May 23, 2019 by Oliver Sild
You have probably heard the term “Virtual Patching”. It was first used by IPS (Intrusion Prevention System) vendors many years ago. The term is not specific to web applications, but in recent years you will mostly see it mentioned by WAF providers. It’s also called External Patching, Just-in-time Patching, etc.
A virtual patch is basically a rule (or a set of rules) that mitigates a specific vulnerability in software without changing the vulnerable code itself. Managed Web Application Firewalls such as WebARX can ship virtual patches to a website automatically if vulnerable software is present.
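As an added illustration (not WebARX's code or rule format), the Python sketch below shows the idea: a rule constrains one parameter of one endpoint at the request layer while the vulnerable component itself stays untouched. The plugin name `example-gallery`, its path, the `id` parameter and the rule ID are hypothetical.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    rule_id: str         # constructed identifier, not a real advisory ID
    path: re.Pattern     # endpoint exposed by the vulnerable component
    param: str           # parameter the vulnerable code mishandles
    allowed: re.Pattern  # allow-list pattern for legitimate values


# Hypothetical rule: the plugin expects a numeric `id` but does not enforce it.
PATCHES = [
    VirtualPatch(
        "VP-EXAMPLE-001",
        re.compile(r"/wp-content/plugins/example-gallery/view\.php"),
        "id",
        re.compile(r"[0-9]{1,10}"),
    ),
]


def evaluate(url, body=""):
    """Return (allowed, rule_id) for a request URL and form-encoded body."""
    parts = urlsplit(url)
    # Normalise the path so encoded characters or doubled slashes
    # cannot sidestep the endpoint match.
    path = posixpath.normpath(re.sub(r"/+", "/", unquote(parts.path)))
    # Collect every occurrence of each parameter, from query and body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    for patch in PATCHES:
        if not patch.path.fullmatch(path):
            continue
        for value in params.get(patch.param, []):
            if not patch.allowed.fullmatch(value):
                return False, patch.rule_id  # block and report the rule
    return True, None


if __name__ == "__main__":
    base = "/wp-content/plugins/example-gallery/view.php"
    for url in (base + "?id=42", base + "?id=abc", "/index.php?id=abc"):
        print(url, evaluate(url))  # constructed sample requests
```

Because the rule is an allow-list scoped to a single endpoint, requests to the rest of the site pass through unchanged, and the rule can be removed once the component ships a real fix.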
With modern web development practices, heavy usage of third-party components is becoming more and more popular. Fixing the vulnerable code within the third-party components usually requires the plugin developer to push an update with a fix.
We have seen reported vulnerabilities stay without a fix for many weeks or even months. For website owners/developers, analyzing the code and fixing it manually is usually not an option.
That’s where virtual patches come in very handy!
Virtual patching can be especially good for companies that have multiple websites. If your sites have the same framework/CMS/plugins installed, then central management of virtual patching can save you a lot of time and headaches.
A few reasons why virtual patching is great for your sites:
Solutions like WebARX allow you to create rules on how the traffic flows on all your sites when specific conditions are met, but virtual patches are usually crafted by a dedicated security team.
They both have their own pros and cons, but it’s up to you to decide which one to get.
A Web Application Firewall is a no-brainer for modern websites. Because web apps are built like Lego from different blocks, it’s often hard to pay enough attention to a single block to understand whether it is secure while staying productive and getting the work done.
As modern websites are built on frameworks with a lot of third-party code, automatic virtual patches are a must-have for every website.