2017-08-21 SIG Scanning Meeting Notes

Apologies, there is no recording. I was going to manually record to avoid the long lead-in we had on the last one, but Zoom was giving me authorization issues on the day that prevented me from recording the meeting.

Eric Eskam of GSA attended to talk about their compliance requirements.

  • ISO 19770 defines standards for IT asset management
  • The 19770-2 subsection defines Software Identification Tags, used to uniquely describe a piece of software.
    • these tags (SWID tags) are distributed as additional files in a software package.
    • No relationship to CPE
    • An example of a SWID tag can be found below
  • The government is also a software publisher
    • GSA 18F - writes code for other agencies
    • Contractors hired to write code
  • Security vendors don’t know about that software
    • ROLIE is a standard being worked on to provide ATOM-like feeds of SWID tags
  • NIST IR 8060 is a publicly available specification of SWID tags for those that don’t want to pay to access the ISO
  • GSA working on tool to manage SWID tags where the commercial sector hasn’t provided them.
  • How does it relate to OSS?
    • Also important for inventorying OSS to make sure it’s up to date
    • Where community doesn’t do it, GSA will issue internal use tags.
    • Don’t think there’s any fee required to get a tag (tagvault.org)
    • Can GSA work with distribution vendors to get SWID tags in to major Linux distros?
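
To show what a consumer of these tags does with them on the inventory side, here is an added example (not from the meeting, GSA or any of the tools discussed) that parses a constructed tag in the ISO 19770-2:2015 layout that NIST IR 8060 describes, derives an inventory key from the tag-creator regid, and checks the payload file hash against what is actually installed; the product name, regid, tagId and file contents are made up.

```python
import hashlib
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample tag (not a real product): name, regid, tagId and payload
# file are made up; the hash is SHA-256 of the bytes b"hello".
SAMPLE_TAG = b"""<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256"
    name="ExampleTool" version="2.3.1" tagId="example.invalid-ExampleTool-2.3.1">
  <Entity name="Example Agency" regid="example.invalid" role="softwareCreator tagCreator"/>
  <Payload>
    <File name="exampletool" size="5"
          SHA256:hash="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"/>
  </Payload>
</SoftwareIdentity>
"""

def parse_swid(xml_bytes):
    """Return the inventory-relevant fields of a 19770-2:2015 SoftwareIdentity tag."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}SoftwareIdentity" % SWID_NS:
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    ns = {"swid": SWID_NS}
    entities = [{"name": e.get("name"), "regid": e.get("regid"),
                 "roles": e.get("role", "").split()}
                for e in root.findall("swid:Entity", ns)]
    files = [{"name": f.get("name"), "size": int(f.get("size", "0")),
              "sha256": f.get("{%s}hash" % SHA256_NS)}
             for f in root.findall("swid:Payload/swid:File", ns)]
    return {"name": root.get("name"), "version": root.get("version"),
            "tagId": root.get("tagId"), "entities": entities, "files": files}

def inventory_key(tag):
    """Correlation key for an asset inventory: tag-creator regid, product, version."""
    creator = next((e["regid"] for e in tag["entities"] if "tagCreator" in e["roles"]), "unknown")
    return "%s/%s/%s" % (creator, tag["name"], tag["version"])

def verify_payload(tag, installed):
    """Names of Payload files whose installed bytes are missing or differ in size or SHA-256."""
    bad = []
    for f in tag["files"]:
        data = installed.get(f["name"])
        if (data is None or len(data) != f["size"]
                or hashlib.sha256(data).hexdigest() != (f["sha256"] or "").lower()):
            bad.append(f["name"])
    return bad
```

A mismatch from verify_payload means the installed bits no longer match what the tag creator shipped, which is the signal an inventory or vulnerability scanner would flag for follow-up.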

The next meeting will be at the Moby Summit LA on September 14th starting at 1:15 PST https://www.eventbrite.com/e/moby-summit-los-angeles-tickets-35930560273

SWID example (Windows 10 Enterprise SWID tag):

<?xml version="1.0" encoding="utf-8"?>
<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
	<product_title>Windows 10 Enterprise</product_title>
		<name>Microsoft Corporation</name>
		<name>Microsoft Corporation</name>
		<name>Microsoft Corporation</name>