Virtual Patching

The term virtual patching was coined by intrusion prevention system (IPS) vendors a number of years ago. It is not a web-application-specific term; it may be applied to other protocols. However, currently it is more generally used as a term for web application firewalls (WAFs). It has been known by many different names, including external patching and just-in-time patching. Whatever term you choose to use is irrelevant. What is important is that you understand exactly what a virtual patch is. Therefore, I present the following definition:

Virtual patching is a security policy enforcement layer that prevents the exploitation of a known vulnerability.

The virtual patch works because the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The result is that the application’s source code is not modified, and the exploitation attempt does not succeed.

It is important to understand exactly what protection virtual patching provides. Its aim is to reduce the exposed attack surface of the vulnerability. Depending on the vulnerability type, it may or may not be possible to completely remediate the flaw. For other, more complicated flaws, the best that can be done with a virtual patch is to identify if or when someone attempts to exploit the flaw. The main advantage of using virtual patching is the speed of risk reduction.

Keep in mind that source code fixes and the virtual patch process ...