Tool Providers Figure Out How to Make SAM Easier!
SAM tool vendors are starting to realize the scope of the software identification problem and to recognize it as one of the first items that needs to be standardized in order to automate SAM processes and improve accuracy. Symantec and CA have both signed up as founding members of TagVault.org to help promote a fix to a systemic software industry problem.
Daniel Galecki, a Product Manager for the DDMI product from Hewlett Packard recently made a blog posting that presents some of the issues and complications of software identification and software license compliance.
In the blog posting, when discussing gaps in DDMI's software inventory, Daniel says, "But, as it turns out (hindsight being 20/20) the issue is much bigger than I thought."
Daniel discusses both software identification and license compliance and summarizes the various ISO/IEC 19770 standards, those published and those under development. Daniel provides a very clear and straightforward description of ISO/IEC 19770-2:2009 software identification (SWID) tags when he describes them as follows, "That means, you will be able to read the tag information rather than relying on software recognition or other complex and potentially inaccurate and incomplete methods of identifying software."
Daniel ends his posting with the same call to action TagVault.org promotes - namely, ask software vendors for conforming tags in every RFI and RFP - his posting says, "So, here is my call to action to all of you – start asking for ISO 19770-2 compliance on every RFI and RFP from today on! It doesn't matter what the software is – if you buy it, you have to track it, so ISO 19770-2 compliance should be mandatory for all vendors." As many know, the Air Force has already published a public RFP making just such a requirement.
How is your organization dealing with software identification procedures today? Does your software discovery and inventory provide 100% accurate details for all software on all platforms from all publishers? How far off are the reports your organization receives today, and what would those inaccuracies cost if your organization were audited?
TagVault.org has provided wording that can be used in RFI and RFP documents for software purchases to ensure the software includes SWID tags. Inclusion of these tags will significantly reduce the risks of inaccurate reporting. Your organization should also be asking SAM tool providers if their products collect and utilize SWID tags and if they can validate the digital signatures in certified or signed tags. Efforts made to ensure software publishers include SWID tags in their software products and that SAM tools use those tags today will result in even more value when the ISO/IEC 19770-3 entitlements standard is completed.
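As an illustration of what "collect and utilize SWID tags" means in practice, here is an added example (not code from the original post, from TagVault.org, or from any SAM product) that reads a 19770-2:2009-style tag with Python's standard library, pulls out the identity fields a SAM tool would key on (product title, version, publisher regids, unique_id), and lists sanity problems such as a malformed regid or a missing signature. The schema namespace and element names are given as I recall them from the 2009 standard and should be checked against the published XSD; the two sample tags and every value in them (Example Corp, regid.2009-06.com.example, the version numbers, the placeholder SignatureValue) are constructed for this example and do not describe a real product.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces. The SWID one is the 19770-2:2009 schema namespace as I recall it
# (an assumption; check against the published XSD). XML-DSig is the W3C one.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2008/schema.xsd"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"swid": SWID_NS, "ds": DSIG_NS}

# regid convention of 19770-2:2009: "regid." + YYYY-MM + "." + reversed domain name
REGID_RE = re.compile(r"^regid\.\d{4}-\d{2}\.[A-Za-z0-9][A-Za-z0-9.-]*$")


def _text(root, path):
    """Return the stripped text of the first element at path, or None if absent."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_swid_tag(xml_text):
    """Extract identity fields from a 2009-style SWID tag and list sanity problems.

    'signed' only records that a ds:Signature element is present. Actual
    verification (canonicalization, key and certificate checks) needs an
    XML-DSig implementation such as the signxml package; tags collected from
    untrusted sources should be parsed with defusedxml rather than ElementTree.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}software_identification_tag" % SWID_NS:
        problems.append("root element is not software_identification_tag")

    info = {
        "product_title": _text(root, "swid:product_title"),
        "version": _text(root, "swid:product_version/swid:name"),
        "creator_regid": _text(root, "swid:software_creator/swid:regid"),
        "licensor_regid": _text(root, "swid:software_licensor/swid:regid"),
        "unique_id": _text(root, "swid:software_id/swid:unique_id"),
        "tag_creator_regid": _text(root, "swid:software_id/swid:tag_creator_regid"),
        "entitlement_required": _text(root, "swid:entitlement_required_indicator") == "true",
        "signed": root.find("ds:Signature", NS) is not None,
    }

    # Every mandatory element of the 2009 schema must be present.
    for key in ("product_title", "version", "creator_regid", "licensor_regid",
                "unique_id", "tag_creator_regid"):
        if not info[key]:
            problems.append("missing mandatory element: " + key)

    # regids are the stable publisher identity; reject values not in regid form.
    for key in ("creator_regid", "licensor_regid", "tag_creator_regid"):
        val = info[key]
        if val and not REGID_RE.match(val):
            problems.append("%s is not in regid form: %s" % (key, val))

    # The tag creator named inside software_id should agree with the tag_creator block.
    tc_regid = _text(root, "swid:tag_creator/swid:regid")
    if tc_regid and info["tag_creator_regid"] and tc_regid != info["tag_creator_regid"]:
        problems.append("software_id/tag_creator_regid disagrees with tag_creator/regid")

    if not info["signed"]:
        problems.append("tag is unsigned; it cannot be treated as a certified tag")

    info["problems"] = problems
    return info


# Constructed sample: a well-formed, signed tag (placeholder signature, not a real one).
SAMPLE_TAG = """<?xml version="1.0" encoding="UTF-8"?>
<swid:software_identification_tag
    xmlns:swid="http://standards.iso.org/iso/19770/-2/2008/schema.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <swid:entitlement_required_indicator>true</swid:entitlement_required_indicator>
  <swid:product_title>Example Widget Server</swid:product_title>
  <swid:product_version>
    <swid:name>4.2.1</swid:name>
    <swid:numeric><swid:major>4</swid:major><swid:minor>2</swid:minor>
      <swid:build>1</swid:build><swid:review>0</swid:review></swid:numeric>
  </swid:product_version>
  <swid:software_creator><swid:name>Example Corp</swid:name>
    <swid:regid>regid.2009-06.com.example</swid:regid></swid:software_creator>
  <swid:software_licensor><swid:name>Example Corp</swid:name>
    <swid:regid>regid.2009-06.com.example</swid:regid></swid:software_licensor>
  <swid:software_id><swid:unique_id>example-widget-server-4.2.1</swid:unique_id>
    <swid:tag_creator_regid>regid.2009-06.com.example</swid:tag_creator_regid></swid:software_id>
  <swid:tag_creator><swid:name>Example Corp</swid:name>
    <swid:regid>regid.2009-06.com.example</swid:regid></swid:tag_creator>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
</swid:software_identification_tag>
"""

# Constructed sample: unsigned, with a licensor identified by a bare name instead of a regid.
BAD_TAG = SAMPLE_TAG.replace(
    "<swid:regid>regid.2009-06.com.example</swid:regid></swid:software_licensor>",
    "<swid:regid>ExampleCorp</swid:regid></swid:software_licensor>",
).split("<ds:Signature>")[0] + "</swid:software_identification_tag>\n"

if __name__ == "__main__":
    for label, tag in (("signed", SAMPLE_TAG), ("unsigned", BAD_TAG)):
        info = parse_swid_tag(tag)
        print(label, info["product_title"], info["version"], info["unique_id"], info["problems"])
```

The point of the check list is the one line 8 makes: a tag that parses is not yet a tag you can rely on. An inventory tool should record whether each tag is signed and whether its publisher regids are well-formed and consistent, and treat unsigned or inconsistent tags as no better than recognition-based guesses until a real XML-DSig verification has been done.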
Additionally, by requiring certified tags in the software your organization purchases, you ensure that your organization will not have issues with vendors "not fully or correctly implement[ing] these standards," as Daniel mentions in the blog posting.