Open Source SWID Tag Generator for Linux

Open Source SWID Tag generator created for Linux platforms. Automatically create SWID tags from package management systems such as dpkg, rpm or pacman. See – https://github.com/strongswan/swidGenerator for more information.
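As an added illustration of what such a generator does (this is not the swidGenerator project's own code), the block below turns dpkg-style package records into minimal ISO/IEC 19770-2:2015-style SWID tags. The sample output, the placeholder regid `example.invalid`, the `distro` label and the tagId scheme are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2015 SWID schema; registered as the default
# namespace so the output carries xmlns="..." instead of an ns0: prefix.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
ET.register_namespace("", SWID_NS)

# Constructed sample in the shape of
#   dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'
SAMPLE_DPKG_OUTPUT = (
    "openssl\t1.1.1n-0+deb11u5\tamd64\n"
    "strongswan\t5.9.1-1+deb11u3\tamd64\n"
    "truncated-record\n"
)

def q(name):
    """Qualify an element name with the SWID namespace."""
    return "{%s}%s" % (SWID_NS, name)

def parse_dpkg_records(text):
    """Return (package, version, architecture) tuples, dropping malformed lines
    instead of emitting tags with empty attributes."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 3 and all(fields):
            records.append(tuple(fields))
    return records

def build_swid_tag(package, version, arch, regid="example.invalid", distro="debian-11"):
    """Serialize one SoftwareIdentity element for an installed package.
    The tagId scheme (regid, distro, package, version, arch) is an assumption
    chosen so one installed package version maps to exactly one tagId."""
    tag_id = "%s__%s-%s-%s-%s" % (regid, distro, package, version, arch)
    root = ET.Element(q("SoftwareIdentity"), {
        "name": package, "version": version, "tagId": tag_id,
        "versionScheme": "alphanumeric"})
    # Entity with role tagCreator: the party (here a placeholder regid) that generated the tag.
    ET.SubElement(root, q("Entity"), {"name": regid, "regid": regid, "role": "tagCreator"})
    return ET.tostring(root, encoding="unicode")

def tags_from_dpkg_output(text):
    """Map tagId -> SWID tag XML for every well-formed record in the output."""
    tags = {}
    for package, version, arch in parse_dpkg_records(text):
        xml = build_swid_tag(package, version, arch)
        tags[ET.fromstring(xml).get("tagId")] = xml  # round-trip checks the XML is well-formed
    return tags
```

Running `tags_from_dpkg_output(SAMPLE_DPKG_OUTPUT)` yields two tags and silently drops the truncated third record.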

Thanks to andreas.steffen@strongswan.org for the information!

19770-2 Revision sent to WG21 for review

The latest update of the ISO/IEC 19770-2 revision was sent to WG21 on May 18th for review at the ISO Plenary meeting in June in Sydney, Australia.

There are a few known issues in this version of the document, and we will be ensuring we address these issues at the Plenary session. A member discussion group has been set up so you can list any other concerns you may have, or highlight items that are particularly important to your organization.

Please note – you must be logged in to access the links below. Also, if you are a member of TagVault.org and have a userID that is not yet elevated to a member level, please use the contact us form to let us know your e-mail address and we will resolve that issue quickly.

IBM – A Publisher Perspective on SWID Tags – Recorded Webinar

SAM Discovery/Inventory Automation with SWID Tags

A Publisher Perspective by IBM

Abstract:

TagVault.org, the leading industry trade organization promoting leading standards in Software ID information, is presenting the webinar “SAM Discovery/Inventory Automation with SWID Tags”, a Software Publisher perspective on SWID tagging.

In this webinar, attendees will learn about the issues encountered by Software Publishers and their end user customers in identifying software, and how, specifically, SWID tags address those issues. IBM’s implementation provides more effective compliance through software reconciliation.

People who should attend this webinar include any end user customer who uses IBM software and would like to hear about the IBM solution, as well as any software user interested in learning about how software publishers are approaching the issue of SWID tags.

Speaker Bio:

Brian Turner, Program Manager for the Software Asset Management Tools and Compliance Readiness team, part of Cloud and Smarter Infrastructure Development, Software Group IBM. Brian has been with IBM for 15 years in a number of product development roles across the C&SI and Security divisions. He is currently the IBM representative to the ISO SC7 Workgroup 21 on Software Asset Management process and software ID tags.

Brian has a degree in Electrical Engineering and has spent his career solving complex problems for customers in the networking, security and endpoint management space. He enjoys working with global teams, customers and the odd bit of international travel. In his spare time Brian is an avid sailor and spends many weekends on his boat in and around San Francisco bay.

View the pre-recorded webinar and hear how SWID tags help the entire software ecosystem!

Software Consumer and IT Advisory Board

Software Consumer and IT Focused Advisory Board

This form allows individuals to sign up for the TagVault.org software consumer and IT focused advisory board. This group is solely focused on defining exactly what a consumer focused group within the TagVault.org program will look like, what benefits are provided to members and the cost of the membership. Information provided on this form will not be used for e-mail marketing, nor will it be shared with anyone other than those individuals who are part of this group (if you allow for others in the group to see your contact information).

Now Available: Pre-recorded webinar on Overview of SWID Requirements

Why Software Identification is Critical for Software Automation – A TagVault.org Webinar Series

Everyone today struggles with their software portfolio. Organizations must deal with shifting priorities, ever changing organizational structures, and changing platform requirements while being attentive to security, compliance and logistics management to support the organization. This can make IT Management difficult and costly.

For your software portfolio, the solution is for authoritative and standardized self-identifying data to be provided to IT groups for all software titles and to the tools that manage the portfolio. The benefit to your software portfolio is that it is easier to manage across the board, saving an organization time and money and allowing management to better support IT staff in prioritizing core IT operations.

This webinar will explore the value of a standards-based approach to improve software identification and outline industry efforts to align on a consistent implementation of standards to accelerate the benefits to the market. It will also cover how these efforts increase the automation capabilities for security, compliance and logistics requirements, among other IT operations, and how that benefits your organization. If you work as a software publisher, reseller or tool provider, or are in an IT position where software management and IT automation is important, this webinar is meaningful to you. Don’t miss out on this important global effort to ensure all products and publishers are providing SWID tags for all platforms, including virtual and cloud-based environments, and learn why you should get in at the ground floor.

To watch the replay of the webinar, click here.

FAQs from the Webinar:

1) The standard was released in 2009; why has it taken so long for tags to start making inroads with these large publishers?

There is always a chicken and egg problem with standards that are followed by one organization and utilized by another – who takes the first step? In this case, quite a few tool providers realized that SWID tags would improve their accuracy as well as lower their resource costs as they attempt to keep their catalogs up-to-date.

Once the tools provided support for SWID tags, software publishers needed to understand the value to them for implementation. Some vendors heard from their customers that support for SWID tags is a necessity, some looked in-house and were able to justify the change due to the fact that it would actually save them money.

Many large software publishers seem to have unlimited resources when viewed from the outside in. The reality is that large publishers have a tremendous number of items on the priority list that must be scheduled into their development cycles. Those items with the highest priority based on customer need, ability to sell more product, ability to sell into different markets, etc. are the items that end up above the cut-off line for development. It has taken time and a lot of energy to help publishers understand the cost/benefit of SWID tags, and then to see the heroes in those publishers work with management to effect change in the organization. The more information software publishers have from customers saying that this type of authoritative data is required for them to do an effective job of managing software, the higher the priority for inclusion into the publishers’ work stream.

2)  When do you expect certification requirements for SWID tags to be in place?

The expectation from TagVault.org is that we’ll have a document specifying the SWID Tag Interoperability Requirements (basically, the certification guide) completed by the time the revision to the 19770-2 standard is published. Since TagVault.org will be working with other organizations, such as member organization AnglePoint, to provide the certification process, the implementation of certification procedures is likely to be finalized by April of 2015. However, once the Interoperability Requirements document is complete, customers can use it as a requirement for their publishers to follow when creating and managing SWID tags for delivery with their products.

3) What is the government’s interest in tags and why are they involved?

The US Government has an even more difficult time with software management than commercial industries do. This is because each and every separate government agency is effectively its own business, with its own processes and tool implementations that are unique to that agency. Further, many of the tools purchased by the Federal Government are purchased against a set of requirements, with the contract going to the lowest-cost bidder that meets them. This results in numerous tools being used throughout the wide scope of the government and no ability to reconcile the data coming from all the tools, since each tool reports software discovery data slightly differently and with variable results.

Adding to the system challenges the US Government has, the security requirements and the attack surface they need to keep secure are a daunting task, and likely much more difficult to manage than in commercial organizations, simply due to the variety of approaches used in the different agencies.

Basically, the US Government has recognized that they absolutely require automation of their IT management systems if they are going to lower their IT costs and keep their systems secure. The first step in this process is to know exactly what software is installed on devices and work with software producers to get them to support real-time and active communications that allow for automated validation of issues such as patch installation.

Finally, the US Government has a tremendous amount of data available on configuration issues that cause software to be vulnerable to attack (the details are held in the Security Content Automation Protocol databases – SCAP for short). This data is extremely useful for improving the security posture of both governmental and commercial organizations. However, it cannot easily be linked to software discovered on devices, since there is no existing standard that ensures that authoritative data is coming from publishers and that the data is normalized. With SWID tags, the data from any discovery engine can be linked to information found in the SCAP databases, allowing both government and commercial organizations to increase security without a huge increase in IT resource costs.

4)  How long will it take for tool vendors to recognize the needs for using SWID tags?

They already have, and most Tier 2 vendors already support the tags in some form or fashion. Many Tier 1 vendors like HP, Microsoft and IBM either already support SWID tags, or will in the near future.

5)  Which IT management tools support SWID tags today?

Let’s leave this one off for the time being… I think we’ll work some marketing $s around these efforts instead of giving the information out for free. Ideas are being developed now; we will get you some details in a couple of weeks.

Best Practices Working Group Meeting – Jan 2014

This working group session will kick off the development of the best practices that will be applied to SWID tags created by software publishers and used by tool providers and end-user organizations. The overarching goal is to define the requirements for SWID tags that will meet specified use cases.

The meeting will be held in the Baltimore area (between BWI and Baltimore) on Jan 22 through 24, 2014. We are still finalizing the location and will inform everyone when it has been finalized.

Agenda:

  • Review the revision of 19770-2 that is currently out for a Committee Draft vote
  • Review the use cases for the best practices we developed in the last working group
  • Start the integration of the TagVault.org certification document with the use cases for best practices
  • Determine how to approach organizational and possibly product certification requirements for SWID tag producers and consumers
  • Determine if there are any updates/changes required to the 19770-2 CD (these will be integrated in the US National Body comments as part of the voting process for the 19770-2 revision).

The meeting is open to TagVault.org members, and we would like to encourage all members who may be interested in attending this session to also attend the Cybersecurity Innovations Forum the following week (located at the Baltimore Convention Center). See http://www.fbcinc.com/e/cif/ for more details on the forum and to sign up if you are interested!

This working group meeting is open to current TagVault.org members who are at the Government, Associate, Non-Profit, Contributor or Board Member levels of membership.

Please sign up and let us know if you will be attending in person or virtually.

We apologize, but the working group session is now full. If you would like to attend virtually, please send an e-mail to Steve Klos and he will send you the details for the session.

Provide Direct Feedback to the National Cybersecurity Center of Excellence!

The US Federal Government wants to improve the real-time management of software on computing devices used for critical projects and processes. They are working towards solutions that can bridge the many gaps that exist today, and they are working with industry to make the changes happen!

The focus in this instance is on Cybersecurity, but the efforts will provide direct and significant benefits to individuals and organizations involved in license and policy compliance activities, security, logistics and practically any other IT management system that involves software on any device (from phone or tablet all the way to cloud based systems, and even extending into the Internet of Things).

There will be an initial Stakeholders meeting on December 3 and 4, followed by a public workshop on December 5. The events will be hosted in Rockville, MD. The primary focus of this effort is on improving the security monitoring of systems in the Government as well as providing support for critical infrastructure systems (power, water, financial management systems, etc.). This effort will also provide direct and significant benefits to any business that needs to manage software licenses, apply security or compliance policies to their systems, or manage updates and backup plans for their organizational software infrastructure.

Join us virtually through your comments – let us know what you think. We are asking for your e-mail address simply so we can contact you if there are questions on your comments; your contact details will not be added to any newsletter or other regular communications. If we can pass along your name and company name to others involved in this effort, that would be great; if you would rather we didn’t, let us know via the selections below.

The Stakeholders meeting was on December 5th. If you would like to provide additional comments to this effort, please contact us through the "contact us" form under the About menu item!

More info on NCCoE – http://csrc.nist.gov/nccoe/

More info on the workshop – http://csrc.nist.gov/nccoe/Events/Events.html

SWID Tags provide enhanced data enabling better network security

The Trusted Computing Group (TCG) released new specifications for public review – the comment period for these specifications is open until Oct 22. If you work in network security, in particular in the management of networked computing devices, are interested in the work done by the Trusted Computing Group, or are curious about how SWID tags provide enhanced data for security needs, please review these new specifications targeted at end-point security management and provide your feedback. In particular, these specifications are designed to enable network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. A key element of this set of standards that differentiates it from other approaches is that it is based on international standards and supports interoperability and the reuse of discovery data.

The specifications were created in support of TCG’s Trusted Network Connect (TNC) Endpoint Compliance Profile. The Endpoint Compliance Profile describes a profile of TNC standards and capabilities that is optimized for collecting specific types of endpoint identity and state information and retaining this information over time in a searchable repository.

One of the specifications in this suite is the new SWID Message and Attributes for IF-M specification. This specification standardizes how SWID tag information can be requested by a Policy Decision Point and returned by an endpoint. The specification also describes how an endpoint can actively monitor its SWID tag collection for changes and push reports to a Policy Decision Point if a change is detected.

All of the Endpoint Compliance Profile specifications are open for public review and comment through October 22. In particular the TagVault.org and SWID communities should review and comment on the SWID Message and Attributes for IF-M specification to ensure that it aligns with their usage models. Following the public review period the specifications will be revised and published in final form. Feedback on any of these specifications is greatly appreciated.
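The endpoint-side behaviour described above (watch the local SWID tag collection and report only when something changed) can be illustrated with the added example below. It is not code from the TCG specification and does not use the IF-M message encoding; the snapshot representation (tagId mapped to a SHA-256 of the tag document), the report structure and the sample tag documents are assumptions for illustration.

```python
import hashlib

def digest_collection(tag_documents):
    """Snapshot a tag collection as tagId -> SHA-256 of the tag document text.
    Hashing content (not just listing tagIds) lets an edited tag with an unchanged
    tagId show up as a modification rather than going unnoticed."""
    return {tag_id: hashlib.sha256(doc.encode("utf-8")).hexdigest()
            for tag_id, doc in tag_documents.items()}

def collection_changes(previous, current):
    """Compare two snapshots. Return None when nothing changed (so no report is
    pushed), otherwise the tagIds that appeared, disappeared or changed content."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    common = set(previous) & set(current)
    modified = sorted(t for t in common if previous[t] != current[t])
    if not (added or removed or modified):
        return None
    return {"added": added, "removed": removed, "modified": modified}

# Constructed snapshots; the documents are stand-ins for real SWID XML.
BASELINE = digest_collection({
    "tag-openssl-1.1.1n": "<SoftwareIdentity name='openssl' version='1.1.1n'/>",
    "tag-strongswan-5.9.1": "<SoftwareIdentity name='strongswan' version='5.9.1'/>",
})
AFTER_CHANGE = digest_collection({
    # Same tagId as the baseline, but the document content was altered.
    "tag-openssl-1.1.1n": "<SoftwareIdentity name='openssl' version='1.1.1n' edited='1'/>",
    # strongswan tag removed, curl tag added.
    "tag-curl-7.74.0": "<SoftwareIdentity name='curl' version='7.74.0'/>",
})

def sample_report():
    """Report the endpoint would push for the constructed snapshots."""
    return collection_changes(BASELINE, AFTER_CHANGE)
```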

For more information about TagVault.org, please visit their website – www.tagvault.org.

For more information on the Trusted Computing Group, please visit their website – www.trustedcomputinggroup.org