Dependency on WebP is a web of complexity

The swift response by maintainers of libwebp is to be applauded but the software development community has much more to do before sounding the ‘all clear’.

Adam Caudill of 1Password asks “Whose CVE Is It Anyway?”.

Adam’s illustration is worth a thousand words.

…and unfortunately, this is just the tip of the iceberg. Libwebp is also delivered with popular operating system distros and frequently layered into container images. The effort to assess internet-exposed WebP has barely started.

Software composition analysis tools are a great help to development organizations seeking to identify dependency on libraries like libwebp. Similarly, binary analysis tools can help any organization identify such dependencies in applications they host.

We should expect identification of libwebp dependency in services operated by others to take much longer. Coverage will be limited even if vulnerability scanning tools emerge for testing WebP exploitability. Service operators need a way to convey an 'all clear'.

You probably guessed this article is making a case for CISA's Vulnerability Exploitability eXchange (VEX). VEX can help enable situational awareness where transparency is lacking. VEX details are challenging and 'the devil is in the details'. Nonetheless, service providers offering standardized VEX query automation feels like an appropriate direction that can scale into the future.
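As an added illustration, not part of the article, this is what a machine-readable 'all clear' from a service operator could look like and how a consumer would query it. The document is constructed and modeled on the OpenVEX statement shape (an assumption about the format); the CVE id, package URLs and versions are placeholders, not values from this page.

```python
import json

# Constructed sample VEX document. Field names follow the OpenVEX statement
# shape (an assumption about the format); the CVE id, package URLs and
# versions are placeholders, not values from the article.
SAMPLE_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Example service operator (constructed)",
  "timestamp": "2023-09-15T00:00:00Z",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-00000"},
     "products": [{"@id": "pkg:generic/image-api@1.0.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "libwebp is linked but WebP decoding is disabled."},
    {"vulnerability": {"name": "CVE-0000-00000"},
     "products": [{"@id": "pkg:generic/thumbnailer@2.3.0"}],
     "status": "fixed"},
    {"vulnerability": {"name": "CVE-0000-00000"},
     "products": [{"@id": "pkg:generic/uploader@0.9.0"}],
     "status": "not_affected"}
  ]
}
""")

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}


def exposure(vex: dict, product: str, cve: str) -> str:
    """Return the VEX status for (product, cve), or 'unknown'.
    'unknown' covers both "no statement" and a not_affected claim with no
    justification or impact_statement; neither may be read as all clear."""
    for stmt in vex.get("statements", []):
        if stmt.get("vulnerability", {}).get("name") != cve:
            continue
        if not any(p.get("@id") == product for p in stmt.get("products", [])):
            continue
        status = stmt.get("status")
        if status not in VALID_STATUS:
            return "unknown"
        if status == "not_affected" and not (
                stmt.get("justification") or stmt.get("impact_statement")):
            return "unknown"  # unjustified claim: treat as not assessed
        return status
    return "unknown"


def all_clear(vex: dict, product: str, cve: str) -> bool:
    """True only for an explicit fixed or justified not_affected statement."""
    return exposure(vex, product, cve) in {"fixed", "not_affected"}
```

The absence of a statement is deliberately reported as 'unknown', so a consumer cannot mistake silence from an operator for a clean bill of health.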

A more dystopian future is marked by compliance regimes with excessive vulnerability reporting requirements. Ask whether mandatory reporting for WebP would have helped or hindered the initial response. CISA’s binding operational directive is a reasonable approach that helps organizations focus on remediation first and reporting later.

In summary, there is collectively much to do to improve vulnerability response capability. Mainstream cloud service provider capabilities are arguably raising the bar for everyone. Software composition analysis tools are a great help for many organizations even if blind spots still exist. VEX automation could be a path to improve response capability for complex supply chain dependency issues.

Bryan Owen

Head of Product Security at AVEVA

1 year

For more on complexity with respect to services operated by others, check out Google's well reasoned discussion points on "SaaSBOM". In short SaaSBOM is potentially unbounded. https://downloads.regulations.gov/CISA-2023-0001-0097/attachment_1.pdf
