Data suggests that 99% of successful cyber attacks involve, and will continue to involve, vulnerabilities that cybersecurity professionals have known of for at least a year. As we move towards rapid digital transformation, we have 2 million+ apps available for download and we write more than 111 billion lines of software code each year. The speed at which new apps, software, and websites are created is generating a massive increase in the number of vulnerabilities available for attackers to exploit. Many of these vulnerabilities cannot be remediated immediately, and it is in this context that virtual patching comes in handy.

What is Virtual Patching?

Virtual patching is the quick development and emergency implementation of short-term security policies. It adds an enforcement layer that keeps attackers from exploiting a known vulnerability. Virtual patching, also known as external patching and just-in-time patching, neither modifies the source code nor fixes the underlying vulnerability. It only provides a layer of security by analyzing web traffic, intercepting attacks in transit, and blocking malicious actors and bad requests before they can exploit the vulnerability. It essentially acts as a shield between the traffic and the application and, if effective, prevents attacks from occurring.

Why is Virtual Patching Important?

Common questions that arise are:

Why not just fix the code, instead of virtual patching? Is it that difficult to fix the code or release a patch?

In fact, it is. Data suggests that it takes anywhere between 50 and 140 days to remediate even critical and high-risk vulnerabilities. Leaving vulnerabilities unprotected for that long hands attackers the opportunity to attack the website or application on a golden platter. There are also other reasons why vulnerabilities cannot be remediated immediately.

  • The source code cannot be fixed by the client or customer; the developers must fix it. This is the case when coding is outsourced, or when the organization is using third-party software or services.
  • The vendor may not have a patch or an update ready when the vulnerability is disclosed and may take longer to release one officially.
  • Not all vulnerabilities can be fixed, owing to budgetary and financial constraints. The number of vulnerabilities is very large and fixing all of them would be a big financial burden. So, organizations tend to prioritize and fix the critical and high-risk vulnerabilities first.
  • The organization could be using legacy code or a product whose vendor is out of business, which means no fixes or patches will arrive. Upgrading or migrating from legacy systems or applications may be a costly and time-consuming process, and organizations cannot afford the disruptions that result from it.

Virtual patching is valuable and critical in such scenarios. It shields the vulnerabilities externally and protects the application or website from attacks, giving organizations and developers time to fix the vulnerability.

Other Benefits of Virtual Patching:

  • Organizations do not have to face downtime and can keep their mission-critical components online while they develop a fix or a permanent patch.
  • It is scalable, as it does not have to be installed on all hosts and can be implemented from a few locations.
  • In the case of low-risk vulnerabilities, it saves the organization time, money, and effort.
  • It helps organizations maintain normal patching cycles.
  • It leaves a record of attacker intent, which can serve as a data point for improving the defense posture in the future (block the user permanently, block the IP).

Why Is It Not Enough Alone, By Itself?

  • Virtual patching is a temporary, quick, external measure, not an actual fix. It does not fix the underlying flaw, misconfiguration, or coding error. It only averts the immediate crisis, giving the developers time to fix the vulnerabilities.
  • Virtual patching addresses only some of the ways in which the vulnerability can be exploited; it may not secure all the entry points.
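
The sketch below is an added example, not code from the original article or from any product it mentions: a minimal Python WSGI filter that acts as a virtual patch in front of an unmodified application and also shows the coverage gap described in the last point above. The /report and /export routes, the id parameter, and the rule format are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Hypothetical rule: the unpatched app is assumed to mishandle the "id"
# parameter on /report, so the virtual patch only admits short numeric ids.
RULES = [{"path": "/report", "param": "id", "allow": re.compile(r"[0-9]{1,10}")}]
BLOCK_LOG = []  # (client IP, path, param) per blocked request, for later review

class VirtualPatch:
    """WSGI middleware placed in front of an application that stays unmodified."""
    def __init__(self, app, rules=RULES):
        self.app, self.rules = app, rules

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for rule in self.rules:
            if path != rule["path"]:
                continue  # the rule shields only the entry point it names
            for value in query.get(rule["param"], []):
                if not rule["allow"].fullmatch(value):
                    BLOCK_LOG.append((environ.get("REMOTE_ADDR"), path, rule["param"]))
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)

def legacy_app(environ, start_response):
    # Stand-in for the vulnerable application; its code is never touched.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"report body\n"]

def send(app, path, query, ip="203.0.113.7"):
    """Drive the WSGI app with a constructed request and return the status line."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "REMOTE_ADDR": ip}
    b"".join(app(environ, start_response))
    return seen["status"]

if __name__ == "__main__":
    shielded = VirtualPatch(legacy_app)
    print(send(shielded, "/report", "id=42"))   # well-formed request passes
    print(send(shielded, "/report", "id=42x"))  # malformed id is stopped in transit
    print(send(shielded, "/export", "id=42x"))  # uncovered route still reaches the app
    print(BLOCK_LOG)
```

If /export reaches the same flawed code as /report, the third request shows why the rule set has to be reviewed against every entry point and why the code fix is still required.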

Conclusion

In today’s dynamic environment, where keeping up with the growing number of vulnerabilities is challenging, virtual patching is a lifesaver. However, it is important to remember that it is an emergency measure to reduce risk and not an actual solution. Virtual patching needs to be part of a comprehensive and managed security solution such as AppTrana to ensure a robust security posture.