Why is it so difficult to patch web applications?

Just as I sat down to write this blog – one year after the Apache Foundation announced the now infamous “Struts 2” flaw CVE 2017-5638 – Apache announced a new Struts 2 flaw.  Before the electrons had settled from that announcement, Under Armor revealed a cyber breach where hackers made off with the personal data of 150M users of the MyFitnessPal fitness app.

Then, a few days later on Easter Sunday, the parent company of Saks Fifth Avenue and Lord & Taylor were outed by a security researcher who claimed more than five million (5M) debit and credit cards from the luxury retailers were for sale on the Dark Web.  The attack was believed to have started in May 2017 and may still be underway.

No details about how the attacks against Under Armor or Saks/Lord & Taylor attacks have surfaced yet, but it’s a safe bet that a known, unpatched software flaw in a web app is involved somewhere.

In the first three months of 2018, the US National Vulnerability Database maintained by NIST has added nearly 3,500 new CVEs, or about 40 new known software flaws per day. The total as of 2 April is 104,331 CVEs – more than 14,000 of which are critical or high severity rated vulnerabilities.

Verizon first identified “flaws known for at least one year” as the most common cause of successful cyberattacks in 2015 and that hasn’t changed.  It’s no wonder that 83.5% of organizations surveyed by the CyberEdge Group in 17 countries and 19 industries said they have difficulty patching their web applications.

When asked “what is preventing…patching systems more rapidly?,” the number one answer was “infrequent windows to take production systems offline.”  A surprising 20% noted that “patching is a lower priority.”

All of the responses are linked to the same root cause: Today, stretched-thin staff are required to find, fix and physically patch flawed code.

Traditional and emerging AppSec heuristic approaches that use instrumentation and web filters can tell you where code flaws exist and detect attacks against them. What these solutions cannot do is address the core security threat by fixing the vulnerability.

Waratek’s compilation-based, deterministic approach can. Waratek’s functional equivalent virtual patches can be applied while an application runs – eliminating the need to rewrite source code, take downtime to patch applications, or tune application security tools. And Waratek’s virtual patches will not break your app, another fear that often delays or prevents patching.

Waratek’s application security platform is used by global banks, payment processors, health care providers, and telecom companies to virtually patch known vulnerabilities, secure .NET and Java-based applications against the OWASP Top Ten and SANS 25 attacks, and virtually upgrade out of support Java applications – all without source code changes, routine downtime, false positives or unacceptable performance impacts.

Related resources

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.