Virtual Patching

Virtual Patching is a security policy enforcement layer which prevents and reports the exploitation attempt of a known vulnerability. This layer analyzes the transactions and intercepts attacks in transit, so malicious traffic never reaches web application. The impact is that actual source code of app has not been modified so exploitation attempt does not succeed.

From purely technical perspective, best remediation would be to fix the code, but in real world business situations updating source code is not easy due to many reasons:

  • Lack of resources
  • 3rd Party software
  • Outsourced Application Development

Virtual patching is done by OpSec team while code fix is done by developers.

Goals of virtual patching is to :

  • Minimize time-to-fix
  • Attack surface reduction

Virtual patching tools:

  • Intermediary devices i.e. WAF or IPS appliance
  • Web server plugin i.e. ModSecurity
  • Application layer filter i.e. ESAPI WAF

Virtual Patching Methodology

Consistent repeatable process provides best chance of success. Virtual patching workflow adopted in organizations has following phases :

  • Preparation Phase
    • Public/Vendor Vulnerability Monitoring
    • Virtual Patching pre-authorization
    • Deploy virtual patching tool in advance
    • Increase HTTP Audit Logging (Request URI, Full request header & body, Full response header & body)
  • Identification Phase
    • It occurs when organization becomes aware of vulnerability in application.
    • Proactive identification: By assessing web security posture through DAST and source code reviews
    • Reactive identification: Vendor contact, Public disclosure, Security incident
  • Analysis Phase
    • Determine virtual patching applicability
    • Utilize bug tracking system
    • Verify name of vulnerability
    • Designate impact level
    • Specify which versions of software are impacted
    • List what configuration is required to trigger the problem
    • List PoC exploit code or payloads used during attack
  • Virtual Patch Creation Phase
    • No flase positives : Do not block legitimate traffic ever
    • No false negatives : Do not miss attacks ever
    • Manual Virtual Patch Creation
      • Whitelist virtual patches (recommended solution) – specifies characteristics of valid input
      • Blacklist virtual patches – a set of rules to detect specific known attacks
    • Automated Virtual Patch creation
      • OWASP ModSecurity Core Rule Set (CRS) Scripts – to auto-convert XML output from tools such as OWASP ZAP into ModSecurity Virtual Patches
      • ThreadFix Virtual Patching – automated tools for converting imported vulnerability XML data into virtual patches for security tools such as ModSecurity.
      • Direct importing to WAF device –  import of DAST tool XML report data leads to automatically adjustment of protection profiles by WAF devices
  • Implementation/Testing
    • Using web clients, Local proxy servers, ModSecurity AuditViewer
    • Implement virtual patches first in “Log Only” config to ensure no false positives
  • Recovery/Follow Up
    • Periodic re-assessments
    • Update data to ticketing system

Source : OWASP Virtual Patching Cheat sheet


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s