You have probably heard about the term "virtual patching". This term was first used by IPS (Intrusion Prevention System) vendors many years ago.
Virtual Patching term is actually not specific to web applications, but over the past years, you might see it mainly mentioned by WAF providers. It's also called External Patching or Just-in-time Patching.
A virtual patch is a rule (or a bunch of rules) that mitigates a specific vulnerability in software without changing the vulnerable code itself. Managed web application firewalls such as Patchstack can ship virtual patches to the website automatically if vulnerable software is present.
OWASP has given virtual patching a definition which is:
"A security policy enforcement layer which prevents the exploitation of a known vulnerability." (Source: owasp.org)
And explained that "The virtual patching works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of the virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed." (Source: owasp.org)
With modern web development practices, heavy usage of third-party components is becoming more and more popular. Fixing the vulnerable code within the third-party components usually requires the plugin developer to push an update with a fix.
We have seen reported vulnerabilities stay without a fix for many weeks or even months. For website owners/developers, analyzing the code and fixing it manually is usually not an option.
That's where virtual patches come in very handy.
While Patchstack is triaging non-disclosed vulnerabilities, our PRO customers receive protection even for 0days which is not yet known to the public.
All security services are not able to send virtual patches because of the technology of their firewall, but what technology would you need to receive virtual patches?
Endpoint web application firewall
Endpoint WAF is something that is installed inside your application. It is more aware of the environment of your website than a cloud firewall. For example, Patchstack has an endpoint WAF, it can detect components and environment settings to adapt the firewall more efficiently.
DNS or cloud-based firewall
DNS or cloud WAF is something that is installed in front of your website's traffic. The whole traffic to your website is routed through a third-party server where the firewall engine analyses traffic and does its filtering. It usually has no awareness over the internals of the application and if your original website IP is known, it can be bypassed.
They both have their own pros and cons, but it's up to you to decide which one to get.
Virtual patching can be especially good for companies that have multiple websites. If your sites have the same framework/CMS/plugins installed then central management of virtual patching can save you quite some time and a headache.
Solutions like Patchstack allow you to create rules on how the traffic flows on all your sites when specific conditions are met, but virtual patches are usually crafted by a dedicated security team.
After you've added your site it will take roughly 10 minutes before the data starts showing up on the dashboard and the individual site page. In order to see the data of a specific site, find the Sites tab on the left menu and click on the site of your choosing.
To check which security modules are attached to your sites find the Firewall tab on your left side menu.
When on the Firewall tab, click on Modules. There you will see different security modules by Patchstack. The basic module and virtual patches should be enabled by default and should not be turned off.
A web application firewall is a no-brainer for business websites. While web apps are built like a lego from different blocks, it's often hard to put enough attention to a single block to understand if it is secure or not while maintaining productivity and getting the work done.
As modern websites are built on frameworks with a lot of third-party code, automatic virtual patches are a must-have for every website.