A Method and System for Software Tagging to Bind Software Provenance for Risk and Lifecycle Management

IP.com Disclosure Number: IPCOM000240183D
Publication Date: 2015-Jan-09
Document File: 3 page(s) / 44K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method and system for utilizing tagging to bind software provenance to deployed software, where information may be gathered on software download or may have been predefined for software deployed from a known, trusted deployment site. The method and system builds a full list of software by provenance so that software source can be taken into account as part of the risk assessment of a workstation and the risk remediation plans for the software.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 41% of the total text.

Currently, to support Software Oriented (SO) clients, one or more privileged administrators need to add one or more specific software tools to client workstations for executing one or more administrative tasks. The one or more tools are open source, third party or other applications which are not part of a standard workstation image. There is no mechanism to distinguish between instances of a tool downloaded from a trusted site and instances of the tool downloaded from an external, non-trusted mirror website. The current approaches for managing tools and their updates are also manual and error prone.

Disclosed is a method and system for providing a tagging/marking scheme for one or more software that is available through one or more trusted sources to prevent malware entry on one or more client workstations. The method and system builds one or more comprehensive lists of one or more software deployed on one or more workstations in an environment. Subsequently, based on the one or more comprehensive lists, the method and system identifies one or more risks and suggests one or more mitigation actions.

Consider a scenario wherein, in an SO environment, one or more software have a tag associated with a known provenance. Based on the tag associated with the one or more software, the software deployment is approved. In an embodiment, the method and system disclosed herein also identifies one or more software that do not have an associated tag. Based on the identification, appropriate actions are taken to avoid any risk of malware entry.

In an exemplary implementation of the method and system disclosed herein, the software deployment process is annotated to include a tag that indicates the "source" of the code/deployment method. In an embodiment, the source information includes information such as, but not limited to, the Uniform Resource Identifier (URI) from which the code was downloaded/installed, the date of download, the date of deployment, and version information for the software.

In an embodiment, the method and system can be embedded into one or more software lifecycle management tools, and integrated with one or more standard tools, such as web browsers, used to download one or more files.

In an exemplary implementation of the method and system disclosed herein, the source tag is included with the software and installed on the target machine when code is downloaded. In an embodiment, source tag information is provided as part of a software repository that is downloaded for install and is included in a special tag file that is installed with the software. In another embodiment, source tag information is created as part of the download process through one or more agents/processes on a target machine. For example, for creating a tag during a download process of a file from a browser, the browser is used to trigger the download and...
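As an added illustration that is not part of the disclosure, the following Python sketches the source tag file described above and the provenance inventory built from it: each installed tool carries a tag (URI, download date, deployment date, version), tools are grouped by the host they came from, and untagged or non-trusted instances receive a suggested mitigation. The JSON tag format, its field names, the trusted-host list and the sample tools are assumptions.

```python
"""Added example (not the disclosure's code): provenance-tag inventory and risk check.
The JSON tag format, field names and trusted-host list are assumptions for illustration."""
import json
from urllib.parse import urlparse

# Constructed sample: installed tools and the raw content of each tag file
# (None models a tool installed without any tag file).
INSTALLED = {
    "nettool": '{"uri": "https://repo.example.internal/nettool-2.1.tgz", '
               '"download_date": "2014-11-03", "deploy_date": "2014-11-04", "version": "2.1"}',
    "diskutil": '{"uri": "http://mirror.example.net/diskutil-0.9.zip", '
                '"download_date": "2014-12-20", "deploy_date": "2014-12-20", "version": "0.9"}',
    "loghelper": None,
}
TRUSTED_HOSTS = {"repo.example.internal"}  # assumed known, trusted deployment sites
REQUIRED = ("uri", "download_date", "deploy_date", "version")


def parse_tag(raw):
    """Return the tag dict, or None when the tag is missing, malformed or incomplete."""
    if raw is None:
        return None
    try:
        tag = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return tag if isinstance(tag, dict) and all(k in tag for k in REQUIRED) else None

def classify(name, raw):
    """Map one installed tool to (name, provenance, suggested action)."""
    tag = parse_tag(raw)
    if tag is None:
        return (name, "untagged", "block deployment until source is verified")
    host = urlparse(tag["uri"]).hostname or "unknown"
    if host in TRUSTED_HOSTS:
        return (name, host, "approved")
    return (name, host, "reinstall from a trusted deployment site")

def build_inventory(installed):
    """Group tools by provenance so software source feeds the workstation risk assessment."""
    report = {}
    for name, raw in installed.items():
        _, source, action = classify(name, raw)
        report.setdefault(source, []).append((name, action))
    return report

if __name__ == "__main__":
    for source, items in build_inventory(INSTALLED).items():
        print(f"{source}: {items}")
```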