Some SWID Tag Resources

Some SWID Tag Resources

Waltermire, David A.
Here are some software identification (SWID) tag resources:

- Some general resources: https://scap.nist.gov/specifications/swid/

- NISTIR 8060 provides an overview of the capabilities and usage of SWID tags. It also provides requirements for SWID tags that enable various cybersecurity use cases.

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf

- There is the CoSWID draft nearing completion in the IETF which defines an alternate serialization to the SWID tag XML format to support devices that may require a smaller tag footprint.

https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/

- NIST has produced a Java-based command-line SWID tag validator based on NISTIR 8060 and ISO/IEC 19770-2:2015. This tool can also be invoked by API. I plan to open source the tool and the Decima library which provides the validation functionality.

https://scap.nist.gov/specifications/swid/ (under "SWID Tag Validation Tool")

Regards,
Dave

Re: Some SWID Tag Resources

Landfield, Kent
Thanks Dave.  I incorporated it into the Vulnerability related standards and efforts doc.

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!
 
--
Kent Landfield
+1.817.637.8026
[hidden email]
 

On 12/14/17, 9:21 AM, "[hidden email] on behalf of Waltermire, David A. (Fed)" <[hidden email] on behalf of [hidden email]> wrote:

    Here are some software identification (SWID) tag resources:
   
    - Some general resources: https://scap.nist.gov/specifications/swid/
   
    - NISTIR 8060 provides an overview of the capabilities and usage of SWID tags. It also provides requirements for SWID tags that enable various cybersecurity use cases.
   
    http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf
   
    - There is the CoSWID draft nearing completion in the IETF which defines an alternate serialization to the SWID tag XML format to support devices that may require a smaller tag footprint.
   
    https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/
   
    - NIST has produced a Java-based command-line SWID tag validator based on NISTIR 8060 and ISO/IEC 19770-2:2015. This tool can also be invoked by API. I plan to open source the tool and the Decima library which provides the validation functionality.
   
    https://scap.nist.gov/specifications/swid/ (under "SWID Tag Validation Tool")
   
    Regards,
    Dave