Software developers have several robust software identification methods to choose from, including Common Platform Enumerations (CPE), Package URLs (PURL), Software Identification Tags (SWID) and Common Vulnerabilities and Exposures (CVE).
However, substantial gaps in software product identification still exist.
The gaps will persist until the software development community, encompassing both open-source and commercial developers (including cyber tool vendors), works together to establish standards for software identification. It is crucial to ensure consistency in the location of installed software identification information on devices. It is also unlikely that any one of the proposed standards will be adopted as a single standard for software identification. There is no easy fix to this, but coming to a consensus about both how software is to be identified on a device and where that identification can be located by other tools would be a good starting point.
Download the whitepaper to learn more.
Want more detail? Over the 2023-2024 academic school year, a group of George Mason University's Cybersecurity Engineering seniors worked on developing machine learning models to correlate software inventory data gathered from several cybersecurity tools with a pre-defined dictionary of known software products.
Learn more by reading their research paper.