Software publishers today are under increasing pressure to let the organizations that use their products manage those products easily, quickly and accurately. Depending on the user base, purpose and functionality of your software, there are differing reasons why accurate software identification is critical:
- Security for configuration issues – Heartbleed is a good example: plenty of documentation exists telling which versions of which products are affected, but other than SWID tags there is no canonical, machine-readable way to specify those versions so that every discovery and identification tool can work with the same data. With SWID tags, vendors can specify every instance of vulnerable software in a form that discovery and inventory systems can use to flag vulnerable systems automatically.
- Security for white listing – white listing (application allowlisting) is very difficult to do in a way that is sustainable and flexible enough for most organizations. Using SWID tags with file manifests, software users can simply identify the vendors they trust; digitally signed SWID tags carrying file manifest data (file names, sizes and hashes) then identify the commercially developed, and therefore trusted, executable files that the vendor actually shipped.
- Licensing – commercial software vendors stress that licensing matters for adhering to software entitlement rules. Unfortunately, it is very expensive to manage licenses effectively, because no tools do a great job of identifying all installed applications correctly (your mileage, as they say, will vary – see this whitepaper for more details).
There’s more information provided later on this page…
The following are some free resources available to everyone. Plenty of commercial tools can be found by searching for 19770-2 or SWID in your favorite search engine.
- NIST has written an interagency report (NISTIR 8060) that gives tool developers most of the information they need to start working with SWID tags.
- Veritas has been using SWID tags based on the 19770-2:2015 standard for some time, and its tags indicate relationships between its software products, which makes the discovery data set much richer for security and licensing purposes. Download a .zip file that contains the sample SWID tags that Veritas provides with its Enterprise Vault product.
- WiX is a free installation scripting engine for building Windows Installer (MSI) packages. It is used heavily by large publishers because of its flexibility for things like embedding components into an installer. WiX is free and open source, and paid support is available from FireGiant if your organization needs support for the tools it uses. WiX supports the 19770-2:2015 standard for SWID tag creation.
A few examples of why accurate software inventory is important – at least for U.S. governmental organizations:
- Executive Order 13103 requires that all federal agencies maintain accurate software inventories and comply with their software license agreements.
- The CIS Critical Security Controls (formerly the SANS Top 20) call for organizations to automatically and reliably track every software title installed and used on every system, validate that it is a known and approved title, and securely and independently verify the publisher.
- The MEGABYTE Act of 2016 (Making Electronic Government Accountable By Yielding Tangible Efficiencies) has a good acronym but a horrible title. Be that as it may, it directs the Office of Management and Budget (OMB) to require agencies to account for the software they have installed, the usage of that software, and the financial savings they achieve through better management of it. This is a great goal, but it is predicated on knowing what you have installed and what you own, and most agencies have very limited, or even no, visibility into these details.
- Numerous sources explain why Software Asset Management is required for commercial and non-profit organizations as well. Read the TagVault.org whitepaper on software asset management for additional details.
Providing information that facilitates accurate software inventory and automated license reconciliation is in software publishers' best interests anyway: it helps enterprises pay for the software they legitimately use. Providing this information in discoverable form saves you from pursuing expensive audits and court cases to claim licensing fees you are due. If everyone can identify installed software accurately, there is no excuse for falling out of compliance.
Obviously, an industry-standard approach is the only one that will work, since software consumers will not adopt a different practice for identifying and reconciling software from every software publisher. ISO/IEC 19770-2 software identification tags (SWID tags) are the international standard for tagging software for automated identification. SWID tags are small XML files shipped and installed with software products; each one records the product name, version, a unique tag identifier and the publisher's registration id (regid), and may carry a file manifest and a digital signature. Discovery tools use the information contained in the tags to definitively identify installed software. Additional tools can then reconcile inventory records against purchasing and licensing data to ensure compliance.
As a software publisher, you can now create a validated regid and normalized, validated SWID tags, which are all you need to start rolling out software identification tags with your published software. Join Adobe, Hewlett Packard, IBM, Microsoft, Symantec and other industry leaders in voluntarily allowing your software to be validated and uniquely identified, to address consumers' demands for more transparent software installation, entitlement and licensing information.
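As an added example of the two security uses described above (matching an installed product against a list of affected versions, and checking a signed tag's file manifest against what is on disk), the following Python is not TagVault.org's, NIST's or any vendor's code. The 19770-2:2015 namespace and the SHA-256 hash attribute namespace are the real ones used by the standard and in NISTIR 8060; the publisher "Example Corp", its regid example.com, the product, the file content and the affected-version range are all constructed for the example. It deliberately stops short of XML Signature verification, which a real allowlisting agent must perform before trusting the manifest.

```python
"""Parse an ISO/IEC 19770-2:2015 SWID tag, check it against an affected-version
list, and verify its file manifest against files on disk.

Added example, not code from TagVault.org or a tag vendor. The publisher,
product, regid and affected range below are constructed.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET  # for tags from untrusted sources prefer defusedxml

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample payload: "Example Corp" / example.com is not a real publisher.
SAMPLE_FILE_REL = os.path.join("bin", "vault.bin")
SAMPLE_FILE_BYTES = b"constructed sample binary, not real software\n"


def sample_tag_xml(file_bytes=SAMPLE_FILE_BYTES):
    """Build a 19770-2:2015 tag whose Payload lists one file with size and SHA-256."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Example Vault" version="11.2.3" versionScheme="multipartnumeric"
    tagId="example.com-ExampleVault-11.2.3" tagVersion="1">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Payload>
    <Directory name="bin">
      <File name="vault.bin" size="{len(file_bytes)}" SHA256:hash="{digest}"/>
    </Directory>
  </Payload>
</SoftwareIdentity>"""


def _walk(node, path, files):
    """Flatten nested Directory/File elements into (relative path, size, sha256)."""
    for child in node:
        if child.tag == f"{{{SWID_NS}}}Directory":
            _walk(child, path + [child.get("name")], files)
        elif child.tag == f"{{{SWID_NS}}}File":
            files.append((os.path.join(*path, child.get("name")),
                          int(child.get("size", "-1")),
                          child.get(f"{{{SHA256_NS}}}hash")))


def parse_swid(xml_text):
    """Extract the identity attributes, the tagCreator regid and the file manifest.
    NOTE: the ds:Signature element, if present, is NOT verified here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    creator = None
    for ent in root.iter(f"{{{SWID_NS}}}Entity"):
        if "tagCreator" in ent.get("role", "").split():
            creator = ent.get("regid")
    files = []
    payload = root.find(f"{{{SWID_NS}}}Payload")
    if payload is not None:
        _walk(payload, [], files)
    return {"name": root.get("name"), "version": root.get("version"),
            "versionScheme": root.get("versionScheme"), "tagId": root.get("tagId"),
            "regid": creator, "files": files}


def version_key(version):
    """multipartnumeric versions compare as tuples of integers."""
    return tuple(int(part) for part in version.split("."))


def is_affected(tag, affected):
    """affected: list of (regid, product name, first bad version, last bad version),
    both bounds inclusive. Matching on regid + name avoids false hits on a
    different publisher's product that happens to share a name."""
    if tag["versionScheme"] != "multipartnumeric":
        raise ValueError("only multipartnumeric versions are compared here")
    v = version_key(tag["version"])
    return any(tag["regid"] == regid and tag["name"] == name
               and version_key(lo) <= v <= version_key(hi)
               for regid, name, lo, hi in affected)


def verify_manifest(tag, install_root):
    """Return a list of problems; an empty list means every listed file matches."""
    problems = []
    for rel, size, digest in tag["files"]:
        path = os.path.join(install_root, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if size >= 0 and len(data) != size:
            problems.append(f"size mismatch: {rel}")
        if hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo(tamper=False):
    """Install the constructed sample into a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, SAMPLE_FILE_REL), "wb") as fh:
            fh.write(SAMPLE_FILE_BYTES + (b"patched" if tamper else b""))
        tag = parse_swid(sample_tag_xml())
        affected = [("example.com", "Example Vault", "11.2.0", "11.2.5")]  # constructed
        return is_affected(tag, affected), verify_manifest(tag, root)


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

The version comparison only handles the multipartnumeric scheme; tags using other schemes (alphanumeric, decimal, semver-style) need their own comparator, which is exactly why 19770-2 carries the scheme in the tag rather than leaving tools to guess. A manifest match proves nothing unless the tag itself is trusted, so in practice the order is: verify the tag's XML Signature against the publisher's certificate, confirm the tagCreator regid is one you trust, and only then treat the hashes in the Payload as an allowlist.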
TagVault.org, and your peer members, can provide tools and processes to support your introduction of SWID tags. Join today.
How TagVault.org Helps
TagVault.org is promoting the widespread adoption of the software identification tag standard, ISO/IEC 19770-2. As a software publisher, this widespread adoption helps you encourage clients to comply with licensing entitlements without expensive audits or legal action. In future, large software consumers are likely to mandate software tag support as part of their procurement requirements.
SWID tags are also starting to become common in software purchasing requirements. This is especially true of the Department of Defense, which placed the ISO/IEC 19770-2 standard on the DoD Information Technology Standards Registry (DISR) in preparation for requiring SWID tags from its ISVs.
Finally, TagVault.org, along with various member organizations, can save ISVs from spending hours working out the best approach to integrating SWID tags into their products, validating the data and digitally signing it. With drop-in tools and industry best practices already defined, TagVault.org makes the process easy and quick and, above all, ensures interoperability.
Work with TagVault.org now to stay ahead of the curve and introduce processes to create, certify and publish software tags.