This working group session will kick off the development of the best practices that will be applied to SWID tags created by software publishers and used by tool providers and end-user organizations. The overarching goal is to define the requirements for SWID tags that will meet specified use cases.
The meeting will be held in the Baltimore area (between BWI and Baltimore) on Jan 22 through 24, 2014. We are still finalizing the location and will inform everyone when it has been finalized.
- Review the revision of 19770-2 that is currently out for a Committee Draft vote
- Review the use cases for the best practices we developed in the last working group
- Start the integration of the TagVault.org certification document with the use cases for best practices
- Determine how to approach organizational and possibly product certification requirements for SWID tag producers and consumers
- Determine if there are any updates/changes required to the 19770-2 CD (these will be integrated in the US National Body comments as part of the voting process for the 19770-2 revision).
The meeting is open to TagVault.org members and we would like to encourage all members who may be interested in attending this session to also attend the Cybersecurity Innovations Forum the following week (located at the Baltimore Convention Center). See http://www.fbcinc.com/e/cif/ for more details on the forum and to sign up if you are interested!
This working group meeting is open to current TagVault.org members who are at the Government, Associate, Non-Profit, Contributor or Board Member levels of membership.
Please sign up and let us know if you will be attending in person or virtually.
The US Federal Government wants to improve the real-time management of software on computing devices used for critical projects and processes. They are working towards solutions that can bridge the many gaps that exist today, and they are working with industry to make the changes happen!
The focus in this instance is on Cybersecurity, but the efforts will provide direct and significant benefits to individuals and organizations involved in licence and policy compliance activities, security, logistics and practically any other IT management system that involves software on any device (from phones and tablets all the way to cloud-based systems, and even extending into the Internet of Things).
There will be an initial Stakeholders meeting on December 3 and 4 followed by a public workshop on December 5. The events will be hosted in Rockville, MD. The primary focus of this effort is on improving the security monitoring of systems in the Government as well as providing support for critical infrastructure systems (power, water, financial management systems, etc.). This effort will also provide direct and significant benefits to any business that needs to manage software licenses, apply security or compliance policies to its systems, or manage updates and backup plans for its organizational software infrastructure.
Join us virtually through your comments – let us know what you think. We are asking for your e-mail address simply so we can contact you if there are questions on your comments – your contact details will not be added to any newsletter, or other regular communications. If we can pass along your name and company name to others involved in this effort, that would be great – if you would rather we didn’t, let us know via the selections below.
More info on NCCoE – http://csrc.nist.gov/nccoe/
More info on the workshop – http://csrc.nist.gov/nccoe/Events/Events.html
The Trusted Computing Group (TCG) released new specifications for public review – the comment period for these specifications is open until Oct 22. If you work in network security, in particular the management of networked computing devices, are interested in the work done by the Trusted Computing Group, or are curious about how SWID tags provide enhanced data for security needs, please review these new specifications targeted at end-point security management and provide your feedback. In particular, these specifications are designed to enable network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. A key element of this set of standards that differentiates it from other approaches is that it is based on international standards and supports interoperability and the reuse of discovery data.
The specifications were created in support of the TCG's Trusted Network Connect (TNC) Endpoint Compliance Profile. The Endpoint Compliance Profile describes a profile of TNC standards and capabilities that is optimized for collecting specific types of endpoint identity and state information and retaining this information over time in a searchable repository.
One of the specifications in this suite is the new SWID Message and Attributes for IF-M specification. This specification standardizes how SWID tag information can be requested by a Policy Decision Point and returned by an endpoint. The specification also describes how an endpoint can actively monitor its SWID tag collection for changes and push reports to a Policy Decision Point if a change is detected.
All of the Endpoint Compliance Profile specifications are open for public review and comment through October 22. In particular the TagVault.org and SWID communities should review and comment on the SWID Message and Attributes for IF-M specification to ensure that it aligns with their usage models. Following the public review period the specifications will be revised and published in final form. Feedback on any of these specifications is greatly appreciated.
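As an added illustration (not code from this post, TagVault.org or the TCG), the following Python models the exchange described above: an endpoint parses its SWID tags into an inventory, answers a Policy Decision Point's request for them, and pushes a change report when the collection differs from its previous snapshot. It assumes the attribute layout of the revised 19770-2 tag format; the request and report shapes are constructed for illustration and are not the IF-M wire format.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the XML namespace so either 19770-2 schema namespace parses alike."""
    return tag.rsplit("}", 1)[-1]

def parse_swid(xml_text):
    """Return (tagId, name, version); assumes the revised 19770-2 attribute layout."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "SoftwareIdentity":
        raise ValueError("not a SoftwareIdentity document")
    return root.attrib["tagId"], root.attrib["name"], root.attrib.get("version", "")

def snapshot(tag_documents):
    """Endpoint-side inventory keyed by tagId -> (name, version)."""
    return {tid: (name, ver) for tid, name, ver in map(parse_swid, tag_documents)}

def answer_pdp_request(inventory, requested_tag_ids=None):
    """Endpoint's reply when the PDP asks for all tags or for specific tagIds."""
    if requested_tag_ids is None:
        return dict(inventory)
    return {tid: inventory[tid] for tid in requested_tag_ids if tid in inventory}

def change_report(old, new):
    """Report the endpoint pushes when it detects its tag collection changed."""
    return {
        "added": sorted((tid,) + new[tid] for tid in new.keys() - old.keys()),
        "removed": sorted((tid,) + old[tid] for tid in old.keys() - new.keys()),
        "changed": sorted((tid, old[tid], new[tid])
                          for tid in old.keys() & new.keys() if old[tid] != new[tid]),
    }

# Constructed sample tags (fictional products and regid) for the demo; the report
# and request shapes are illustrative, not the TCG IF-M wire format.
_NS = 'xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"'
TAGS_BEFORE = [
    f'<SoftwareIdentity {_NS} tagId="example.org-AppOne-1.0" name="App One" version="1.0"/>',
    f'<SoftwareIdentity {_NS} tagId="example.org-Utility-2" name="Utility" version="2.3"/>',
    f'<SoftwareIdentity {_NS} tagId="example.org-OldTool-5.1" name="Old Tool" version="5.1"/>',
]
TAGS_AFTER = [  # later scan: Old Tool removed, Utility's tag rewritten, New Tool added
    f'<SoftwareIdentity {_NS} tagId="example.org-AppOne-1.0" name="App One" version="1.0"/>',
    f'<SoftwareIdentity {_NS} tagId="example.org-Utility-2" name="Utility" version="2.4"/>',
    f'<SoftwareIdentity {_NS} tagId="example.org-NewTool-0.9" name="New Tool" version="0.9"/>',
]

def demo():
    """One monitoring cycle: baseline snapshot, later snapshot, push the difference."""
    return change_report(snapshot(TAGS_BEFORE), snapshot(TAGS_AFTER))
```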
For more information about TagVault.org, please visit their website – www.tagvault.org.
For more information on the Trusted Computing Group, please visit their website – www.trustedcomputinggroup.org
Software ID (SWID) tags have come a long way since the ISO/IEC 19770-2:2009 standard was published. Today, there are numerous publishers including tags in their products, tool providers that are creating or reading and using tags, and sophisticated customers who have recognized the value of SWID tags.
It’s clear that authoritative software identification is critical to any cybersecurity effort – after all, an organization cannot positively secure a system that has unknown applications or utilities installed. Today’s software discovery and identification tools use algorithmic “best guesses” to identify the applications installed on a device; these tools vary significantly in their accuracy and consistency, and they fail miserably when data needs to be reconciled between tools.
TagVault.org, the registration and certification authority for ISO/IEC 19770-2:2009 Software Identification (SWID) tags, today announced that it is simplifying its membership model, expanding the number of board seats, and lowering the cost of membership. These changes are based on the interests of both commercial and governmental organizations that have recognized that a better approach to accurate and authoritative software identification can save money and lower risk for every organization engaged in software creation, purchasing or management.
Cicala and Associates published an open letter to software publishers. This letter allows individuals and organizations to make a clear statement to their software vendors that the vendors need to work together as a community to make it easier to identify and track software for any product from any vendor on any platform in a consistent and accurate manner.
Microsoft Announces Support for SWID Tags
Recent announcements regarding software identification tags provide the necessary support for software purchasing organizations to place new requirements on their software vendors:
- Microsoft announced support for ISO 19770-2 software identification (SWID) tags for the tools and software products Microsoft develops.
- TagVault.org is working with many other organizations, including MITRE, to improve the software identification capabilities of the Security Content Automation Protocol (SCAP) processes that are in use today and are designed to lower vulnerabilities and risk levels.
What do these two things have in common? In short, they are ushering in a new era of software management and defining a new set of expectations for software buyers. By the end of 2012, software buyers will include requirements for SWID tag support as part of their software purchasing process.
NOTE: Document Update – now distributing V2 of this document.
This article and the referenced document are provided primarily for individuals who work within the US Government or related organizations and have an interest in the overall Security Content Automation Protocol (SCAP) standards and processes. Many commercial organizations will benefit from these efforts in the short term, and many more in the medium term; however, this document does not attempt to provide an education on what SCAP is, or on how the mapping from a certified SWID tag to a CPE name will benefit the overall capabilities of SCAP.