The Management of SWID Tags for Software Installations

While SWID Tags demonstrate a possible standards-based way of tracking the state of installed software products, their fitness to support patch management processes depends on the availability and accuracy of deployed tags. Unfortunately, today most vendors never update a tag after it is installed on the endpoint. As a result, these tags fall out of date as soon as that product is updated. Once this happens, these tags are no longer usable for patch or update management as the state of the associated software product will differ from that reported by the tag.

To address this issue, vendors need to actively manage the SWID Tags that they deploy. This means that every change to a given software product must correspond to a detectable change in the endpoint’s SWID Tags for that product. There are two ways that vendors can accomplish this.

1. Vendors can replace old tags with a new tag that reflects the new state of a software product as part of the product’s patch or update process. This is appropriate for changes that are reflected in a product’s version information, which can be easily captured in a SWID Tag.
2. Vendors can install a SWID Patch Tag with any patches they release. SWID Patch Tags correspond to a patch for a software product and contain references to the software products modified by the patch. Patch tags are useful for changes that alter a product’s features or behavior, but which don’t necessarily alter its version.

If software vendors actively manage their tags using the previous methods, their tags will be able to provide visibility into the state of their software using vendor-neutral standards. This will allow enterprise administrators to use a single tool to track the state of all SWID-compliant software in their enterprise, which is a key first step towards determining when patches or updates are needed.

Vendors are encouraged to actively manage the tags they deploy. Doing this avoids problems related to stale tags reporting incorrect information about the state of associated software, and will instead allow customers to track and manage their software more simply, efficiently, and securely. Moreover, it allows enterprise administrators to do this tracking using information controlled by the software vendor, rather than relying upon information from third party tools which might need to infer installation state using less robust or accurate indicators.

For more information on actively managing SWID tags, please consult the ISO/IEC 19770-2:2015 standard, as well as the available supplementary guidance including the guidance provided in the NIST Internal Report (NISTIR) 8060 and TagVault’s SWID Tag signing guidance. Following this guidance will help to ensure your tags are actively managed and always correctly reflect the state of your software. Additionally, use of the SWID Tag Validation Tool can help you to ensure the SWID Tags you produce provide the information needed to support cybersecurity use cases.