Software vulnerabilities are bad news. They can hurt organizations in all sorts of ways, financial and otherwise. A single vulnerability of the kind catalogued as a Common Vulnerabilities and Exposures (CVE) entry can expose personally identifiable information (PII) belonging to users, give attackers unauthorized access to networks and systems, and far more. In doing so it can cost time, money, and customer loyalty. The results can be devastating.
For example, the 2017 Equifax data breach exposed the records of roughly 147 million people after attackers exploited a known vulnerability in the Apache Struts framework (CVE-2017-5638) on the credit reporting agency's consumer complaint web portal. A patch had been available for months, but internal process failures at Equifax meant it was never applied. Once inside, the attackers moved on to other company servers because the network was not properly segmented, and along the way they found usernames and passwords stored in plain text, which opened up still more systems.
Data pulled out of the network went undetected for more than two months because the certificate on an internal traffic-inspection tool had expired and had not been renewed, so the encrypted traffic carrying the stolen data was never examined. The end result was hundreds of millions of dollars in settlements and remediation costs.
Far From An Isolated Example
An extreme illustration? Maybe. But it is far from an isolated one, and it demonstrates just how devastating software vulnerabilities can be when left unchecked. The number of such vulnerabilities discovered each year is growing. For a long time, the number of vulnerabilities reported annually in the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, remained roughly stable.
In recent years, however, that number has increased sharply. In 2017, the count of vulnerabilities published in the NVD jumped from 6,447 the previous year to 14,714, an increase of more than 100%. The two subsequent years did not show another jump of that size, but it is nonetheless clear that software vulnerabilities pose a significant problem, with thousands of new vulnerabilities disclosed every year.
This volume of vulnerabilities understandably makes it tough for organizations to keep up with securing their systems. The problem is exacerbated by indirect dependencies: some open-source ecosystem studies put around 75% of all vulnerabilities in indirect (transitive) dependencies rather than in the components an application loads directly. A dependency is simply one piece of software that another piece relies on; an indirect dependency is one that is pulled in by a library your application uses, rather than one you chose yourself. Because nobody on the team selected them explicitly, indirect dependencies are easy to overlook as a source of vulnerabilities, and they rarely show up in a manually maintained inventory.
A Major Headache For Organizations
The problem can seem insurmountable. A single vulnerable endpoint, whether it is part of an application, a server, or a network, can be enough to put huge numbers of users and large amounts of sensitive data at risk. At the same time, organizations can be slow to update systems, either because of the downtime to crucial services while servers are offline or, for software developed in-house, because of the change-approval process that an upgrade has to go through.
Even if an organization takes only a few weeks to respond to a disclosed security flaw, that is ample time for an attack to take place. Added to this is the challenge of zero-day exploits, in which attackers exploit a vulnerability before the vendor has a fix available, whether or not the flaw has been publicly disclosed. Such attacks are on the rise, and they mean that simply being a conscientious, fast-moving organization that keeps its certificates and patches up to date is not necessarily enough to defend against an attack.
Help Is At Hand — Thanks To Virtual Patching
Virtual patching can help. A virtual patch is a set of rules, typically enforced by a Web Application Firewall (WAF), intrusion prevention system, or reverse proxy, that blocks attempts to exploit a specific software vulnerability without changing the vulnerable code. This is crucial for the many modern systems that rely on third-party components which, as noted, bring their own challenges when it comes to vulnerabilities.
Instead of waiting for a third-party plugin or library developer to publish a fix, a virtual patch can be pushed to the protection layer in front of a website as soon as a vulnerability is understood, closing the window of exposure long before an official patch may be available.
Despite its name, virtual patching does not patch the vulnerability at the code level. What it does is add a shielding layer that recognizes and stops requests that try to exploit the vulnerability: blocking malicious requests and the actors behind them, analyzing patterns in web traffic, and more. A good WAF will block attempts to exploit known CVEs even when the underlying vulnerability has yet to be fixed, and will also apply generic rules and behavioral analysis to spot exploit attempts against vulnerabilities it has no specific signature for. One detail that separates a working virtual patch from a brittle one is normalization: the rule has to decode and canonicalize the request (percent-encoding, alternate path separators, and so on) before matching, or an attacker simply encodes the payload differently and walks past it.
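The following is an added example written for this article, not code from any WAF product. It shows the two shapes a virtual patch usually takes, a positive model of what a legitimate parameter value looks like and a signature for a known exploit pattern, scoped to a single endpoint and applied after the request has been decoded. The endpoints `/download` and `/search`, their parameters, the rules, and the sample requests are all hypothetical and constructed for illustration.

```python
"""Minimal virtual-patch request filter (added example, hypothetical rules).

A rule is scoped to one endpoint and one parameter, and either describes what a
legitimate value looks like (allow) or what an exploit attempt looks like (deny).
The vulnerable application code is never touched; the filter sits in front of it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    """One rule. The field names are this example's own, not a product format."""
    name: str
    path: str                            # exact path of the shielded endpoint
    param: str                           # query parameter the vulnerable code reads
    allow: Optional[re.Pattern] = None   # positive model of a legitimate value
    deny: Optional[re.Pattern] = None    # exploit signature when no allow model exists


def normalize(value: str) -> str:
    """Collapse layered percent-encoding and backslash separators before matching,
    so '../' cannot be hidden as '%252e%252e%252f' or '..\\'."""
    for _ in range(3):                   # bounded: a few layers is all a real request has
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def evaluate(patches: List[VirtualPatch], url: str) -> Tuple[str, str]:
    """Decide ALLOW or BLOCK for one GET request URL; the reason is for the log."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if parts.path != patch.path:
            continue                     # a virtual patch is scoped, not global
        for value in params.get(patch.param, []):
            value = normalize(value)
            if patch.allow is not None and not patch.allow.fullmatch(value):
                return "BLOCK", f"{patch.name}: {patch.param}={value!r} outside allowed form"
            if patch.deny is not None and patch.deny.search(value):
                return "BLOCK", f"{patch.name}: {patch.param}={value!r} matches exploit signature"
    return "ALLOW", "no virtual patch triggered"


# Constructed rules for two hypothetical endpoints. The download rule uses an
# allow model because legitimate file names have a known shape; the search rule
# falls back to a deny signature because free-text queries have no such shape.
PATCHES = [
    VirtualPatch("download-traversal", "/download", "file",
                 allow=re.compile(r"[A-Za-z0-9_-]+\.pdf")),
    VirtualPatch("search-injection", "/search", "q",
                 deny=re.compile(r"<\s*script|['\"]\s*(or|union)\s", re.IGNORECASE)),
]

# Constructed sample requests, including an encoded and a double-encoded traversal.
SAMPLES = [
    "/download?file=report.pdf",
    "/download?file=../../etc/passwd",
    "/download?file=%252e%252e%252fetc%252fpasswd",
    "/download?file=..%5C..%5Cwin.ini",
    "/search?q=annual%20report",
    "/search?q=%27%20OR%201%3D1%20--",
    "/other?file=../../etc/passwd",      # not covered by any rule: passes through
]

if __name__ == "__main__":
    for sample in SAMPLES:
        decision, reason = evaluate(PATCHES, sample)
        print(f"{decision:5} {sample:45} {reason}")
```

Note what the last sample shows: a virtual patch only protects the endpoint it was written for. If the same vulnerable library is reachable through another route, that route needs its own rule, which is exactly why the virtual patch is a stopgap until the code itself is fixed.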
Virtual patching is a scalable solution that is faster than waiting for developers to patch every known vulnerability (and when an application is no longer supported by its vendor, the official fix may never arrive). It also reduces the risk of accidentally introducing a regression, since libraries and code files are not altered. And it is a lifesaver for organizations that rely on critical systems they simply cannot afford to take offline. The caveat is that a virtual patch is a mitigation, not a cure: the vulnerable code is still there, a rule only covers the request paths it was written for, and a bypass through an unanticipated encoding or route is always possible. Treat it as a way to buy time, and keep the real patch on the schedule.
Used that way, it is a no-brainer for any organization that does not want to be caught out by a security vulnerability.