How to travel the C SAFely with .json when there are no Argonauts
The number of security-relevant vulnerabilities and upstream dependencies in IT products is constantly increasing, to the point that traditional vulnerability handling practices are no longer an option. In addition, current and upcoming European regulation demands transparency and adequate vulnerability management and disclosure processes to facilitate resilience and security throughout the supply chain. Consequently, automation is required.
Let us compare these demands with the journey of the Argonauts in Greek mythology, sailing off to fetch the Golden Fleece. One of the main characters in this talk is Jason, and .json. The first stop is not Lemnos but a security-relevant finding and its reporting. Security researchers would love to find a standard-compliant security.txt and disclosure policies. As the Lemnian women named their children after the Argonauts, any appreciation, e.g. a hall of fame, would be desired. The second stop, at the Island of Cyzicus, is characterised by insufficient communication and misunderstandings, which is comparable to many disclosure processes. The lost comrades on the Argonauts' journey can be seen as findings that are not acknowledged by product owners as security-relevant vulnerabilities. The Land of the Bebrycians, the Harpies and the Island of Dia stand for exhausting discussions with vendors. Medea, who took possession of the fleece, and Hera helped the Argonauts; the latter by guiding them through the clashing rocks and saving Jason's life, just as a coordination body does. Mitigation measures are comparable to the experiences of the Argonauts when dealing with Absyrtus, the Sirens, the Phaeacians and Talos. The homecoming with the Golden Fleece symbolises not only a happy ending but also the publication of a security advisory.