Virtual Patching

Virtual patching is a security policy enforcement layer which prevents and reports exploitation attempts against a known vulnerability. This layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The result is that the exploitation attempt does not succeed even though the application's source code has not been modified.

From a purely technical perspective, the best remediation is to fix the code, but in real-world business situations updating source code is not easy, for reasons such as:

  • Lack of resources
  • 3rd Party software
  • Outsourced Application Development

Virtual patching is done by the OpSec team, while the code fix is done by developers.

The goals of virtual patching are to:

  • Minimize time-to-fix
  • Attack surface reduction

Virtual patching tools:

  • Intermediary devices, e.g. a WAF or IPS appliance
  • Web server plugins, e.g. ModSecurity
  • Application layer filters, e.g. ESAPI WAF

Virtual Patching Methodology

A consistent, repeatable process provides the best chance of success. The virtual patching workflow adopted in organizations has the following phases:

  • Preparation Phase
    • Public/Vendor Vulnerability Monitoring
    • Virtual Patching pre-authorization
    • Deploy virtual patching tool in advance
    • Increase HTTP Audit Logging (Request URI, Full request header & body, Full response header & body)
  • Identification Phase
    • Occurs when the organization becomes aware of a vulnerability in the application.
    • Proactive identification: By assessing web security posture through DAST and source code reviews
    • Reactive identification: Vendor contact, Public disclosure, Security incident
  • Analysis Phase
    • Determine virtual patching applicability
    • Utilize bug tracking system
    • Verify name of vulnerability
    • Designate impact level
    • Specify which versions of software are impacted
    • List what configuration is required to trigger the problem
    • List PoC exploit code or payloads used during attack
  • Virtual Patch Creation Phase
    • No false positives: Do not block legitimate traffic ever
    • No false negatives: Do not miss attacks ever
    • Manual Virtual Patch Creation
      • Whitelist virtual patches (recommended solution) – specifies characteristics of valid input
      • Blacklist virtual patches – a set of rules to detect specific known attacks
    • Automated Virtual Patch creation
      • OWASP ModSecurity Core Rule Set (CRS) Scripts – to auto-convert XML output from tools such as OWASP ZAP into ModSecurity Virtual Patches
      • ThreadFix Virtual Patching – automated tools for converting imported vulnerability XML data into virtual patches for security tools such as ModSecurity.
      • Direct importing to WAF device – importing DAST tool XML report data leads WAF devices to automatically adjust their protection profiles
  • Implementation/Testing
    • Using web clients, Local proxy servers, ModSecurity AuditViewer
    • Implement virtual patches first in “Log Only” config to ensure no false positives
  • Recovery/Follow Up
    • Periodic re-assessments
    • Update data to ticketing system
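
An added example, not from the OWASP cheat sheet or the original post: it runs a whitelist and a blacklist virtual patch in log-only mode over constructed traffic and counts false positives and false negatives. The endpoint `/shop/item`, the parameter `item_id` and all sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Hypothetical vulnerable endpoint and parameter (assumptions for illustration).
PATCHED_PATH = "/shop/item"
PARAM = "item_id"

def whitelist_patch(path, query):
    """Positive model: on the patched path, item_id must occur once, 1-9 digits."""
    if path != PATCHED_PATH:
        return False
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    valid = len(values) == 1 and re.fullmatch(r"[0-9]{1,9}", values[0]) is not None
    return not valid

# Negative model: signatures for two known attack shapes only.
SIGNATURES = re.compile(r"'|union\s+select", re.IGNORECASE)

def blacklist_patch(path, query):
    """Flag any parameter value that matches a known attack signature."""
    params = parse_qs(query, keep_blank_values=True)
    return any(SIGNATURES.search(v) for vals in params.values() for v in vals)

# Constructed sample traffic: (path, query string, is_attack).
TRAFFIC = [
    ("/shop/item", "item_id=42", False),
    ("/shop/item", "item_id=42&ref=home", False),
    ("/shop/search", "q=O%27Brien", False),           # legitimate apostrophe
    ("/shop/item", "item_id=42%27", True),            # known payload shape
    ("/shop/item", "item_id=1+UNION+SELECT+1", True), # known payload shape
    ("/shop/item", "item_id=1+OR+1%3D1", True),       # variant with no signature
]

def log_only_run(patch, traffic):
    """Evaluate without blocking; return (false_positives, false_negatives)."""
    fp = fn = 0
    for path, query, is_attack in traffic:
        flagged = patch(path, query)
        print(f"[log-only] {patch.__name__}: flagged={flagged} {path}?{query}")
        fp += int(flagged and not is_attack)
        fn += int(is_attack and not flagged)
    return fp, fn

if __name__ == "__main__":
    for patch in (whitelist_patch, blacklist_patch):
        print(patch.__name__, "FP/FN =", log_only_run(patch, TRAFFIC))
```

On this sample the whitelist patch scores 0 false positives and 0 false negatives, while the blacklist patch flags the legitimate apostrophe and misses the variant that matches no signature.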

Source: OWASP Virtual Patching Cheat Sheet


8 – Perseverance, Persistence and Determination

Perseverance is one characteristic shared by all successful people throughout history. Perseverance is the true essence of success.

Persistence – The act of holding firmly and steadfastly to a purpose, state, goal or undertaking despite obstacles, warnings or setbacks.

Determination – Quality of mind which reaches definite conclusions, resoluteness

Perseverance – Persistent determination

Persistence is not insanity. Giving up your purpose or goal due to obstacles – that’s insanity.

The key to determination is the word “decision”. You must decide what you want before you can get it. Determination takes great self-confidence and decisiveness. You must be willing to completely disregard all alternatives to your decision and set it clear in your mind that you must and you will.

Perseverance is a great word that is defined by persistent determination.


From book “Year to Success” by Bo Bennett

7 – Using Humor Effectively

Laughter is the best medicine known to mankind. Developing a good sense of humor and the ability to make people laugh can do more good for those you come into contact with.

Besides making people happy and feel good, humor can be used to make light of an awkward situation and ease both tension and ill feelings while building rapport. In a speaking or writing situation, humor can keep the audience interested and help you become a better communicator.

People have different senses of humor, even though humor is recognized and the effects of humor remain.

Here are some different kinds of humor that you can use :

  • The Joke.
  • The Funny Story
  • The impersonation
  • Physical Comedy
  • What ifs
  • Sarcasm
  • Slapstick comedy

Some “Rules of Humor”. Follow them and humor will serve you well. Break them and you’ll be the subject of other people’s humor.

  1. Never ever take credit for someone else’s joke
  2. Make sure your joke or funny story is always told to a new audience
  3. Be appropriate
  4. Keep it short
  5. Be smooth
  6. Timing
  7. Relevancy
  8. Do not make jokes at other people’s expense
  9. Don’t overdo it
  10. Don’t be corny

When humor fails:

  • Cover up by asking a question
  • Don’t laugh at your own jokes and people may not think you were trying to be funny

Using humor effectively requires practice and self-confidence.

From book “Year to Success” by Bo Bennett

6 – Positive Mental Attitude

We have a great sense of control over our attitude. We can choose to focus on the negative or the positive in a situation. A positive mental attitude is something everyone can adopt with a little practice. It is also a significant factor in success.

PMA is seeing the good in situations rather than the setbacks. More importantly, it is focusing on the positive and using it to your advantage. It is the driving force behind persistence and perseverance.

After adopting a positive mental attitude you will find more opportunities, successes and luck in your life than ever before. It has to do with focus and perception. It is a snowball effect that, once begun, builds and grows stronger with each positive event in life.

Tips to build PMA:

  • Scrutinize every event in your life that appears negative and look for the positive. List the positives from that situation. Do not give up until that list is equal to or greater than the negatives.
  • Surround yourself with positive people. Negativity is more contagious than the common cold.
  • Read and listen to positive, motivational and inspirational material.
  • Avoid morning news and news before bedtime. Start and end your day with inspirational music or good conversation.
  • If you catch yourself thinking negatively, STOP IMMEDIATELY. Take a deep breath and do as the first suggestion says.

PMA will certainly bring you one giant leap closer to success.

From book “Year to Success” by Bo Bennett

5 – General Life Purpose

What is your general purpose on earth? Does your existence make the world a better place?

Consider statements below and think where you currently fit in. There is no right or wrong answer.

  1. I am here to live the highest quality life I can. This includes working towards constant self-improvement and engaging in leisure activities. My time on earth is limited, and I will do what I can to get the most self-gratification possible.
  2. It is my purpose to provide for my family and give my family the highest quality of life possible. My free time should be spent with my family, for my family.
  3. My purpose on earth is to do good for as many people as possible within my lifetime. I realize that there is a world beyond myself and my family that needs something that I can provide.

Don’t confuse general life purpose with just “life purpose.” General life purpose is a starting point for determining your life purpose that helps you decide who and what is most important in your life right now. See this as a scale with your typical self-centered individual on one end and someone like Gandhi on the other end.

This exercise in finding your general life purpose is one of the many very important first steps to success. You must be at peace with yourself and feel no guilt as to what you desire from life. Once you have this confidence, the pursuit of your goals becomes easier and more enjoyable.

From book “Year to Success” by Bo Bennett

4 – Inspiration from Henry Ford

Henry Ford was the founder, VP and chief engineer of Ford Motor Company.

Success is age independent – Henry Ford constructed his first steam engine at the age of 15.

Success is not formal education – Ford’s formal education was limited to about 3 years.

Success is fueled by failure – After 2 unsuccessful attempts to establish an automobile company, Ford Motor was incorporated in 1903 with Henry as VP and chief engineer.

Success is problem-solving – Even after the unpleasant monotony of assembly-line work and repeated increases in production quotas assigned to workers, monthly labor turnover increased to 60 from 40 percent because of Henry Ford doubling the daily wage and shaving one hour off the workday.

Success is overcoming competition – In 1905, 50 start-up companies tried to get into the auto business, and Ford succeeded.

Success is doing what you feel in your gut is right, despite public opinion – The Wall Street Journal called the raise to the daily wage an “economic crime” and critics coined the pejorative term “Fordism” to reflect disgust at Ford’s practice.

Success is seeking out those who can help you with your goals – In 1903, Ford found twelve people willing to invest a total of $28k in the motor company. Ford began production of the Model A car, which sold well, and the company’s profits reached $1,100,000 in 1907.

From book “Year to Success” by Bo Bennett

3 – Remembering and Using People’s Names

It has been said that a person’s name is the most important in the world to that person. Using a person’s name in conversation is one of the best ways to build rapport. So step one is remembering the name.

Memory works by a process of encoding and decoding, commonly referred to as recall. Each time a memory is recalled, it gets re-encoded, which means it changes over time.

Steps to follow when you meet people:

  1. Listen and pay attention to the name.
  2. Repeat immediately
  3. Repeat often
  4. End the conversation with the person’s name
  5. Comment/ask questions about the name
  6. Review the name and face of the person after the conversation is over.

Memory is linked to senses and emotions. Mixing emotion and the senses into remembering a name will make the name difficult to forget.

Techniques used to remember names:

  1. Face association
  2. Substitution – associating the name with some object that you can visualize with the name
  3. Paint their name on their forehead in imagination
  4. Association with someone you know

From book “Year to Success” by Bo Bennett

2 – Why Success?

Humans are driven by the desire to feel important. We all want to know that our lives make a difference in a positive way. So in some way we want to know that the world is a better place because we are part of it. Success is a way of saying just that.

People who do not desire success will rarely achieve it. You must be ready for it and pursue it with passion.

To most people, success includes these:

  • living your dream
  • living every day with passion
  • having true wealth
  • learning appreciation and gratitude
  • positively influencing lives of others in some way
  • true happiness
  • having loved ones with whom to share it all

Consider “PERMA” – the five dimensions of well-being – when you define your success.

  • P – Positive emotions
  • E – Engagement
  • R – Relationships
  • M – Meaning/Purpose
  • A – Achievement

No matter what your definition of success is, pursue it with passion and determination.

Mark this day as the day of commitment to change your life for the better and start embracing life rather than just living it.

From book “Year to Success” by Bo Bennett

1 – Introduction

Success is best achieved by working on many aspects of personal development.

Well-being is a measurable construct that is less nebulous than success and more comprehensive.

As learning beings, we must be open to change our beliefs and views based on new information.

Think of success as a game of chance in which you have control over the odds. Beginning to master the concepts in personal achievement increases the odds of achieving success. It has been said that one line of wisdom can change your life more than volumes of books.

Education + Inspiration + Action = Success

From book “Year to Success” by Bo Bennett