What Is Virtual Patching?

You have probably heard about the term “Virtual Patching”. This term was first used by IPS (Intrusion Prevention System) vendors many years ago.

Virtual Patching term is actually not specific to web applications, but over the past years, you might see it mainly mentioned by WAF providers. It’s also called External Patching, Just-in-time Patching, etc.

What is virtual patching?

A virtual patch is basically a rule (or bunch of rules) that mitigates the specific vulnerability in software without changing the vulnerable code itself. Managed Web Application Firewalls such as WebARX can ship virtual patches to the website automatically if a vulnerable software is present.

The Era of Plugin Vulnerabilities

With modern web development practices, heavy usage of third-party components is becoming more and more popular. Fixing the vulnerable code within the third-party components usually requires the plugin developer to push an update with a fix.

We have seen reported vulnerabilities stay without a fix for many weeks or even months. For website owners/developers, analyzing the code and fixing it manually is usually not an option.

That’s where virtual patches come very handy.

Why apply Virtual Patching on your websites?

Virtual patching can be especially good for companies that have multiple websites. If your sites have the same framework/CMS/plugins installed then central management of virtual patching can save you quite some time and a headache.

Few reasons why virtual patching is great for your sites:

1. It’s scalable as managed web application firewalls can deploy patches to a network of sites at the same time.
2. It reduces the risk while the developer of a plugin/component releases the fix.
3. Less risk for conflicts compared to when the code is manually patched.
4. It provides protection to all sites almost immediately after discovery.
5. Reduces time and money from remediations or from manual code patches.

How to apply Virtual Patch on your website?

Solutions like WebARX allow you to create rules on how the traffic flows on all your sites when specific conditions are met, but virtual patches are usually crafted by a dedicated security team.

1. Endpoint Web Application Firewalls. Endpoint WAF is something that is installed inside your application. It can’t be bypassed and is often more aware of the environment of your website. For example, WebARX has an endpoint WAF, it can detect components and environment settings to adapt the firewall more efficiently.
   
2. DNS Firewalls. DNS WAF is something that is installed in front of your website’s traffic. The whole traffic to your website is routed through a third-party server where the firewall engine analyses traffic and does its filtering. It usually has no awareness over the internals of the application and if your original website IP is known, it can be completely bypassed.

They both have their own pros and cons, but it’s up to you to decide which one to get.

To sum it up

Web Application Firewall is a no-brainer for modern websites. While web apps are built like a lego from different blocks, it’s often hard to put enough attention to a single block to understand if it is secure or not while maintaining the productivity and getting the work done.

As modern websites are built on frameworks with a lot of third-party code, automatic virtual patches are must-have for every website.

Enable virtual patches on your website now!

Try for free