Dependency on WebP is a web of complexity
The swift response by maintainers of libwebp is to be applauded but the software development community has much more to do before sounding the ‘all clear’.
Adam Caudill of 1Password asks “Whose CVE Is It Anyway?”
…and unfortunately, this is just the tip of the iceberg. Libwebp is also delivered with popular operating system distros and frequently layered into container images. The effort to assess internet-exposed WebP has barely started.
Software composition analysis tools are a great help to development organizations seeking to identify dependency on libraries like libwebp. Similarly, binary analysis tools can help any organization identify such dependencies in applications they host.
We should expect identification of libwebp dependency in services operated by others to take much longer. Coverage will be limited even if vulnerability scanning tools emerge for testing WebP exploitability. Service operators need a way to convey 'all clear'.
You probably guessed this article is making a case for CISA's Vulnerability Exploitability eXchange (VEX). VEX can help enable situational awareness where transparency is lacking. VEX details are challenging, and the devil is in those details. Nonetheless, service providers offering standardized VEX query automation feels like an appropriate direction that can scale into the future.
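As an added illustration (not from the article), a small Python consumer of VEX statements in a loosely OpenVEX-shaped form; the inventory, statements and CVE id are constructed placeholders. It shows the point above in code: a component with no statement is a coverage gap, not an 'all clear'.

```python
"""Minimal VEX consumer: given the components a service runs and the VEX
statements its operator publishes, decide whether an 'all clear' can be
claimed for one vulnerability.  Added illustration, not from the article;
the statement shape loosely follows OpenVEX (assumption) and all values
below are constructed, including the placeholder CVE id."""

# Constructed inventory of a hypothetical service's image layers (purl -> role).
INVENTORY = {
    "pkg:deb/debian/libwebp7@1.2.4-1": "os package",
    "pkg:golang/github.com/example/app@1.0": "application",
    "pkg:pypi/pillow@9.5.0": "python dependency",
}

# Constructed VEX statements (CVE-YYYY-NNNN is a placeholder, not a real id).
VEX_STATEMENTS = [
    {"vulnerability": "CVE-YYYY-NNNN", "status": "fixed",
     "products": ["pkg:deb/debian/libwebp7@1.2.4-1"]},
    {"vulnerability": "CVE-YYYY-NNNN", "status": "not_affected",
     "justification": "vulnerable_code_not_present",
     "products": ["pkg:golang/github.com/example/app@1.0"]},
]

VALID_STATUS = {"not_affected", "fixed", "affected", "under_investigation"}


def assess(inventory, statements, vuln_id):
    """Map each inventory component to its VEX status for vuln_id.
    Components with no statement are reported as 'no_statement' so that
    coverage gaps stay visible instead of being read as safe."""
    result = {purl: "no_statement" for purl in inventory}
    for stmt in statements:
        if stmt["vulnerability"] != vuln_id:
            continue
        if stmt["status"] not in VALID_STATUS:
            raise ValueError(f"unknown VEX status {stmt['status']!r}")
        # OpenVEX requires a justification when claiming not_affected.
        if stmt["status"] == "not_affected" and not stmt.get("justification"):
            raise ValueError("not_affected requires a justification")
        for purl in stmt["products"]:
            if purl in result:
                result[purl] = stmt["status"]
    return result


def all_clear(assessment):
    """True only when every component is explicitly fixed or not_affected."""
    return all(s in ("fixed", "not_affected") for s in assessment.values())


if __name__ == "__main__":
    a = assess(INVENTORY, VEX_STATEMENTS, "CVE-YYYY-NNNN")
    for purl, status in a.items():
        print(f"{status:20} {purl}")
    print("all clear:", all_clear(a))
```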
A more dystopian future is marked by compliance regimes with excessive vulnerability reporting requirements. Ask whether reporting for WebP would have helped or hindered the initial response. CISA's binding operational directive is a reasonable approach that helps organizations focus on remediation first and reporting later.
In summary, there is collectively much to do to improve vulnerability response capability. Mainstream cloud service provider capabilities are arguably raising the bar for everyone. Software composition analysis tools are a great help for many organizations even if blind spots still exist. VEX automation could be a path to improve response capability for complex supply chain dependency issues.
Head of Product Security at AVEVA
For more on complexity with respect to services operated by others, check out Google's well reasoned discussion points on "SaaSBOM". In short SaaSBOM is potentially unbounded. https://downloads.regulations.gov/CISA-2023-0001-0097/attachment_1.pdf