Today’s systems are highly advanced and complex, with many dependencies and interrelationships, so developing a fix and testing it in operation takes considerable time. Implementing a virtual patch does not modify the underlying application or the systems that interact with it, and the patch can be run in monitor mode to evaluate its potential impact before its blocking functions are turned on.
Goals of Virtual Patching
In the many scenarios where an organization cannot simply edit the source code right away, the value of virtual patching becomes apparent.
The two primary goals of Virtual Patching are:
- Minimize Time-to-Fix: Fixing application source code takes time. A virtual patch is used to implement a mitigation for an identified vulnerability immediately.
- Reduce the Organization’s Exposure: Focus on minimizing the attack surface.
(a) In some cases, such as missing positive input validation, a virtual patch can achieve a 100 percent reduction of the attack surface.
(b) In other cases, the virtual patch may not be able to mitigate the vulnerability completely, but it can reduce an attacker’s ability to exploit it by restricting the inputs and outputs of the system’s interactions.
For example, the attacker can still send the attack to the system, but the WAF can block any output that would otherwise be returned to the attacker.
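The two goals above, as an added example that is not part of the original article: a minimal virtual patch in front of a hypothetical endpoint that applies positive (allow-list) validation to a request parameter, filters leaked error text from the response, and supports the monitor mode described earlier, in which violations are logged but nothing is blocked. The parameter name, patterns and backend are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption (constructed): the vulnerable parameter is "id", which the
# application expects to be a short numeric identifier (positive validation).
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")
# Assumption (constructed): response text indicating a leaked database error.
LEAK_PATTERN = re.compile(r"(SQL syntax|ORA-\d{5})", re.IGNORECASE)


@dataclass
class VirtualPatch:
    blocking: bool = False                 # False = monitor mode, True = blocking mode
    log: list = field(default_factory=list)

    def inspect_request(self, params: dict) -> bool:
        """Return True if the request may proceed.  In monitor mode every request
        proceeds, but violations are still logged so impact can be evaluated."""
        value = params.get("id", "")
        if ID_PATTERN.fullmatch(value):
            return True
        self.log.append(f"request violation: id={value!r}")
        return not self.blocking

    def inspect_response(self, body: str) -> str:
        """Block (or merely log) a response that would leak internal details."""
        if LEAK_PATTERN.search(body):
            self.log.append("response violation: possible error leak")
            if self.blocking:
                return "403 Forbidden"
        return body


def handle(patch: VirtualPatch, params: dict, backend) -> str:
    """Route one request through the virtual patch and on to the backend."""
    if not patch.inspect_request(params):
        return "403 Forbidden"
    return patch.inspect_response(backend(params))


def fake_backend(params: dict) -> str:
    """Constructed stand-in for the unpatched application: it leaks a database
    error on unexpected input, which is the behaviour the virtual patch shields."""
    value = params.get("id", "")
    if ID_PATTERN.fullmatch(value):
        return f"record {value}"
    return f"You have an error in your SQL syntax near '{value}'"
```

Running the same malformed request through a monitor-mode and a blocking-mode instance shows the difference: the former logs two violations and still returns the leaked output, the latter logs one and returns 403.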
Advantages of Virtual Patching
From an organization’s perspective, the merits are:
- It reduces the cost of emergency patching.
- It protects mission-critical components that cannot be taken offline.
- It is a scalable solution as it needs to be installed in a few locations, rather than on all of the hosts in a network.
- Since the libraries and support code files are not altered, a virtual patch is less likely to produce conflicts in the system.
- It reduces risk until an effective patch is released by the application vendor or while a patch is being tested and applied.
- Even when a vulnerability is discovered between scheduled patch releases, virtual patching lets the organization maintain its normal patching cycle without affecting operations.
From a web application security consultant’s perspective, virtual patching offers another way to provide services to clients: a consultant can offer to create virtual patches that address issues externally, outside the application code.
See the link: Virtual Patching