"Reducing Organizational Risk Through Virtual Patching"
by Joseph Faust / SANS
Virtual patching:
- there is a web app with known security problems
- you can't / don't want to touch the web app
- you apply measures in the input and / or output channels of the web app to mitigate the risks
- i.e. "packet manipulation and proxies via brokering the protocols to the application in question"
- tight coupling of the patching mechanism and the web app is necessary
Example: mod_security
Architecture
- embedded: runs on the same web server -> no changes to the web app, protects only that web app
- reverse proxy: can be used for several web apps, independent of the web app's OS etc., but a single point of failure for all apps behind it
See section 2.2.3 for a list of advantages and disadvantages and section 2.3 for an implementation example.
Mitigation Examples
- SQL injection
- password brute forcing
- HTTPOnly flag for cookies
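The three mitigation examples above, worked through as a small embedded-style virtual patch: a WSGI middleware sitting in the input and output channel of an app whose code is left untouched. This is an added example, not code from the SANS paper and not ModSecurity rule syntax; `vulnerable_app`, `VirtualPatch`, `call`, the cookie value and the client IP are all constructed for the demo. The same logic would live in a reverse proxy in the second architecture.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs


def vulnerable_app(environ, start_response):
    """Constructed stand-in for a legacy app we are not allowed to modify.
    It builds a query by string concatenation and sets a cookie without HttpOnly."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    user_id = params.get("id", [""])[0]
    body = f"SELECT * FROM users WHERE id = '{user_id}'".encode()
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "session=abc123; Path=/")]
    start_response("200 OK", headers)
    return [body]


# Minimal signature for injection fragments the patch should stop at the edge.
SQLI = re.compile(r"""(['"]\s*(or|and)\b|union\s+select|--|/\*|;\s*(drop|delete)\b)""", re.I)


class VirtualPatch:
    """WSGI middleware applying three virtual patches around an untouched app:
    1. reject requests whose query parameters match SQLI (input channel),
    2. throttle POSTs to the login path per client IP (input channel),
    3. add HttpOnly to any Set-Cookie the app emits without it (output channel)."""

    def __init__(self, app, login_path="/login", max_attempts=5, window=60, clock=time.time):
        self.app = app
        self.login_path = login_path
        self.max_attempts = max_attempts
        self.window = window          # seconds
        self.clock = clock            # injectable for testing
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent login POSTs

    def _too_many_logins(self, ip):
        now = self.clock()
        recent = self.attempts[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()          # drop attempts outside the window
        recent.append(now)
        return len(recent) > self.max_attempts

    def __call__(self, environ, start_response):
        query = parse_qs(environ.get("QUERY_STRING", ""))
        if any(SQLI.search(v) for values in query.values() for v in values):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch: suspicious input\n"]

        if (environ.get("REQUEST_METHOD") == "POST"
                and environ.get("PATH_INFO") == self.login_path
                and self._too_many_logins(environ.get("REMOTE_ADDR", "unknown"))):
            start_response("429 Too Many Requests", [("Retry-After", str(self.window))])
            return [b"too many login attempts\n"]

        def patched_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if name.lower() == "set-cookie" and "httponly" not in value.lower():
                    value = value.rstrip("; ") + "; HttpOnly"
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)

        return self.app(environ, patched_start_response)


def call(app, path="/", query="", method="GET", ip="198.51.100.7"):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "REMOTE_ADDR": ip}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    patched = VirtualPatch(vulnerable_app, max_attempts=3)
    print(call(patched, query="id=7"))                 # 200, cookie now HttpOnly
    print(call(patched, query="id=1'+or+'1'='1"))      # 403, blocked at the edge
    for _ in range(4):
        print(call(patched, path="/login", method="POST")[0])  # 4th POST -> 429
```

Note the coupling the summary warns about: the SQLI signature has to be tuned to the parameters the app actually exposes, and the login throttle only works if the patch knows the app's login path and method.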