The fact that software contains vulnerabilities should not come as a surprise. Human beings write software, and humans make mistakes. As a result, the software contains errors that might be exploitable by an attacker. While some organizations are working to adopt DevSecOps programs to reduce the number of vulnerabilities that reach production code, not all organizations are doing so, and even the best DevSecOps program can miss some vulnerabilities. As a result, web applications (and other software) contain vulnerabilities that can put their users at risk.
Once a vulnerability has been detected, an organization has a few options for dealing with it. One possibility is attempting to patch all vulnerabilities within an organization’s environment. Another is deploying a web application firewall (WAF) or a runtime application self-protection (RASP) solution to perform “virtual patching.” Taking one of these two approaches is essential, as the majority of data breaches are caused by a failure to patch vulnerabilities in production.
Vulnerability Management is Challenging
Vulnerability management is a fact of life for many organizations. In recent years, over 22,000 new vulnerabilities have been discovered annually. While this is already a high number, it does not include all of the vulnerabilities discovered previously (that may still exist in an organization’s systems) or vulnerabilities that remain undiscovered or undisclosed.
Attempting to patch every vulnerability within an organization’s network environment can present a significant challenge for a business. To remediate a vulnerability through patching, an organization must learn that the vulnerability exists, acquire and test the vendor-provided patch, apply the patch to all affected systems, and test to determine if the patch was applied successfully. This process, if it goes perfectly, can require significant resources from an organization. For a large organization, the cost of lost productivity alone associated with patching a vulnerability could be in the hundreds of thousands of dollars. Additionally, this estimate does not include the time and effort of the security team during the patch acquisition, testing, application, and verification processes.
The sheer number of patches that an organization must apply can easily overload its IT and security teams. It can lead to delays in patching, which can leave an organization open to attack. It is not uncommon for cybercriminals to target vulnerabilities for which patches have recently been made available. A released patch provides a hacker with hints regarding the vulnerability that it was designed to correct, making it easier to develop an exploit. In many cases, organizations that manage vulnerabilities primarily through patching are in a race against cybercriminals (and losing it).
Missed Patches Lead to Data Breaches
Despite the high cost associated with patching a vulnerability, the costs of failing to manage vulnerabilities properly can be even higher. According to a recent study, up to 60% of data breaches can be linked to a failure to remediate a vulnerability for which a patch existed and was publicly available.
The costs associated with a data breach can be extremely high. On average, the price tag of a data breach comes in the millions of dollars as organizations are forced to perform expensive investigations, notify affected parties, and pay lawyers’ fees, settlements, and regulatory penalties. However, this only covers the easily quantifiable costs of a breach. After a major incident, an organization’s reputation and brand image are damaged, which often requires additional effort to repair. Loss of image can also cause a drop in customer loyalty and sales, meaning that the true cost of a breach can be much higher than the immediate cost of remediation.
With the majority of data breaches linked to a failure to remediate vulnerabilities in deployed code, vulnerability management should be a priority for all organizations and carries a high price tag for failure. However, the cost and effort associated with remediating vulnerabilities mean that many organizations struggle to keep up.
Achieving Scalable Vulnerability Management
Organizations are faced with an absurd number of vulnerabilities that must be remediated to protect against cyberattacks. While an organization may only be affected by a fraction of the 60 new vulnerabilities disclosed each day (on average), addressing even a few per day through patching can impose a significant burden on a security team and draw attention away from the job of protecting the organization against attack.
While applying updates and patching vulnerabilities is a good idea, it is not the only (or even the best) method of protecting applications against exploitation. Cybersecurity solutions like a web application firewall or runtime application self-protection are capable of performing “virtual patching” to protect a vulnerable application against attack.
Virtual patching does not require an organization to apply patches to close vulnerabilities in an application. Instead, the WAF or RASP solution sits between the application and a potential attacker. With knowledge of common vulnerabilities, a WAF or RASP solution can block attempts to exploit known vulnerabilities, making the application as secure as if the appropriate patch had been installed.
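To make the mechanism concrete, here is an added example (not code from the original article or from any WAF or RASP vendor) of the core of a virtual-patching rule engine: each rule ties a vulnerability entry from the feed to the affected endpoint and parameter, and the engine rejects requests whose input would not pass the validation the real patch adds, while logging the decision for the security team. The vulnerability identifier, endpoint and allowed-value pattern are constructed placeholders.

```python
import logging
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("virtual-patch")


@dataclass(frozen=True)
class VirtualPatch:
    vuln_id: str          # tracking id from the vulnerability feed (placeholder here)
    path: str             # affected endpoint
    param: str            # affected request parameter
    allowed: re.Pattern   # shape of input the real patch accepts; anything else is rejected


def load_patches():
    # Constructed rule: the hypothetical advisory VULN-PLACEHOLDER-001 says the
    # "id" parameter of /orders is used without validation and must be a plain
    # integer. The virtual patch enforces that validation in front of the app
    # until the real fix is deployed; the underlying bug itself is unchanged.
    return [VirtualPatch("VULN-PLACEHOLDER-001", "/orders", "id", re.compile(r"\d+"))]


def inspect(method, url, patches):
    """Return ("block", vuln_id) for a request matching a rule, else ("allow", None)."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values, so encoded variants of the same input
    # are normalized before the allow-list check runs.
    query = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if parts.path != patch.path:
            continue
        for value in query.get(patch.param, []):
            if not patch.allowed.fullmatch(value):
                log.warning("blocked %s %s: parameter %r failed validation for %s",
                            method, parts.path, patch.param, patch.vuln_id)
                return ("block", patch.vuln_id)
    return ("allow", None)


if __name__ == "__main__":
    rules = load_patches()
    for request in ("/orders?id=42", "/orders?id=abc", "/orders?id=4%32", "/health?id=abc"):
        print(request, "->", inspect("GET", request, rules))
```

Adding a new entry to the list returned by `load_patches()` is the whole deployment step for a new virtual patch, which is the scalability point the text makes.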
Remediating vulnerabilities through patching is unscalable and unsustainable, and the potential impacts of missing even a single patch (or applying it too late) are significant, as demonstrated by the fact that most data breaches involve a missing patch. WAF and RASP solutions provide a much more scalable solution to the vulnerability management problem since they only require a list of the latest vulnerabilities to virtually “patch” applications rather than a complex patch management process.