID tag data could be interpreted and used efficiently by software purchasing organizations and tools. Second, to ensure that software publishers are able to create SWID tags in a scalable manner that works with as many different software environments as could be imagined. Finally, with the full expectation that software will change over time, to make the standard as flexible as possible to enable extended information from software publishers as required.
The revision to the standard was published on Oct 1 and even prior to the publication, tools were already supporting the revision (WiX, which is a Windows installation utility supported by FireGiant, in particular seems to be focused on their customer – the software publisher and the benefits of standards as they apply to their customer).
This revision is in line with the changes being made to the software entitlement standard (19770-3), which should be published in the relatively near future. Everyone in the industry is looking forward to a time when software asset management can be handled in a much more automated manner, and both the SWID and Software Entitlement standards are focused on that effort. Anyone who’s looking to integrate tools into their IT infrastructure will benefit if they validate that their vendors fully support these ISO standards.
To get a copy of the standard, go to the ISO webstore (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=65666), or to your local national standards body to review the abstract and to buy a copy.
The Trusted Network Connect (TNC) is an open architecture for Network Access Control as defined by a working group of the Trusted Computing Group (TCG). On the 3rd of August, 2015, TCG published the document, “SWID Message and Attributes for IF-M”. The description of this as written on the TCG/TNC blog –
The Trusted Network Connect (TNC) Work Group defines an open solution architecture that enables network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. Software Identification tags (SWID tags) are XML documents that identify a specific software product.
Organizations interested in learning more about how SWID tags are used within the TNC architecture can go here to get more information – http://www.trustedcomputinggroup.org/resources/tnc_swid_messages_and_attributes_for_ifm_specification
NIST is working on an internal report (NISTIR) focused on the guidelines for the creation of interoperable Software Identification (SWID) Tags. This publication is focused on how SWID tags will be used from an operational perspective and provides a number of use cases focused on end-user scenarios. The overarching goal is to ensure that publishers understand end-user requirements to ensure SWID tags can provide the data required to automate IT Administrative processes that today are largely manual.
The report is focused on both Cybersecurity and Software Asset Management requirements.
The report can be found here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060
NIST is looking for your help! Please review the document and provide your feedback on how these requirements meet your operational needs, or if there are requirements or scenarios that are not yet defined that should be added to the document – let them know!
Comments should be sent to NISTIR8060firstname.lastname@example.org – with the subject “Comments Draft NISTIR 8060”. Comments should be provided by August 7, 2015.
The ISO/IEC 19770-2 standard that defines the structure of SWID tags has taken a major step forward. The document went through its final review with all the participating countries and achieved unanimous approval.
With such strong country and organizational support behind the revision, the document has moved forward to the publication phase. At this point, ISO editors take over and ensure that t’s are crossed, i’s are dotted and that the document meets the editorial requirements specified by ISO/IEC.
The revision is a relatively major revision and addresses scalability issues that limited software vendors from fully embracing the 2009 version. The way the scalability issues were addressed also improves the ability of tool vendors to consume and interpret the data.
Additionally, changes were made to the location where SWID tags are installed. These changes make it easier for software vendors to integrate tags into their solution regardless of the installation model they choose. The revised standard indicates that the SWID tag will be located in a directory named “swidtag” that is in the same directory tree as the product’s installation directory. This allows copy installs, web component and other sandboxed software installs, and installations by systems that otherwise might be restricted from writing into the common system locations that were specified in the 2009 revision.
You can download and review the XSD for this revision from ISO – http://standards.iso.org/iso/19770/-2/2015-current/schema.xsd.
You may also be able to download a NIST document that discusses usage scenarios and guidelines for creating SWID tags here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060. Be aware, however, that the NIST document is currently available for public review and may be removed while the document is going through an editing process. If the link does not work, search for NIST-IR-8060.
NIST has released NIST-IR-8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags, for public comment. The following is the abstract from the document:
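The tag location described above makes tags discoverable by walking an install tree. As an added example (not code from the standard, NIST or TagVault.org), this Python code finds tags in `swidtag` directories and lists each tag's payload entries; the two namespace URIs are assumptions about the 2015 schema, and the product, publisher and hash in the sample tag are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"  # assumed 2015 tag namespace
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"              # assumed hash attribute namespace
# Constructed sample tag: product, publisher and hash are made up for illustration.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Example App" tagId="example.test-exampleapp-1.0.0" version="1.0.0">
  <Entity name="Example Publisher" regid="example.test" role="tagCreator softwareCreator"/>
  <Payload>
    <Directory name="bin">
      <File name="app.exe" size="1024" SHA256:hash="{'ab' * 32}"/>
    </Directory>
    <File name="readme.txt" size="12"/>
  </Payload>
</SoftwareIdentity>"""

def find_swid_tags(root):
    """Return *.swidtag files that sit in a directory named 'swidtag' under root."""
    return sorted(p for p in Path(root).rglob("*.swidtag") if p.parent.name.lower() == "swidtag")

def payload_files(tag_path):
    """Return (product name, [(relative path, SHA-256 hex or None), ...])."""
    ident = ET.parse(tag_path).getroot()
    if ident.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError(f"{tag_path}: not an ISO/IEC 19770-2:2015 tag")
    entries = []
    def walk(node, prefix):
        for child in node:
            path = prefix + [child.get("name", "")]
            if child.tag == f"{{{SWID_NS}}}Directory":
                walk(child, path)  # directories nest to any depth
            elif child.tag == f"{{{SWID_NS}}}File":
                entries.append(("/".join(path), child.get(f"{{{SHA256_NS}}}hash")))
    for payload in ident.findall(f"{{{SWID_NS}}}Payload"):  # a tag may carry no Payload
        walk(payload, [])
    return ident.get("name"), entries

def demo():
    """Write the constructed tag into a temporary install tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        tag_dir = Path(root, "ExampleApp", "swidtag")
        tag_dir.mkdir(parents=True)
        (tag_dir / "exampleapp.swidtag").write_text(SAMPLE_TAG, encoding="utf-8")
        return [payload_files(p) for p in find_swid_tags(root)]

if __name__ == "__main__":
    print(demo())
```

The example does not verify a tag's digital signature, so the listed hashes are only as trustworthy as the file system they were read from.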
This guidance provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As instantiated in the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.
Download the document here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060
The document will go through numerous rounds of public review, and this particular review period closes June 15th, 2015. I would encourage anyone who’s interested in learning about SWID tags, or knowing more about some of the usage scenarios, to download and read this document – if you find issues, please provide feedback to NIST.
TagVault.org is also working to develop a SWID Tag Interoperability Requirements document that will work in concert with the NIST-IR to make the development of SWID tags easier and more automated for software vendors while providing the data required in the NIST-IR. TagVault.org member organizations can be involved in the development efforts to create the document, which will be publicly available and which will form the requirements for any future certification requirements (note that certification will be optional and will generally be of interest to large software vendors who automate their software release process).
The Trusted Computing Group (TCG) has developed a number of standards around the Trusted Network Computing (TNC) architecture. The latest of these standards that’s open for public review is the SWID Message and Attributes specification. The review window is open until May 31, 2015.
This is a fairly vertically focused specification and will be primarily of interest if you understand, use, or develop products around the TNC architecture. The specification accommodates both the 2009 as well as the soon to be published 2015 revisions of the ISO/IEC 19770-2 SWID specification.
SWID tags are gaining significant traction in the industry as IBM now deploys all their non-mainframe software with SWID tags, and Microsoft, Symantec and other large commercial entities are also deploying SWID tags with their software titles. SWID tags allow significantly more automation of organizational IT Asset Management, Security and Logistics processes, and will make these processes significantly more accurate and less costly to manage.
The web page provided above gives the details on how to download the specification and report any issues/problems you discover.
If your organization is using Trusted Computing Group (TCG) standards – especially those related to endpoint security standards, the TCG has published a new standard that defines how SWID tags will be used for endpoint protection.
The review period is open until May 31st, 2015. Download the standard and provide your feedback to TCG.