Software Identification

Understanding the Methodologies (And Why it Matters)

Kris BarkerCo-founder & CEO Express Metrix / Apptria Technologies

Agenda

Software Identification – Why Do We Care? The Role of SAM Tools Identification Challenges Identification Methodologies Software Tagging Standard Technology Selection Criteria Summary and Q&A

About Express Metrix

Recognized leader in IT asset management solutions

Express Software Manager (flagship product) known for superior software identification

Software catalog under development over 15 years

Launched Apptria Technologies in June, 2011 to help ISVs improve identification within their products

Software Identification:Why Do We Care?

License compliance Cost control (license “right-sizing”) Corporate software standards Migration planning Version control Security (malware) Nuisance applications Network impact

The Role of SAM Tools

SAM is a process

Tools are a part of the process

Software identification is part of the tool

▫ Accuracy should be key evaluation criteria

▫ Identification is not foolproof ∴ tools must be flexible!

SAM Tool 3-Step Process

1. Data Collection(discover what’s out there)

2. Identification(recognize & normalize)

3. Reconciliation (compare to entitlements)

Where Identification Takes Place

At the point of data collection

▫ Locally (resident agent)

▫ Remotely (remote access)

On the back end

▫ From collected raw data

▫ Based on other identification criteria

Identification Challenges – Inconsistency Rules!

Evals, betas, RCs Non-standard installation techniques (unzip / copy vs.

install, non-MSI installs) Inconsistently specified data (names, versioning, etc.) Homegrown applications Installation based on components vs. licensable entities Suites and application editions Application plugins / non-executable applications Scarcity of ISO software id tagging Etc.

Identification Methodologies

Registry (Add / Remove) analysis

Installer (MSI) database

File header analysis

Software identification database

Software id tagging

Registry (Add / Remove) Analysis

Identification based on values in the registry and/or items shown in Add / Remove ProgramsPros

▫ Easy to collect (including remotely)▫ Fast

Cons▫ Limited based on installation mechanism (incomplete)▫ Does not match 1-to-1 with entitlement requirements▫ May not sufficiently indicate/include version and/or SP level▫ May not include installation location information▫ May be inconsistent across releases

Installer (MSI) Database

Information obtained by querying the installed application databasePros

▫ Easy to collect basic data▫ Can also collect component relationships, etc.

Cons▫ Limited based on installation method (MSI)▫ May not match 1-to-1 with entitlement requirements▫ May not sufficiently indicate/include version and/or SP level▫ May be inconsistent across releases

File Header Analysis

Information contained within header of application executable filesPros

▫ Simple process (disk scan)▫ Finds everything executable

Cons▫ Requires full disk scan▫ Requires that each file be opened/read▫ Can’t tell file/application/entitlement relationship▫ Can’t completely determine suites▫ Data often inconsistent/incomplete▫ Shared component data may not be useful

Software Identification Database(Software Catalog)

Collected file and other signatures compared against a database of normalized applicationsPros

▫ Can include file/application/entitlement relationship▫ Normalized, consistent application data (apples to apples)▫ Can handle suites, editions, other “more than .exe” apps▫ Can include other related information (categories, use rights)

Cons▫ Never 100% complete▫ Must be regularly updated

Express Software Identification Database (ESID)*

Identification method utilized by Express Software Manager (client collects raw inventory/usage data)

Built on file information derived from combination of: Registry analysis Installer database File header analysis Start menu Software id tags Etc.

Designed to allow software to be organized and viewed based on licensing/entitlement

Ensures normalization / consistency Updated monthly* OEMed to technology providers as the Apptria Software Catalog

Express Software Identification Database

Software ID Tagging

Identification based on client-resident “tags” indicating the presence of applicationsPros

▫ Normalized identification present on client▫ Doesn’t depend on installation mechanism▫ Can be present without any local component/executable▫ ISO standard▫ Relationship to entitlement standard for reconciliation

Cons▫ Not (yet) widely adopted▫ Questionable relevancy for older apps▫ Mixed environments create tool challenges

Software Tagging Standard

ISO 19770-2 standard in place since November, 2009 TagVault.org created as registration authority and information hub

(info, tools, source code, etc.) End-user interest

▫ Large companies starting to request from vendors▫ Push from governmental agencies

Publisher / tool support▫ Adobe & Symantec leading the way▫ Most tool vendors have stated or planned support▫ Microsoft recently announced it will support

Entitlement (19770-3) standard work in progress

Technology Selection Criteria

Collects everything (or close to it!)

Normalizes identified titles/vendors

Identifies with entitlements in mind

Provides means of handling unidentified commercial apps and homegrown apps

Analyzes and presents data in a way that addresses business issues

Summary

Normalized, thorough identification is critical for effective SAM

Tools utilize different (and sometimes multiple) methods, each with pros and cons

Software tagging provides the promise of standardized identification, but timeframe is uncertain

Tools will always require some manual intervention – no identification method is perfect

Learn More AboutExpress Software Manager

30 day EvaluationExpressMetrix.com/trial

Live Product Demonstration ExpressMetrix.com/products/webinars

Self-Guided Flash Demo ExpressMetrix.com/products/demo

Questions?

Kris Barkerkbarker@expressmetrix.com

Learn More AboutExpress Software Manager

30 day EvaluationExpressMetrix.com/trial

Live Product Demonstration ExpressMetrix.com/products/webinars

Self-Guided Flash Demo ExpressMetrix.com/products/demo