TagVault.org publishes Software Identification (SWID) Tag Signing Guidelines for Software Security and Compliance with the U.S. Department of Defense Mandate

PISCATAWAY, N.J., Sept. 12, 2017 -- TagVault.org, the neutral not-for-profit clearing house for software tagging, primarily focused on software identification tags and related standards in the ISO/IEC 19770 family, announces today the public availability of its SWID Tag Signing Guidelines.  This document defines the best practice for signing SWID tags in accordance with common industry standards.  When digitally signing SWID tags, software publishers/providers will, at minimum, follow the W3C XMLDSig recommendation, include an enveloped signature - the public signature of the signing entity, and add a timestamp per the W3C XAdES-T format.

The SWID tag signing guidelines were drafted with the needs of implementers in mind, but all members of the software ecosystem (publishers, tool vendors, service providers and end users) will find them useful.  When tags are signed and thus verifiable as being from an authoritative entity, they aid organizations in managing software assets, assessing and remediating security issues, supporting forensics and improving licensing accountability.  Signed SWID tags provide high value via trusted data.

Software end users benefit from SWID tags; the efficiencies that SWID tags bring to IT operations drive down costs and improve security. NIST has also been working to enhance the SWID tag standards and to promote their use as building blocks in security management. The U.S. Department of Defense has mandated the inclusion of SWID tags, and organizations like MITRE and the IEEE Clean File Metadata eXchange (CMX) team recognize the benefits of SWID Tags.  CMX identifies "clean" files from verified software sources and SWID tags provide an excellent platform for automating CMX data submission.

TagVault.Org Board Director, Mark Kennedy, Symantec notes, “By working together with the CMX team, publishers providing this information in their SWID tags provide a high value to security companies. This data allows security companies to differentiate commercially published and known files from potential malware threats and allows the automation of data population in the CMX repository in a secure and efficient manner.”

Find the TagVault.org Software identification Tag Signing Guidelines at: https://tagvault.org/swid-tags/guidelines/

About TagVault.Org
TagVault.org is a Federation Member Program of the IEEE Industry Standards and Technology Organization (ISTO) and publishes its Bylaws for public access. The TagVault.Org Board of Directors includes Microsoft, IBM, Symantec and the Department of Homeland Security. Organizations interested in joining TagVault.org can download the membership packet from www.tagvault.org.

Media Contact
Steve Klos
Executive Director, TagVault.org
+1 732 562-6031 
[email protected]