Software is part of the critical infrastructure for the modern world. Enterprises and individuals routinely acquire software products and deploy them on the physical and virtual computing devices they own or operate. A core software asset management (SAM) process is software inventory management: building and maintaining an accurate and complete inventory of all software products deployed on all of the devices under an organization's or individual's operational control.
Discovery is technically challenging because of the enormous variation across the software industry in what it means to be a unit of software. For example, a single unit of software may consist of a combination of executable files, data files, configuration files, library files, and more. A single unit of software may also include supporting software units that can be independently installed and executed, as well as changes to the underlying operating environment, such as the addition of device drivers and of entries in tables and databases maintained by the operating system.
The SWID tag standard was developed to help overcome the technical challenges associated with software discovery, identification, and contextualization, and thereby to improve the accuracy and reliability of software asset management processes. SWID tags aid discovery by furnishing a standardized indicator of a software product's presence on a device. Tags aid identification by including a consistent label for the product within the tag. Finally, tags aid contextualization by allowing a wide variety of related product details to be supplied, including the product's full name and version.
There are three primary methods that may be used to ensure SWID tags are available on devices with installed software:
- SWID tags created by the software creator or publisher and installed with the software are the most authoritative for identification purposes.
- Organizations can create their own SWID tags for any software title that does not include a tag, allowing the organization to track software installations in its network environment more accurately.
- Third-party discovery tools may optionally add tags to a device as software titles are discovered.
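The tag contents described above (a presence indicator, a consistent identifier, and product details such as name and version) and the three tag sources just listed can be shown concretely. What follows is an added example written for this page, not code from the standard, from TagVault.org or from any vendor: a small Python reader for an ISO/IEC 19770-2:2015 tag that extracts the identification fields, judges whether the tag is authoritative in the NISTIR 8060 sense (the tag creator is also the software creator, licensor or aggregator), corroborates the tag's presence claim by checking its Payload file hashes against what is actually installed, and builds an organization-created tag for software that shipped without one. The product, its file, the regids and the tagIds are all constructed for the example.

```python
"""Minimal ISO/IEC 19770-2:2015 SWID tag reader and writer (added example).

Everything below the namespace constants is hypothetical sample data: the
product "Widget Server", its single file, and the regids/tagIds are made up.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("", SWID_NS)          # serialize as the default namespace
ET.register_namespace("SHA256", SHA256_NS)  # prefix used for File/@SHA256:hash


def q(tag: str) -> str:
    """Qualify a 19770-2 element name with the SWID namespace for ElementTree."""
    return f"{{{SWID_NS}}}{tag}"


# Constructed stand-in for the filesystem: the one file this product installs.
SAMPLE_FILES = {"widgetd": b"#!/bin/sh\necho widgetd 2.1.0\n"}

# Constructed publisher tag, as the software creator would install with the product.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Widget Server" version="2.1.0" versionScheme="multipartnumeric"
    tagId="example.com-WidgetServer-2.1.0" corpus="false" patch="false">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Payload>
    <File name="widgetd" size="{len(SAMPLE_FILES['widgetd'])}"
          SHA256:hash="{hashlib.sha256(SAMPLE_FILES['widgetd']).hexdigest()}"/>
  </Payload>
</SoftwareIdentity>
"""


def parse_swid(xml_text: str) -> dict:
    """Pull the discovery, identification and context fields out of one tag."""
    root = ET.fromstring(xml_text)
    if root.tag != q("SoftwareIdentity"):
        raise ValueError(f"not a 19770-2:2015 SWID tag: {root.tag}")
    for attr in ("name", "tagId"):          # required by the schema; version is optional
        if not root.get(attr):
            raise ValueError(f"SWID tag is missing required attribute {attr!r}")
    entities = [
        {"name": e.get("name"), "regid": e.get("regid"),
         "roles": frozenset(e.get("role", "").split())}   # role is a space-separated list
        for e in root.findall(q("Entity"))
    ]
    files = {                                # File elements under Payload or Evidence
        f.get("name"): {"size": int(f.get("size", "0")),
                        "sha256": f.get(f"{{{SHA256_NS}}}hash")}
        for f in root.iter(q("File"))
    }
    return {"name": root.get("name"), "version": root.get("version"),
            "tagId": root.get("tagId"), "entities": entities, "files": files}


def is_authoritative(tag: dict) -> bool:
    """Authoritative per NISTIR 8060: the tagCreator is also the software
    creator, licensor or aggregator. A tag an end user or a discovery tool
    wrote for someone else's product therefore does not qualify."""
    return any("tagCreator" in e["roles"]
               and e["roles"] & {"softwareCreator", "licensor", "aggregator"}
               for e in tag["entities"])


def verify_payload(tag: dict, installed: dict) -> list:
    """A tag only claims that a product is present. Corroborate the claim by
    checking each listed file's size and SHA-256 against the installed bytes
    (here a dict standing in for the filesystem). Returns the failing names."""
    bad = []
    for name, meta in tag["files"].items():
        data = installed.get(name)
        if (data is None or len(data) != meta["size"]
                or hashlib.sha256(data).hexdigest() != meta["sha256"]):
            bad.append(name)
    return bad


def make_org_tag(org_regid: str, org_name: str, product: str, version: str) -> str:
    """Build an organization-created tag for a title that shipped without one.
    Only the tagCreator role is claimed, so the result is correctly non-authoritative."""
    slug = re.sub(r"[^A-Za-z0-9.]+", "-", product)
    root = ET.Element(q("SoftwareIdentity"), {
        "name": product, "version": version, "versionScheme": "multipartnumeric",
        "tagId": f"{org_regid}-{slug}-{version}", "corpus": "false", "patch": "false"})
    ET.SubElement(root, q("Entity"),
                  {"name": org_name, "regid": org_regid, "role": "tagCreator"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tag = parse_swid(SAMPLE_TAG)
    print(tag["name"], tag["version"], tag["tagId"], "authoritative:", is_authoritative(tag))
    print("payload mismatches:", verify_payload(tag, SAMPLE_FILES))
    print("tampered binary:", verify_payload(tag, {"widgetd": b"#!/bin/sh\necho replaced\n"}))
    org = parse_swid(make_org_tag("corp.example", "Example Corp IT", "Legacy Tool", "4.2"))
    print(org["tagId"], "authoritative:", is_authoritative(org))
```

The payload check is the part an inventory or vulnerability-management consumer should not skip: a tag file left behind after an uninstall, or dropped by an attacker, still parses as a valid presence claim, and only the file hashes tie it to what is actually on the device.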
SWID Tags offer benefits to creators of software products as well as those who acquire and use those software products. Specifically:
c. End-user organizations
Organizations and entities that use information contained in SWID tags to support higher-level software-related business and cybersecurity functions. Categories of tag consumers include software consumers, inventory/discovery tools, inventory-based cybersecurity tool providers (e.g., providers of software vulnerability management products, which rely on accurate inventory information to support accurate vulnerability assessment), and organizations that use these tools.
d. Tag producers
Organizations and entities that create SWID tags for use by others in the market. Ideally, the organizations involved in creating, licensing, and distributing software products will also create the tags that accompany their products, because these organizations are best able to ensure that the tags contain correct, complete, and normalized data. In other cases, tags may be produced and distributed by other entities, including third parties, and through the use of automated tools.
The implementation of SWID tags supports these stakeholders throughout the entire software lifecycle from software creation and release through software installation, management, and retirement.
Non-profit organizational support
In 2009, a non-profit organization called TagVault.org was formed under IEEE-ISTO to promote the use of SWID tags. TagVault.org acts as a registration and certification authority for ISO/IEC 19770-2 software identification tags (SWID tags) and provides tools and services allowing all SAM ecosystem members to take advantage of SWID tags faster, at lower cost and with more industry compatibility than would otherwise be possible. SWID tags can be created by anyone, so individuals and organizations are not required to be members of TagVault.org to create or distribute tags.
Commercial organizational support
Numerous Windows installation packaging tools support SWID tags, including:
- Caphyon's Advanced Installer
- Flexera Software's InstallShield
- Flexera Software's InstallAnywhere
- Windows Installer XML Toolset (WiX), which is open source
Many software discovery tools already utilize SWID tags, including Altiris, Aspera License Management, Belarc’s BelManage, Snow Inventory, CA Technologies discovery tools, Eracent’s EnterpriseAM, Flexera Software’s FlexNet Manager Platform, HP’s Universal Discovery, IBM Endpoint Manager, and Microsoft’s System Center 2012 R2 Configuration Manager.
Symantec has also released multiple products that include SWID tags and is committed to helping move the software community to a more consistent and normalized approach to software identification and eventually to a more automated approach to compliance.
IBM started shipping tags with some software products in early 2014, and as of November all releases of IBM software include SWID tags. This equates to approximately 300 product releases a month that include SWID tags.
The US federal government has identified 19770-2 SWID tags as an important element of managing software compliance, logistics, and security processes. The 19770-2 standard has been listed in the US Department of Defense Information Standards Registry (DISR) as an emerging standard since September 2012. The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have recently discussed the need for SWID tags in the marketplace.
Standards development organization support
The Trusted Computing Group (TCG) is developing a standard, "TNC SWID Messages and Attributes for IF-M", that uses tag data for security purposes.
The National Cybersecurity Center of Excellence (NCCoE) has documented the Software Asset Management Continuous Monitoring building block that specifies how SWID tags are used for the near real-time identification of software.
The National Institute of Standards and Technology (NIST) is in the process of creating documentation that specifies how SWID tags will be used by governmental organizations including the Department of Homeland Security. David Waltermire presented information describing the NIST Security Automation Program and how SWID tags can support that effort.
The National Institute of Standards and Technology (NIST) published "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags," NISTIR 8060, April 2016.
An overview of the standard is available in English from ISO.