What is a Software Identification Tag?
A software identification tag is an XML file that is installed alongside software and uniquely identifies it, providing data for software discovery, inventory and asset management tools.
With the introduction of industry-standard software identification tags, it becomes possible to automate the processes of gathering software discovery data for use in security, compliance, logistics and other related software IT processes.
Organizations like Microsoft have started to incorporate SWID tags into their new software releases and have indicated they will eventually include SWID tags in existing products through the patch processes.
In addition to organizational efforts like those of Microsoft, TagVault.org is building a repository of tags for legacy applications published and installed before the introduction of software identification tags, to extend the benefits of software identification tags to these legacy applications. The repository is available to members of TagVault.org.
Who Creates Software Identification Tags?
Software publishers create software identification tags for their software, using tools provided by TagVault.org, or their own proprietary tools that produce tags in the industry-standard format.
Software identification tags are certified and digitally signed, providing assurance to software consumers that the software they’ve received comes from the advertised publisher and has not been tampered with.
Software purchasing organizations can also create tags that are then deployed with every application that is processed through the desktop management system. These end-user SWID tags can readily be distinguished from publisher tags to ensure there is no mistaken overlap between tags installed on a computing device.
Where Are Software Identification Tags Stored?
Software identification tags are stored on the computers on which software is installed. The standard allows for operating system vendors to specify where software identification tags are located. If the platform provider doesn’t specify a location, software identification tags are stored in commonly known shared locations such as:
- /Library/Application Support/ on Apple Macintosh OS X Leopard
- Application Directory//contents on Apple Macintosh OS X versions earlier than Leopard
- /usr/share/ on UNIX and Linux
- %AllUsersProfile%\Application Data\ on Windows 2000, XP and Server 2003
- %ProgramData%\ on Microsoft Vista and later and Microsoft Server 2008 and later
Software identification tag files have .swidtag file extensions for easy recognition.
How Are Software Identification Tags Protected From Tampering?
Certified software identification tags are digitally signed to validate that the publisher is a known entity and has followed the specified set of requirements for providing their software information.
Third-party organizations can independently and authoritatively validate that the signed elements of the certified tag have not been modified. Digital signatures, along with validation routines and/or secure file manifests, give end-user organizations confidence that software is installed from a known publisher, and significantly more confidence in inventory reports.
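As an added example (not code from TagVault.org or from the standard), the sketch below shows how an inventory tool might walk a tag directory for .swidtag files and flag tags that are unparseable, unsigned, or created by someone other than a known publisher. It assumes the ISO/IEC 19770-2:2015 schema (`SoftwareIdentity`, `Entity`, `tagId`, `regid`, `role`); the sample tags and regids are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"  # assumed 2015 schema

def inspect_tag(path):
    """Summarise one .swidtag file; malformed files are reported, not fatal."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError) as exc:
        return {"path": str(path), "error": str(exc)}
    creators = [e.get("regid") for e in root.iter(f"{{{SWID}}}Entity")
                if "tagCreator" in (e.get("role") or "").split()]
    return {"path": str(path), "name": root.get("name"), "tag_id": root.get("tagId"),
            "creators": creators,
            # Presence only: the signature itself is NOT verified here.
            "signed": root.find(f".//{DSIG}") is not None}

def findings(entry, publisher_regids):
    """Return the reasons an inventory tool should not trust this tag as-is."""
    if "error" in entry:
        return ["unparseable"]
    out = []
    if not entry["signed"]:
        out.append("unsigned")
    if not set(entry["creators"]) & set(publisher_regids):
        out.append("tag creator is not a known publisher")
    return out

def scan(roots, publisher_regids):
    """Walk each root for *.swidtag files and map file name -> findings."""
    return {p.name: findings(inspect_tag(p), publisher_regids)
            for r in roots for p in sorted(Path(r).rglob("*.swidtag"))}

def demo():
    """Constructed sample tags written to a temp dir, then scanned."""
    tag = ('<SoftwareIdentity xmlns="%s" name="Example App" tagId="example-1" version="1.0">'
           '<Entity name="%s" regid="%s" role="tagCreator"/>%s</SoftwareIdentity>')
    sig = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/>'  # empty placeholder
    with tempfile.TemporaryDirectory() as d:
        Path(d, "vendor.swidtag").write_text(tag % (SWID, "Vendor", "vendor.example", sig))
        Path(d, "it-dept.swidtag").write_text(tag % (SWID, "IT", "corp.example", ""))
        Path(d, "broken.swidtag").write_text("<SoftwareIdentity")
        return scan([d], {"vendor.example"})

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", why or "ok")
```

A tag that passes these checks still needs its signature validated against the publisher's certificate before its contents are treated as authoritative; the `signed` field only records that a signature element exists.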
I Am a Software Publisher. What Do I Need To Do?
In order to provide software identification tags with your software, you need to:
- Create an XML file that follows the SWID structure defined in the ISO/IEC 19770-2 standard
- Install the created SWID tag with your software at installation time
- Create a regid with a SWID certification organization
- Validate that the SWID tags created meet specified certification criteria and digitally sign the results (TagVault.org provides a tool that automates this process).
TagVault.org, and your peer members, can help you with tools and processes if required.
I Am a Tools Provider. How Do I Work With Software Identification Tags?
The format and location of software identification tags are specified by the standard. You should purchase and familiarize yourself with the standard in order to determine how best to have your tools work with software identification tags.
TagVault.org’s members are provided with additional resources to meet the needs of software consumers, including government agencies and SAM practitioners.
I Purchase, Install and Manage Software. What Do I Need To Do?
If you are responsible for software management in an organization, you need to require more authoritative data from your ISVs for monitoring software installations, and ensure that the data you receive can be used for security, compliance and logistics needs throughout your software supply and management processes. As a software consumer, you can specify in purchasing contracts that you require software identification tags, to encourage uptake of this standard across the software industry.
For additional whitepapers on specifying SWID requirements and the benefits of SWID, follow this link.