Updated: 03-03-21

What Is Virtual Patching?

Agnes Talalaev
from patchstack

You have probably heard the term "virtual patching". It was first used by IPS (Intrusion Prevention System) vendors many years ago.

The term virtual patching is not specific to web applications, but over the past years you will have seen it mentioned mainly by WAF providers. It is also called external patching, just-in-time patching, and so on.

What is virtual patching?

A virtual patch is a rule (or a set of rules) that mitigates a specific vulnerability in software without changing the vulnerable code itself.

Managed web application firewalls such as Patchstack can ship virtual patches to the website automatically if vulnerable software is present.

OWASP defines virtual patching as:

"A security policy enforcement layer which prevents the exploitation of a known vulnerability."  (Source: owasp.org)

It goes on to explain that "The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of the virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed." (Source: owasp.org)

The era of plugin vulnerabilities

With modern web development practices, heavy use of third-party components is becoming more and more common. Fixing vulnerable code inside a third-party component usually requires the component's developer to push an update with a fix.

We have seen reported vulnerabilities stay without a fix for many weeks or even months. For website owners/developers, analyzing the code and fixing it manually is usually not an option.

That's where virtual patches come in very handy.

Not all security services are able to ship virtual patches; it depends on the technology behind their firewall.

  1. Endpoint web application firewalls. An endpoint WAF is installed inside your application. It is more aware of your website's environment than a cloud firewall. For example, Patchstack's endpoint WAF can detect installed components and environment settings and adapt the firewall accordingly.
  2. DNS or cloud-based firewalls. A DNS WAF sits in front of your website's traffic. All traffic to your website is routed through a third-party server, where the firewall engine analyses and filters it. It usually has no awareness of the application's internals, and if your original website IP is known, it can be bypassed.

They both have their own pros and cons, but it's up to you to decide which one to get.
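The two ideas above, a rule that blocks an exploitation attempt in transit without touching the application's code, and an endpoint WAF that only applies that rule when a vulnerable component version is actually installed, as a small added example (not Patchstack's code or rule format). The plugin names, versions, the "gallery_load" action and the numeric-id rule are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed inventory of installed components, as an endpoint WAF would
# detect it from inside the application. Plugin names are hypothetical.
INSTALLED: Dict[str, str] = {"example-gallery": "1.4.2", "example-forms": "3.0.1"}


@dataclass
class VirtualPatch:
    plugin: str                      # component the rule protects
    fixed_in: str                    # versions below this are still vulnerable
    blocks: Callable[[dict], bool]   # True when a request must not reach the app


def version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))


def is_active(patch: VirtualPatch, installed: Dict[str, str]) -> bool:
    """A patch is only applied when the vulnerable component version is present."""
    current = installed.get(patch.plugin)
    return current is not None and version_tuple(current) < version_tuple(patch.fixed_in)


# Hypothetical rule: the gallery plugin's "gallery_load" action must receive a
# purely numeric "id"; anything else is dropped in transit, so the exploitation
# attempt never reaches the plugin and the plugin's own code stays unmodified.
PATCHES = [
    VirtualPatch(
        plugin="example-gallery",
        fixed_in="1.5.0",
        blocks=lambda req: req["params"].get("action") == "gallery_load"
        and re.fullmatch(r"\d+", req["params"].get("id", "")) is None,
    ),
]


def inspect(request: dict, installed=INSTALLED, patches=PATCHES) -> str:
    """Return 'block' or 'allow' for one request before the application sees it."""
    for patch in patches:
        if is_active(patch, installed) and patch.blocks(request):
            return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: a legitimate call and a malformed one.
    good = {"path": "/wp-admin/admin-ajax.php", "params": {"action": "gallery_load", "id": "42"}}
    bad = {"path": "/wp-admin/admin-ajax.php", "params": {"action": "gallery_load", "id": "42 abc"}}
    print(inspect(good), inspect(bad))  # allow block
```

Once the plugin is updated to the fixed version, `is_active` returns False and the rule silently stops applying, which is the behaviour you want from a patch that lives outside the code.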

Why apply virtual patches on your websites?

Virtual patching is especially useful for companies that run multiple websites. If your sites use the same framework/CMS/plugins, central management of virtual patching can save you quite some time and a headache.

A few reasons why virtual patching is great for your sites:

  1. It's scalable, as managed web application firewalls can deploy patches to a whole network of sites at the same time.
  2. It reduces the risk while the developer of a plugin/component works on and releases the fix.
  3. There is less risk of conflicts than when the code is patched manually.
  4. It protects all sites almost immediately after a vulnerability is discovered.
  5. It saves the time and money otherwise spent on remediation or manual code patches.

How to apply virtual patch on your website?

Solutions like Patchstack let you create rules that control how traffic flows to all your sites when specific conditions are met, but virtual patches themselves are usually crafted by a dedicated security team.

To add a virtual patch to your websites you need to:

  1. Create Your Patchstack account
  2. Add your website to Patchstack

After you've added your site it will take roughly 10 minutes before the data starts showing up on the dashboard and the individual site page. In order to see the data of a specific site, find the Sites tab on the left menu and click on the site of your choosing.

To check which security modules are attached to your sites, open the Firewall tab in the left-side menu.

On the Firewall tab, click Modules. There you will see the different security modules offered by Patchstack. The basic module and virtual patches are enabled by default and should not be turned off.

A professional website needs virtual patches

A web application firewall is a no-brainer for business websites. Web apps are built like Lego from many different blocks, and it is often hard to give a single block enough attention to understand whether it is secure while staying productive and getting the work done.

As modern websites are built on frameworks with a lot of third-party code, automatic virtual patches are a must-have for every website.
