Virtual Patching of Vulnerabilities at the Pace of Business

July 1, 2021

As the pace of digital change accelerates, you don’t want barriers in the way of your transformation strategy. Any delays need to be addressed at the speed of business to sustain a competitive advantage.

Fixing software bugs with code changes or system patches remains a critical security task that needs to be conducted rapidly and reliably, even though it takes significant time. Moreover, many organisations also lack DevSecOps expertise. This is especially the case with legacy applications. For example, it can be disastrous when a legacy application uses a web interface, a popular database back-end or a component whose source code is unavailable or difficult to modify.

It can take days, weeks, or months to find the root cause of the problem, issue a fix, test it, and launch it into production. During this time, sensitive data is exposed to potential attacks without protection.

Your goal must be the integration of frictionless security. Imagine instead a scenario whereby you can issue a fix in hours. The threat to your web application is closed almost immediately, so that development and infrastructure teams have enough time to fix vulnerabilities properly.

This is virtual patching in action.

Virtual patching is achieved by a dedicated rule or a set of rules deployed in a web application firewall (WAF) that diminishes a software vulnerability without changing the underlying codebase. A WAF filters, monitors, and blocks HTTP traffic to and from the web service. By inspecting traffic, it can prevent attacks exploiting a web application’s known vulnerabilities. Virtual patching is ideal when an urgent fix is required: this type of remediation implements a security policy enforcement layer, enabling your operations team to keep a system running until a complete fix passes design, development, testing, and approval.

Virtual Patching Partnership

Here at YesWeHack, we partnered with Rohde & Schwarz cybersecurity to deliver agile and effective virtual patching. Seamless integration between the Rohde & Schwarz WAF and the YesWeHack platform enables you to discover and protect against high-impact vulnerabilities quickly and efficiently, dramatically reducing your risk exposure. Where in the past it may have taken you days, weeks, or even months to remediate a vulnerability – now you can do it in hours.

The highly scalable solution can be deployed on-premises, in public clouds and hybrid / multi-cloud environments.

So how does it work?

Once a YesWeHack ethical hacker identifies a vulnerability, the report is evaluated, and you can request and receive a virtual patch at the click of a button. The process couldn’t be simpler:

1️⃣ You request a patch for the vulnerability directly from your vulnerability report interface, adding information and insight as necessary.

2️⃣ The request is acknowledged and examined. You can review the status of the virtual patch throughout the process.

3️⃣ When a fix is available, the bug bounty program manager integrates it and provides it for testing to the hunter who identified the initial vulnerability.

4️⃣ The hunter confirms the bug cannot be reproduced or bypassed. If it passes the test, you can immediately push forward with the DevSecOps pipeline.

5️⃣ Whatever the type of patch you deploy, all actions are logged. That sort of changelog is precious in highly compliant environments. No more tedious Excel sheets!

This innovative YesWeHack and Rohde & Schwarz cybersecurity integration enable rapid, virtual patching of application vulnerabilities. The WAF rapidly blocks the exploitation of a vulnerability, reducing the time-sensitive data is exposed to potential attacks to hours, not days.

It makes sense on every level. You receive a patch in a fraction of the time and cost of traditional methodologies. Patch requests, tests, and acceptance are tracked as they happen. You have complete visibility throughout the process. And, of course, your application portfolio remains secure and free of vulnerabilities.

To find out more, contact one of our Bug Bounty experts:

Contact us

About Rohde & Schwarz Cybersecurity:

Rohde & Schwarz Cybersecurity is a leading IT security company that protects digital information and business processes of companies and public institutions worldwide against cyberattacks. The IT security expert offers innovative data security solutions for cloud environments, advanced security for websites, web applications and web services, as well as network encryption and endpoint security. The trusted security solutions are developed using the security-by-design approach and proactively prevent cyberattacks. For more information, visit www.rohde-schwarz.com/cybersecurity.

About YesWeHack:

Founded in 2015, YesWeHack is a Global Bug Bounty & VDP Platform.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cybersecurity experts (ethical hackers) across 170 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.

In addition to the Bug Bounty platform, YesWeHack also offers: support in creating a Vulnerability Disclosure Policy (VDP), a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU. For more information: www.yeswehack.com