CPE end-of-year update


Brant Cheikes

CPE Community,


As 2011 draws to a close, I want to wish you all happy holidays, and share a few bits of CPE news and some things to look forward to in 2012.


The most significant CPE-related event of 2011 was the August release of the final CPE 2.3 specification suite (cf. http://scap.nist.gov/specifications/cpe/) and the incorporation of CPE 2.3 into SCAP 1.2 (cf. http://scap.nist.gov/revision/1.2/index.html).  Work on CPE 2.3 began in March 2010 (!), led by an active “core team” with representatives from MITRE, NIST, DoD, Cisco, nCircle, and McAfee.  I thank the core team members for their persistence and commitment, and I also thank the broader CPE community for the many comments and suggestions you offered, which substantively improved the quality of the final products.


In 2012, NIST will be rolling out support for a CPE 2.3-conformant CPE Dictionary.  To make the new Dictionary useful to CPE users, this community will need to carefully work through a number of issues having to do with naming conventions and dictionary-management practices.  Just this week we got a little sneak peek into one of those issues—i.e., conventions to be used when assigning values to the newly-introduced “target_hw” attribute of CPE names.  I hope you’ll participate in these conversations as actively as your many other commitments allow.


Also in 2011, MITRE joined TagVault.org as a Corporate Member.  TagVault is the certification authority for ISO/IEC 19770-2 “software identification tags” (SWID tags) and ISO/IEC 19770-3 “software entitlement tags”, and has been actively promoting adoption of SWID tagging within the software publishing industry.  The more I’ve learned over time about SWID tagging, the more impressed I’ve become with its value proposition to software vendors, the clear synergies with CPE, and the strong benefits that wide adoption of SWID tagging would seem to offer the security-automation community.  If you’re not familiar yet with SWID tagging, I strongly encourage you to visit TagVault.org’s website to learn more.  While I’ve been coming up to speed on SWID tagging, Steve Klos, Executive Director of TagVault, joined the CPE discussion list some months ago, attended the recent ITSAC’2011 conference, and has been learning about CPE and SCAP.


In 2012 I hope to foster active discussion within the CPE community about ways in which we can collaborate with the SWID community to our mutual benefit.  Over the last few months, Steve and I have been working together on a proposal to enhance the ISO/IEC 19770-2 standard to incorporate CPE names into SWID tags.  If this proposal succeeds, it will mean that software publishers themselves would increasingly create and assign CPE names to their products as part of the product-release process.  This would have tremendous positive impact on the CPE Dictionary’s quality, completeness and consistency.  Expect to hear more about this soon!


Happy New Year from cpe.mitre.org!




Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

