Microsoft announces support for ISO/IEC 19770-2:2009 Software Identification Tags

Microsoft announces support for ISO/IEC 19770-2:2009 Software Identification Tags

Brant Cheikes

CPE Community,

 

Last week Microsoft announced:  Microsoft is collaborating with national standards bodies and industry leading groups to further the development of the ISO/IEC 19770-2:2009 standard for software identification tags. We are folding ISO/IEC 19770-2:2009 support into our product planning cycles, and will begin to include these tags in future product releases.

http://www.microsoft.com/sam/en/us/softwareid.aspx

 

This is a significant step forward for efforts to standardize software product naming and discovery.  To the extent that software identification (SWID) tags become pervasive, it will greatly ease the challenges associated with inventorying the software products installed on computing endpoints and correlating inventory information with vulnerability reports, security guidance, etc.

 

As I announced earlier this year, MITRE and TagVault.org have been working together on a proposal to integrate CPE names into SWID tags, with the goal of enabling publishers to create valid CPE names at the same time they create SWID tags for their products.  The first version of this proposal is posted on the TagVault website:

http://tagvault.org/Automating_CPE_name_creation

 

During the July 2012 SCAP Developer Days Conference at MITRE Bedford, we anticipate two related sessions, one providing a general overview of SWID tags, and a second focusing specifically on the proposal for embedding CPE names in SWID tags.  This will be a great opportunity to learn more about software identification tags and interoperability with CPE.

 

Cheers,

/Brant

 

The MITRE Corporation

202 Burlington Road, M/S K302

Bedford, MA  01730-1420

Tel. 781-271-7505, Cell. 617-694-8180

Re: Microsoft announces support for ISO/IEC 19770-2:2009 Software Identification Tags

steveklos

Folks,

 

I wanted to give a very quick update to this e-mail from Brant.

 

Based on further communications with ISO development members and with TagVault.org members, some additional elements are being added to the SWID extended set.  These elements generally augment software identification efforts for security, compliance and logistics in a generic sense, but also remove some of the issues that were voiced regarding the resulting CPE names that would be generated.  Since these new elements provide additional capability to the SWID tag in a generic sense, the final versions of these elements will be incorporated into the ISO/IEC 19770-2 revision which will start in August.

 

Getting to the point, CPE names generated from certified SWID tags using these newly defined elements will look as follows:

 

    cpe:2.3:a:tagvault.org:Tag_Creation_and_Signing_Utility:1.0.0.0:-:-:-:-:-:-:certified_tag
    cpe:2.3:a:symantec.com:Enterprise_Vault:10.0.1.0:-:-:-:-:-:-:certified_tag
    cpe:2.3:a:microsoft.com:Office_2007:12.0.6607.1000:service_pack_3:-:-:Professional:-:-:certified_tag

 

A few notes –

 

1) Because we need to ensure unique IDs for the companies, the domain name is being used – this is the same as with Version 1.0 of the integration document.

2) We have added a product_name to the SWID tag.  The product name is different from the data in the add-remove program list, so instead of “Microsoft Office Professional 2010” that we saw in V1, we now will see “Office…”.

3) There is one issue when it comes to versions (and the product attribute) – software applications have two versions as far as CPE is concerned.  There is the marketing version (in Office that would be 2003, 2007, 2010, etc.) and the product version 11.xxx, 12.xxx, 14.xxx (note, there is no version 13 of the product version in distribution).  CPE only has one area for version data, and because CPE names and the SCAP infrastructure should typically be more about code base changes than the licensing version, we’ve incorporated the licensing version number in the title as the second component.  This will mean that a wildcard will need to be used for applicability statements, but only in those cases where a whole set of different licensing versions are included.

4) The rest should be relatively obvious, with two remaining details:

a. The update attribute (in SWID vernacular, the product_update) will be defined by the publisher as they want to see it, so it may be SP2 or Service_Pack_2.  The key is that it will be consistently applied by way of validating the data against a registration DB.

b. The target_hw attribute (in SWID vernacular, the target_platform) will validate against a registration set of data, but thus far I’ve not found a good source of initial values to include.  X32 and X64 seem to be used relatively consistently, but if anyone has a good source of platform values (especially one that includes definitions) and that list can be included in the TagVault.org document, please let me know.

Enjoy…

 

Cheers,

 

SK

 

From: Cheikes, Brant A. [mailto:[hidden email]]
Sent: Monday, April 23, 2012 5:52 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Microsoft announces support for ISO/IEC 19770-2:2009 Software Identification Tags

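The attribute placement Steve describes in points 1 to 4b, worked through as an added example that is not TagVault.org's or MITRE's code: it reads a small SWID-style tag and emits a CPE 2.3 formatted-string name laid out like the three example names in his message. Only the element names product_name, product_update and target_platform come from the thread; the rest of the XML layout, the sample tag, the regid-to-domain derivation and the `cpe_value` binding rules (whitespace to underscore, other punctuation backslash-escaped) are assumptions made here, not the ISO/IEC 19770-2:2009 schema and not the registration-DB validation the proposal relies on.

```python
"""Derive a CPE 2.3 formatted-string name from SWID tag data.

Added example for this thread; it is not TagVault.org's or MITRE's code and
does not implement the ISO/IEC 19770-2:2009 schema.  Only the element names
product_name, product_update and target_platform are taken from the message
above; the rest of the XML layout is assumed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample tag (not a real publisher tag).  Its values mirror the
# Office 2007 example name in the message.  The regid form is assumed to be
# 'regid.YYYY-MM.<reversed domain>'.
SAMPLE_TAG = """<software_identification_tag>
  <software_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.2012-04.com.microsoft</regid>
  </software_creator>
  <product_name>Office</product_name>
  <product_version>
    <name>2007</name>
    <numeric>12.0.6607.1000</numeric>
  </product_version>
  <product_update>service pack 3</product_update>
  <edition>Professional</edition>
</software_identification_tag>
"""

NA = "-"  # CPE logical value "not applicable", used for empty attributes


def regid_to_domain(regid: str) -> str:
    """'regid.2012-04.com.microsoft' -> 'microsoft.com' (assumed regid layout)."""
    m = re.fullmatch(r"regid\.\d{4}-\d{2}\.(.+)", regid.strip())
    if not m:
        raise ValueError(f"unrecognised regid: {regid!r}")
    return ".".join(reversed(m.group(1).split(".")))


def cpe_value(text: Optional[str]) -> str:
    """Bind one attribute value for the formatted string.

    Empty -> '-'.  Runs of whitespace become '_' (as in the example names);
    every character outside [A-Za-z0-9._-] is backslash-escaped so that a
    publisher-supplied ':' or '*' cannot shift or wildcard later fields.
    """
    if text is None or not text.strip():
        return NA
    joined = "_".join(text.split())
    return re.sub(r"[^A-Za-z0-9._-]", lambda mt: "\\" + mt.group(0), joined)


def swid_to_cpe(tag_xml: str) -> str:
    """Apply the attribute placement described in the message:

    vendor     <- creator domain (point 1)
    product    <- product_name + '_' + marketing version (points 2 and 3)
    version    <- numeric code-base version (point 3)
    update     <- product_update as the publisher wrote it (point 4a)
    sw_edition <- edition, the 'Professional' slot in the Office example
    target_hw  <- target_platform, '-' when absent (point 4b)
    other      <- 'certified_tag'
    """
    root = ET.fromstring(tag_xml)

    def field(path: str) -> str:
        return (root.findtext(path) or "").strip()

    product = "_".join(
        p for p in (field("product_name"), field("product_version/name")) if p
    )
    components = [
        "a",                                          # part: application
        cpe_value(regid_to_domain(field("software_creator/regid"))),
        cpe_value(product),
        cpe_value(field("product_version/numeric")),  # version
        cpe_value(field("product_update")),           # update
        NA,                                           # edition (legacy slot)
        NA,                                           # language
        cpe_value(field("edition")),                  # sw_edition
        NA,                                           # target_sw
        cpe_value(field("target_platform")),          # target_hw
        "certified_tag",                              # other
    ]
    return "cpe:2.3:" + ":".join(components)


def split_cpe(name: str) -> List[str]:
    """Split a formatted string on unescaped ':' only ('\\:' stays in its value)."""
    return re.split(r"(?<!\\):", name)


if __name__ == "__main__":
    name = swid_to_cpe(SAMPLE_TAG)
    print(name)
    print(split_cpe(name))
```

Running the file prints the Office name from the thread. The escaping in `cpe_value` is the part worth keeping even if the rest is replaced: a product_update or edition value that a publisher types with a colon would otherwise shift every later attribute, and `split_cpe` shows the consumer-side rule (split on unescaped colons only) that keeps the two ends in agreement.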