Software Tagging for Software Consumers
IT security is a perennial issue. The methods of breaching security and the types of exploits may change, but the underlying problems remain the same.
For anyone who uses software, there is a critical need to ensure that installed software has come from a trusted source, and is tamper-proof.
For those responsible for software purchasing and software license compliance, the common issues are a need to maintain a full and accurate software inventory, and to reconcile that inventory against purchasing and licensing data to ensure that all installed software is legally licensed. Intelligent reporting is required to simplify this process and highlight any drift towards non-compliance.
Software tagging helps address both classes of issue.
Software Tagging for Software Assurance
At their simplest, software tags are small pieces of information attached to software applications as XML files. When the software application is installed on a computer, the information is also stored on the computer. Tools that can read software tags can therefore determine exactly what software is installed on a computer. This takes the guesswork out of trying to work out what software is installed by inspecting the registry, the file system and other system information.
Software tags can be certified and digitally signed by TagVault.org. When SAM tools discover certified tags, they validate the signed data. This offers third-party validation that the entity claiming to be the publisher is, in fact, the publisher. It also ensures that the data about discovered software as seen by SAM practitioners is exactly the same data as provided by the publisher, which allows the information to be used for security validation. The Consensus Audit Guidelines (CAG), specified for government-managed computers, identify an inventory of authorized and unauthorized software as a critical control for organizations. TagVault.org-certified software tags provide an authoritative level of inventory control that is unmatched.
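The inventory check described above, as an added example (not code from the original page or from TagVault.org). It assumes tags use the ISO/IEC 19770-2:2015 SWID element names, which the page does not specify; the tags, publishers and allowlist are constructed, and signature validation of certified tags is not performed.

```python
import xml.etree.ElementTree as ET

# Assumption: ISO/IEC 19770-2:2015 SWID namespace (the page names no schema).
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

# Constructed sample: tag files an inventory agent collected from one host.
SAMPLE_TAGS = [
    f'<SoftwareIdentity xmlns="{SWID_NS}" name="Example Editor" '
    'tagId="example.com-editor-4" version="4.2.0">'
    '<Entity name="Example Corp" regid="example.com" '
    'role="tagCreator softwareCreator"/></SoftwareIdentity>',
    f'<SoftwareIdentity xmlns="{SWID_NS}" name="Remote Helper" '
    'tagId="vendor.invalid-helper-1" version="1.0">'
    '<Entity name="Other Vendor" regid="vendor.invalid" '
    'role="softwareCreator"/></SoftwareIdentity>',
    '<!DOCTYPE x [<!ENTITY a "aaaa">]><SoftwareIdentity name="&a;"/>',
]

# Constructed allowlist of (publisher regid, product name) pairs.
AUTHORIZED = {("example.com", "Example Editor")}

def parse_tag(xml_text):
    """Return the tag's identifying fields, or None if it is unusable."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # refuse DTDs: tag files are untrusted input
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        return None
    regid = None
    for entity in root.findall(f"{{{SWID_NS}}}Entity"):
        if "softwareCreator" in entity.get("role", "").split():
            regid = entity.get("regid")
    name, tag_id = root.get("name"), root.get("tagId")
    if not (name and tag_id and regid):
        return None
    # Without signature validation these fields are unverified claims.
    return {"name": name, "version": root.get("version"), "regid": regid}

def reconcile(tags, authorized):
    """Split discovered tags into authorized, unauthorized and rejected."""
    report = {"authorized": [], "unauthorized": [], "rejected": 0}
    for text in tags:
        tag = parse_tag(text)
        if tag is None:
            report["rejected"] += 1
        elif (tag["regid"], tag["name"]) in authorized:
            report["authorized"].append(tag["name"])
        else:
            report["unauthorized"].append(tag["name"])
    return report
```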
Software Tagging for SAM
Current software asset management (SAM) processes usually rely on a combination of automated and manual processes:
- Automated processes inspect computers to try to determine what software is installed on them, using file names and sizes, registry entries and more.
- Manual processes are required to identify files and software not resolved by the automated processes, and to link up installed software with purchasing and licensing data.
These processes are inhibited by the fact that there has been no cross-platform, cross-vendor method of defining authoritative details about a software product, including:
- If it is part of a suite or bundle
- ...and more
This is the essence of software tags: providing details about software products that allow their installation to be detected as part of automated software inventory processes. With software tags and supporting tools, the process of automating software inventory collection and reconciliation with purchasing and licensing records will become cheaper, easier and faster.
Tools that inventory software and report on it can offer intelligence such as determining the United Nations Standard Products and Services Code® (UNSPSC) for each piece of installed software. UNSPSCs can then be used to group applications by function, simplifying accounting processes and allowing for intelligent analysis to consolidate the software in use across an organization.
How TagVault.org Helps
TagVault.org works with software publishers to implement tagging, broadening the number of software products that ship with software tags. TagVault.org is also developing a repository of software tags for legacy applications, ensuring you can regain control of your total software inventory, not just the newer products that are published with software tags.
As a TagVault.org member, you have access to the tools developed in conjunction with TagVault.org to support software assurance and SAM initiatives.
By joining TagVault.org, you gain access to the information and tools you need to validate your installed software, and automatically gather its inventory for reconciliation with licensing and purchasing records. Download the membership form now.