The Trusted Computing Group (TCG) has released new specifications for public review; the comment period for these specifications is open until October 22. If you work in network security, in particular the management of networked computing devices, are interested in the work of the Trusted Computing Group, or are curious about how SWID tags provide richer data for security needs, please review these new specifications, which target endpoint security management, and provide your feedback. In particular, the specifications are designed to let network operators enforce endpoint-integrity policies when granting access to a network infrastructure. A key element that differentiates this set of standards from other approaches is that it is based on international standards and supports interoperability and the reuse of discovery data.
The specifications were created in support of TCG's Trusted Network Connect (TNC) Endpoint Compliance Profile. The Endpoint Compliance Profile describes a profile of TNC standards and capabilities that is optimized for collecting specific types of endpoint identity and state information and retaining that information over time in a searchable repository.
One of the specifications in this suite is the new SWID Message and Attributes for IF-M specification. It standardizes how SWID tag information can be requested by a Policy Decision Point (PDP) and returned by an endpoint. It also describes how an endpoint can actively monitor its SWID tag collection for changes and push reports to the PDP when a change is detected.
All of the Endpoint Compliance Profile specifications are open for public review and comment through October 22. In particular the TagVault.org and SWID communities should review and comment on the SWID Message and Attributes for IF-M specification to ensure that it aligns with their usage models. Following the public review period the specifications will be revised and published in final form. Feedback on any of these specifications is greatly appreciated.
For more information about TagVault.org, please visit their website – www.tagvault.org.
For more information on the Trusted Computing Group, please visit their website – www.trustedcomputinggroup.org
Software identification (SWID) tags have come a long way since ISO/IEC 19770-2:2009 was published. Today there are numerous publishers including tags in their products, tool providers creating, reading and using tags, and sophisticated customers who have recognized the value of SWID tags.
It's clear that authoritative software identification is critical to any cybersecurity effort: an organization cannot positively secure a system on which unknown applications or utilities are installed. Today's software discovery and identification tools rely on algorithmic "best guesses" to identify the applications installed on a device. These tools vary significantly in accuracy and consistency, and they fail miserably when data needs to be reconciled between tools.
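The authoritative identification this paragraph contrasts with heuristic discovery, and the endpoint-side change monitoring the IF-M description earlier on this page outlines, as one added example in Python (my code, not code from TCG, TagVault.org or the specification): it parses constructed ISO/IEC 19770-2:2009-style tags, keys the inventory on the tag's identity (tag_creator_regid plus unique_id from software_id), refuses tags that lack that identity rather than guessing, and diffs two snapshots into the change events an endpoint would push. The schema namespace URI, the regid, the product names and the event layout are assumptions for this example; the real IF-M attribute encoding is not reproduced here.

```python
"""Added example: parse 19770-2:2009-style SWID tags into an inventory and report
changes between two snapshots, the way an endpoint would before pushing a report
to a Policy Decision Point. Tag texts, regid and event shape are constructed."""
import hashlib
import xml.etree.ElementTree as ET

# Namespace of the 2009 edition's schema, assumed for this example.
NS = {"swid": "http://standards.iso.org/iso/19770/-2/2008/schema.xsd"}


def parse_swid_tag(xml_text):
    """Extract the authoritative identity from one SWID tag.

    Identity is (tag_creator_regid, unique_id) from <software_id>; a tag without
    it is rejected rather than guessed at, which is the point of SWID over
    heuristic discovery.
    """
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    unique_id = text("swid:software_id/swid:unique_id")
    creator_regid = text("swid:software_id/swid:tag_creator_regid")
    if not unique_id or not creator_regid:
        raise ValueError("tag has no usable <software_id>; refusing to identify it")
    return {
        "software_id": f"{creator_regid}:{unique_id}",
        "product_title": text("swid:product_title"),
        "version": text("swid:product_version/swid:name"),
        "creator": text("swid:software_creator/swid:name"),
        # Digest of the tag bytes detects a re-issued tag that kept the same id.
        "digest": hashlib.sha256(xml_text.encode("utf-8")).hexdigest(),
    }


def build_inventory(tag_texts):
    """Map software_id -> parsed record for every tag found on the endpoint."""
    return {rec["software_id"]: rec for rec in map(parse_swid_tag, tag_texts)}


def diff_inventories(old, new):
    """Return the ids added, removed and changed between two snapshots."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in common if old[k]["digest"] != new[k]["digest"]),
    }


def change_report(old, new):
    """Events an endpoint would push; None when nothing changed.
    The event dictionaries are this example's own shape, not IF-M attributes."""
    delta = diff_inventories(old, new)
    if not any(delta.values()):
        return None
    events = []
    for k in delta["added"]:
        events.append({"event": "installed", "software_id": k, "version": new[k]["version"]})
    for k in delta["removed"]:
        events.append({"event": "removed", "software_id": k, "version": old[k]["version"]})
    for k in delta["changed"]:
        events.append({"event": "updated", "software_id": k,
                       "from": old[k]["version"], "to": new[k]["version"]})
    return events


# Constructed sample tag template (not a real product; regid and ids are made up).
TAG = """<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2008/schema.xsd">
  <entitlement_required_indicator>false</entitlement_required_indicator>
  <product_title>{title}</product_title>
  <product_version><name>{version}</name>
    <numeric><major>{major}</major><minor>{minor}</minor><build>0</build><review>0</review></numeric>
  </product_version>
  <software_creator><name>Example Corp</name><regid>regid.2012-01.com.example</regid></software_creator>
  <software_licensor><name>Example Corp</name><regid>regid.2012-01.com.example</regid></software_licensor>
  <software_id><unique_id>{uid}</unique_id><tag_creator_regid>regid.2012-01.com.example</tag_creator_regid></software_id>
  <tag_creator><name>Example Corp</name><regid>regid.2012-01.com.example</regid></tag_creator>
</software_identification_tag>"""


def make_tag(uid, title, version):
    major, minor = version.split(".")[:2]
    return TAG.format(uid=uid, title=title, version=version, major=major, minor=minor)


OLD_SNAPSHOT = [make_tag("widget-editor", "Widget Editor", "1.0"),
                make_tag("packet-tool", "Packet Tool", "2.3"),
                make_tag("legacy-agent", "Legacy Agent", "0.9")]
NEW_SNAPSHOT = [make_tag("widget-editor", "Widget Editor", "1.0"),   # unchanged
                make_tag("packet-tool", "Packet Tool", "2.4"),       # tag re-issued in place
                make_tag("archiver", "Archiver", "4.0")]             # installed; legacy-agent removed

if __name__ == "__main__":
    old, new = build_inventory(OLD_SNAPSHOT), build_inventory(NEW_SNAPSHOT)
    for event in change_report(old, new) or []:
        print(event)
```

Keying the inventory on the regid plus unique_id, rather than on the product title, is what makes the report reconcilable with another tool's view of the same endpoint; the digest catches a tag that was re-issued under the same id, which a title-and-version comparison would miss if only metadata changed.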
TagVault.org, the registration and certification authority for ISO/IEC 19770-2:2009 Software Identification (SWID) tags, today announced that it is simplifying its membership model, expanding the number of board seats, and lowering the cost of membership. These changes are based on the interests of both commercial and governmental organizations that have recognized that a better approach to accurate and authoritative software identification can save money and lower risk for every organization engaged in software creation, purchasing or management.
Cicala and Associates published an open letter to software publishers. The letter lets individuals and organizations make a clear statement to their software vendors that the vendors need to work together as a community to make it easier to identify and track software for any product, from any vendor, on any platform in a consistent and accurate manner.
Microsoft Announces Support for SWID Tags
Recent announcements regarding software identification tags give software-purchasing organizations the support they need to place new requirements on their software vendors:
- Microsoft announced support for ISO 19770-2 software identification (SWID) tags for the tools and software products Microsoft develops.
- TagVault.org is working with many other organizations, including MITRE, to improve the software identification capabilities of the Security Content Automation Protocol (SCAP) processes in use today, which are designed to lower vulnerability and risk levels.
What do these two things have in common? In short, they are ushering in a new era of software management and defining a new set of expectations for software buyers. By the end of 2012, software buyers will include requirements for SWID tag support as part of their software purchasing process.
NOTE: Document Update – now distributing V2 of this document.
This article and the referenced document are provided primarily for individuals working within the US Government or related organizations who have an interest in the overall Security Content Automation Protocol (SCAP) standards and processes. Many commercial organizations will benefit from these efforts in the short term and many more in the medium term; however, this document does not attempt to explain what SCAP is, or how the integration from a certified SWID tag to a CPE name will benefit the overall capabilities of SCAP.
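The SWID-tag-to-CPE-name integration the paragraph refers to, as an added example (my code, not the mapping from the referenced document nor any rule published by TagVault.org, MITRE or NIST): given fields already pulled from a tag, it composes a CPE 2.3 formatted string using the quoting rules of NISTIR 7695 and re-splits the result as a shape check. Taking the vendor from the organisation label of the regid's domain, lowercasing, and turning whitespace into underscores are this example's own assumptions; the regid and product names are constructed.

```python
"""Added example: derive a CPE 2.3 formatted-string name from SWID tag fields.
The mapping choices here (vendor from the creator regid's domain, product from
the title, lowercase, whitespace -> underscore) are assumptions of this example."""
import re

# Characters that stay unquoted in a CPE 2.3 formatted string (NISTIR 7695, 6.2);
# every other printable character, including a literal * or ?, is quoted with '\'.
_FS_UNQUOTED = set("abcdefghijklmnopqrstuvwxyz0123456789._-")


def to_fs_component(value):
    """Bind one attribute value; None or empty means the logical value ANY ('*')."""
    if value is None or value.strip() == "":
        return "*"
    normalised = re.sub(r"\s+", "_", value.strip().lower())
    return "".join(ch if ch in _FS_UNQUOTED else "\\" + ch for ch in normalised)


def vendor_from_regid(regid):
    """regid.YYYY-MM.reverse.domain -> organisation label (assumed mapping).

    Takes the label after the top-level label (com.example -> example). Domains
    under multi-label public suffixes such as co.uk would need a suffix list,
    which this example does not carry. A malformed regid is rejected, since the
    tag content is publisher-supplied input.
    """
    m = re.fullmatch(r"regid\.\d{4}-\d{2}\.([A-Za-z0-9.-]+)", regid or "")
    if not m:
        raise ValueError(f"not a well-formed 19770-2:2009 regid: {regid!r}")
    labels = m.group(1).lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"regid domain has too few labels: {regid!r}")
    return labels[1]


def swid_to_cpe23(creator_regid, product_title, version, update=None, target_sw=None):
    """Compose cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other."""
    fields = [
        "a",                               # part: application
        vendor_from_regid(creator_regid),  # vendor
        product_title,                     # product
        version,                           # version
        update,                            # update
        None,                              # edition
        None,                              # language
        None,                              # sw_edition
        target_sw,                         # target_sw
        None,                              # target_hw
        None,                              # other
    ]
    return "cpe:2.3:" + ":".join(to_fs_component(f) for f in fields)


def split_fs(cpe):
    """Split a formatted string on unquoted colons and check its shape.
    Returns the 11 attribute values after the 'cpe' and '2.3' prefix."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep a quoted pair together
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a well-formed CPE 2.3 formatted string")
    return parts[2:]


if __name__ == "__main__":
    # Constructed inputs, as a 2009-style tag would supply them.
    print(swid_to_cpe23("regid.2012-01.com.example", "Widget Editor", "1.0.2"))
    print(swid_to_cpe23("regid.2012-01.com.example", "Widget Editor (64-bit)",
                        "2.0 beta1", target_sw="Windows"))
```

Quoting matters more than it looks: a product title containing a colon, an asterisk or a question mark would otherwise shift the field boundaries or turn into a wildcard, so a CPE name built from publisher-supplied tag text must be quoted before it is used for vulnerability matching.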
The WiX development team has removed the last excuse for Windows software publishers not to support standardized software identification (SWID) tags. This is a win for consumers, who will start to see better, more accurate and less expensive technology for software logistics, security and compliance activities.
Hot off the press: the WiX installer team announced that WiX supports ISO/IEC 19770-2 SWID tags. With this announcement, all three major Windows installation tools – Advanced Installer, InstallShield and now WiX – provide native support for the creation and installation of SWID tags.
The software supply chain and management process is a complete mess, and the situation will get worse with the addition of new computing platforms and alternative licensing requirements for virtual and cloud-based environments. Unless the status quo changes, everyone in the software ecosystem will end up spending more on management and less on development, which means higher overhead for everyone.
There is a better way, and it starts with a very simple expectation: software should automatically and consistently provide authoritative identification information for every single title by every publisher across every platform. Does authoritative software identification solve the whole problem? No. However, it does fix numerous problems in the supply and management chain that cost excessive money, time and resources today, and it enables better solutions across the whole industry in the future.