Usage Guide - Software

Categorization

Normalized data in CyberSecurity Asset Management (CSAM) has software applications categorized based on an internally developed classification/categorization system. The categorization, which gives the user an idea of the primary function of the product, has been derived from standard industry terms as well as other well-known industry classification systems.

It follows a two-level classification system, namely Level 1 Category and Level 2 Category.

Level 1 Category: Major or broad category to which the software application belongs.

Level 2 Category: Subcategory, i.e. specific to the product's core function.

Examples:

a) McAfee Endpoint Security Platform → Security / Endpoint Protection → Level 1: Security, Level 2: Endpoint Protection

b) Oracle MySQL → Databases / RDBMS → Level 1: Databases, Level 2: RDBMS

A few other examples of categories:

Application Development / Framework

Security / Endpoint Management and Security

Application Development / Development Tool

Network Application / Internet Browser

Storage / Backup and Recovery etc.

There are currently 29 Level 1 categories and 149 Level 2 categories for classifying software applications. Qualys is continuously updating its taxonomy to classify a more diverse range of software products, so these numbers are subject to change.

Publisher

Developer/publisher or current owner of the software product. Example: Apple, Microsoft

Product

Name of the software product.

Product Family

Name of the broader umbrella of products under which that software product is offered.

Example

"Microsoft Office 365" and "Microsoft Office Project" belong to the Office family of products.

Edition

Determines whether the software product belongs to a particular edition defined by the publisher.

Example:

Adobe "Acrobat DC" is distributed under the two editions below:

Professional

Standard

Market Version

Name, number or any other value assigned to the major release of the product.

Examples:

a) "Oracle 10g Client 10.2.1" - Market Version: 10g

b) "Adobe Acrobat 9 Pro 9.5.2" - Market Version: 9

c) "Visual Studio Community 2017 15.9.7" - Market Version: 2017

Version

Major and minor version of the product.

Examples:

a) "Oracle 10g Client 10.2.1" - Version: 10.2

b) "Adobe Acrobat 9 Pro 9.5.2" - Version: 9.5

c) "Visual Studio Community 2017 15.9.7" - Version: 15.9

Update

Service pack number, update, maintenance release etc. of the product.

Examples:

a) "Oracle 10g Client 10.2.1" - Update: 10.2.1

b) "Adobe Acrobat 9 Pro 9.5.2" - Update: 9.5.2

c) "Visual Studio Community 2017 15.9.7" - Update: 15.9.7

Architecture

Determines whether the software follows 32-Bit or 64-Bit architecture.

Component

Determines whether the software product is a Client or a Server. This field is populated only when the installed software follows a client-server architecture.

Language

Sometimes a product is offered in a specific language based on the region or end-user preference. This field determines the language that the particular installed software uses, e.g. English (United States), English (United Kingdom), French, German, Chinese (Traditional) etc.

Release

Combination of the publisher, product family, product, component, market version, version, update, edition and architecture of the installed software.

Example

"Microsoft Office Project Client 2013 15 SP1 Professional 64-Bit"

In the above case → Publisher: Microsoft, Family: Office, Product: Project, Component: Client, Market Version: 2013, Version: 15, Update: SP1, Edition: Professional, Architecture: 64-Bit
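The following is an added example (not CSAM code, and the field names are this example's own, not the product's schema identifiers) showing how the Version and Update fields are derived from a numeric version string, and how the Release string is assembled from the fields in the order the guide lists, using the guide's own sample products as constructed input:

```python
from dataclasses import dataclass


def split_version(full_version: str) -> tuple[str, str]:
    """Derive (Version, Update) from a numeric version such as "10.2.1".

    Version is major.minor ("10.2"); Update is the complete value ("10.2.1").
    A bare major version ("9") yields Version "9" and Update "9".
    """
    parts = full_version.strip().split(".")
    version = ".".join(parts[:2])
    return version, full_version.strip()


@dataclass
class NormalizedSoftware:
    """One normalized record; fields follow the guide's definitions."""
    publisher: str
    family: str
    product: str
    component: str        # "Client" / "Server", or "" when not client-server
    market_version: str   # major release, e.g. "2013" or "10g"
    version: str          # major.minor, e.g. "15"
    update: str           # service pack / maintenance release, e.g. "SP1"
    edition: str = ""
    architecture: str = ""

    def release(self) -> str:
        """Assemble the Release string: publisher, family, product, component,
        market version, version, update, edition, architecture (empties skipped)."""
        fields = [self.publisher, self.family, self.product, self.component,
                  self.market_version, self.version, self.update,
                  self.edition, self.architecture]
        return " ".join(f for f in fields if f)


# Constructed sample: the guide's Office Project example.
PROJECT_2013 = NormalizedSoftware(
    publisher="Microsoft", family="Office", product="Project", component="Client",
    market_version="2013", version="15", update="SP1",
    edition="Professional", architecture="64-Bit",
)

if __name__ == "__main__":
    print(split_version("10.2.1"))   # Oracle 10g Client -> ('10.2', '10.2.1')
    print(PROJECT_2013.release())
```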

Lifecycle

Lifecycle information provides key milestones and dates related to the support of a software application. CSAM currently has lifecycle information for nearly 1700 publishers and over 65,000 software releases.

Exact and Estimated Lifecycle:

Key publishers such as Microsoft, Adobe, IBM, Cisco, Oracle and VMware, among others, have well-documented support policies and support dates published for the majority of their products. The CSAM team continuously tracks and curates data from these sources to provide lifecycle information in a standardized and structured format.

However, support information may not be available publicly, and it is then difficult to determine the exact date on which a software application version will become obsolete/unsupported. For such cases, CSAM provides its users with estimated support stages and dates. These estimates are derived from standard support time frames followed across the industry, and users will see the label 'estimated' against the lifecycle information. Some software manufacturers, such as SAS, SAP, HP and Apple, do not publish support dates for their products at all.

Lifecycle Data Points:

- Generally Available or GA: Indicates that the software application release is actively supported by its publisher. The date mentioned corresponds to the day on which the software application version was made generally available.

- End-of-Life or EOL: Indicates that the publisher has ceased to provide the first level of support for the software application release. The date corresponds to the day on which the software application version has reached or will reach the EOL stage.

- End-of-Service or EOS: Indicates that the software application release has reached or will reach the final level of support. After End-of-Service, the product is not supported anymore. The date corresponds to the day on which the software application version has reached or will reach End-of-Service or EOS.

- OS Dependent: Indicates that the lifecycle of a software application release follows that of its compatible operating system.

- Beta: Indicates that the software application release is still in beta phase and a stable version has not been released. Such versions will not have a GA date.

- Not Applicable: Indicates that the specific software application release is not available.

- Unknown: Indicates that lifecycle information for the application release is neither published by the software publisher nor can it be estimated.

- Support Stages: Indicates the nature of support that is being offered by the publisher for a software release. For instance, for Microsoft applications, it will indicate whether the release is under Mainstream Support or Extended Support. Similarly, for Oracle it will indicate if the release is under Premier Support or Extended Support.

- Support Stage Attributes: Indicates that the captured EOL and EOS support stages correspond to the vendor-defined support stages. Each vendor has its own terminology for these support stages, and those vendor-defined terms are reflected under support stage attributes.

Examples:

a) MongoDB, Inc. defines EOL support stage for their products as "End of Life" whereas Python defines the EOL support stage for their products as "End-of-life"

b) Dell EMC, under their lifecycle policy, defines EOL support stage as "Long Term Support (LTS)" whereas Jenkins defines the EOL support stage as "LTS"
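As an added example (not CSAM code), the lifecycle data points above can be turned into a simple check that classifies each inventoried release as GA, EOL, EOS, Beta, OS Dependent or Unknown on a given date, carrying the 'estimated' label through, so that unsupported software can be flagged. The product names and dates are constructed for illustration, not real lifecycle data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Lifecycle:
    """Lifecycle data points for one software release (field names are this example's)."""
    ga: Optional[date] = None        # Generally Available date
    eol: Optional[date] = None       # End-of-Life date (first support level ends)
    eos: Optional[date] = None       # End-of-Service date (no support after this)
    estimated: bool = False          # dates derived from industry norms, not vendor-published
    beta: bool = False               # still in beta, no GA date
    os_dependent: bool = False       # lifecycle follows the compatible OS


def support_state(lc: Lifecycle, today: date) -> str:
    """Return the support stage the release is in on `today`.

    EOS takes precedence over EOL because it is the later, final stage.
    Releases with no dates at all are reported as Unknown.
    """
    if lc.beta:
        return "Beta"
    if lc.os_dependent:
        return "OS Dependent"
    if lc.ga is None and lc.eol is None and lc.eos is None:
        return "Unknown"
    if lc.eos is not None and today >= lc.eos:
        state = "End-of-Service"
    elif lc.eol is not None and today >= lc.eol:
        state = "End-of-Life"
    else:
        state = "Generally Available"
    return f"{state} (estimated)" if lc.estimated else state


def unsupported_releases(inventory: dict[str, Lifecycle], today: date) -> list[str]:
    """Names of releases past End-of-Service, i.e. receiving no support at all."""
    return sorted(name for name, lc in inventory.items()
                  if support_state(lc, today).startswith("End-of-Service"))


# Constructed sample inventory (fictional products and dates).
SAMPLE_INVENTORY = {
    "ExampleDB 4.2": Lifecycle(ga=date(2018, 3, 1), eol=date(2021, 3, 1), eos=date(2023, 3, 1)),
    "ExampleDB 6.0": Lifecycle(ga=date(2022, 6, 1), eol=date(2025, 6, 1), eos=date(2027, 6, 1)),
    "WidgetTool 2.x": Lifecycle(ga=date(2019, 1, 1), eol=date(2022, 1, 1), estimated=True),
    "NightlyApp 0.9": Lifecycle(beta=True),
    "LegacyUtil 1.0": Lifecycle(),
}
```

Running `unsupported_releases(SAMPLE_INVENTORY, date(2024, 1, 1))` returns only the release whose EOS date has passed; the estimated-only entry is reported as End-of-Life (estimated) and is a candidate for manual confirmation with the vendor.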

License Category

Indicates the type of license under which the software product is available, followed by the particular license model the product follows. There are two major types of license: Commercial and Open Source.

1) Commercial: The product is available under a proprietary license, i.e. the publisher retains intellectual property rights such as copyright of the source code.

Models Covered:

- Commercial / Free: The product is available under a proprietary license and all features of the product are available free of charge.

- Commercial / Licensed: The product is available under a proprietary license and the user pays only a one-time charge for purchasing the license.

- Commercial / Freemium: The product is available under a proprietary license and only certain features of the product are available free of charge.

- Commercial / Subscription: The product is available under a proprietary license and the user pays charges on a monthly, yearly or other predetermined frequency to renew the product's license.

- Commercial / Licensed or Subscription: The product is available under a proprietary license and the user has the option to obtain the license by paying a one-time charge (perpetual) or on a subscription basis.

- Commercial / Trial: The product is available under a proprietary license and the user has a license only for a limited trial period. After the trial period, the user has to pay for a perpetual license or a subscription to continue using the product.

Examples:

a) "Microsoft Edge" Licensing: Commercial / Free

b) "Adobe Photoshop" Licensing: Commercial / Licensed

2) Open Source: Open source software is distributed with source code that may be freely accessed, used, modified and shared by its users. However, the terms and conditions for sharing and modifying the source code vary by the type of open source license used. The second value denotes the open source license model that the software follows.

Examples:

a) "MongoDB" Licensing: Open Source / GNU Affero General Public License v3 (AGPL-3.0)

b) "PHP" Licensing: Open Source / PHP License (PHP-3.0)

CSAM currently covers around 75 unique Open Source license models captured to date.

TYPE: UNKNOWN

Indicates that the software application data has not been normalized. For such data, the category, lifecycle and license information has not been populated.

TYPE: OTHER

The software listed under 'Other' consists of supporting packages associated with other software products. They can be library packages, helper packages, installers/uninstallers, setup packages or parts of an operating system. There are currently 31 categories to classify such software packages. Publisher, lifecycle and license information is not provided for such packages.