How will you handle a security problem that is reported to you, will you wait for the fix (internal or external) or do you want to immediately protect yourself from the issue? What if you know there is a zero-day exploit out there? What if it takes a couple of days to fix a security problem?
To be able to respond to security issues add an extra layer in front of your web application. This means that your web application does not accept direct connections. It does not accept machine to machine connections, it accepts process to process connections. By installing an additional layer you
can filter the requests that come in and prevent them from reaching your application directly. You have the possibility to protect yourself against a known vulnerability while the problem itself is not patched yet. You can do this by installing a virtual patch. In short, you install an active filter that blocks known vulnerabilities until a permanent solution is available.
Pay attention when you are using virtual patches:
- There is a risk that you are addressing some parts of the vulnerability but not all of them.
- There is a risk that you forgot to implement the virtual patch on all the places that needed it.
- The company loses the incentive to update to the permanent solution, thinking it is safe. It is possible that the vulnerability gets wider while it is in the open, for example by combining multiple exploits/vulnerabilities.
- A virtual patch is a temporary solution, make sure there is a protocol in place to follow up when a permanent solution is in place. There is a chance that it might be forgotten.