In a perfect world, every time your security team discovered a vulnerability in your web application, you’d be able to patch it up and remove the possibility of exploitation that same day. Unfortunately, we all know that’s usually not how it works. At best, most vulnerabilities take about a week to patch, with many more taking multiple weeks or even months—time during which a hacker could potentially exploit the vulnerability to gain sensitive information or even take down your whole system.
This might seem like the kind of problem that could be solved by throwing more money and person-power at it, but most of the time it’s just not that simple. The vast majority of businesses already think of cyber security as mission critical, but the number of potential vulnerabilities they have to contend with grows by the day, and large-scale events like the coronavirus pandemic and the end of Windows 7 support (which has caused a mass migration to Windows 10 that can leave slower companies vulnerable) only exacerbate the problem. Beyond that, some vulnerabilities simply don’t have straightforward fixes, and are thus doomed to languish un-dealt-with.
All of this puts businesses at risk, but it’s often not clear what alternatives exist. In short, something’s gotta give.
The Remediation Gap
The lag time between finding a vulnerability and patching it that we referred to above is what’s known as the “remediation gap,” and it’s a growing issue for companies of all shapes and sizes. Right now, the method that most companies use for fixing vulnerabilities involves rewriting the application’s source code, which isn’t just time consuming, it’s deeply uncertain. A bug that looks like it could take time to resolve might actually require a fairly easy fix—while a vulnerability that seems simple might actually be incredibly time consuming to close up, whether that’s because it’s rooted in business logic that can’t be altered easily or because the code as originally written is particularly ill-suited to refactoring.
All of these factors contribute to a situation in which companies remain vulnerable to attacks that they already know about—potentially for months. Sure, there are monitoring and mitigation tactics you can use to reduce the likelihood that someone actually exploits those known vulnerabilities before they’re patched (more on that below), but the fact remains that for most security flaws you remain a sitting duck.
Why Some Vulns Don’t Get Fixed
We said above that throwing more money or person-power at the remediation gap wouldn’t be enough to remedy the situation—but why exactly is that the case? There are a couple of potential reasons:
- Some vulnerabilities are the result of widespread bugs that go well beyond the boundaries of your own systems. Heartbleed, for instance, is a weakness in OpenSSL that enables hackers to gain access to secret cryptographic keys, thereby letting them access information that would otherwise be protected by the encryption. If your system relies on OpenSSL (or interacts with other systems that do), you can try to write a patch on your end, but it is virtually impossible to completely eliminate this attack surface.
- By the same token, some vulnerabilities come about because of interactions between your app and systems that may be owned by your vendors or partners. The interaction might result in a business logic flaw or something more serious, but regardless of the bug, you and the vendor might not agree on the right way to get things patched up. If this happens, there might simply be nothing that you can do to fix the situation effectively.
- Some vulnerabilities might also require significant downtime to address properly—downtime that the C-suite might be loath to authorize if they can’t be convinced the vulnerability is really critical. After all, if you stake your reputation or your users’ happiness on 99.9% up-time for a particular service, conditions would have to be pretty dire before you’d risk that on a security matter that didn’t seem catastrophic. And yet, sometimes it’s a practical necessity for securing your endpoints.
- Other application security issues may be the result of legacy applications that your company either can’t upgrade or isn’t ready to upgrade. Windows 7 is a prime example of this—any number of businesses aren’t yet ready to migrate to Windows 10, but with the support window for 7 closing, new security risks will crop up every day.
All of these potential reasons are on top of the fact that you sometimes simply don’t have the capacity to address every vulnerability that crops up. Sure, infinite funds would be nice in this scenario, but staffing shortages in development and security are still a problem for the largest tech companies, suggesting that for right now there’s not too much that can be done to directly address the remediation gap.
Strategies for Mitigating Risk
Okay, but what about addressing that gap indirectly? That is, what can businesses do to mitigate the risks they face as a result of this widening gulf between known and fixed vulnerabilities? For starters, there’s monitoring: since you know where the attack surfaces are, you can keep a close eye on them to make sure no malicious behavior is taking place. There’s also the (sometimes more drastic) option of replacing the component that has the vulnerability with one that doesn’t have the same flaw, e.g. ditching OpenSSL for an encryption library that doesn’t put your data at risk. This can be effective, but it can also be time consuming. Then, there’s finding other ways to cover flaws, like using WAFs (web application firewalls). These can be a real help in terms of preventing malicious behavior at endpoints—but they’re often too difficult to configure and maintain to be truly practicable solutions.
Another potential mitigation tool is application shielding. What’s application shielding? We’re glad you asked…
How Can Application Shielding Help?
In the last few years, application shielding technology has become a real alternative to some of the other mitigation strategies we listed out above. How does it work? Essentially, application shielding software enables you to obfuscate your code at the user/session level, such that attackers can’t exploit any of the vulnerabilities that might still be unresolved. Not only can they not exploit them, they can’t even necessarily find them—even if they are known, documented flaws. Like WAFs, these will typically use an interception proxy to create rules for HTTPS traffic as it comes in—meaning that without touching a single line of code you’ve managed to effectively secure your digital perimeter from all known attacks.
This isn’t necessarily a complete replacement for code remediation, but anything that effectively covers your digital perimeter during the remediation process would take the time pressure off of the current remediation process. And, for bugs that actually can’t be fixed, this kind of process can be an elegant solution—the vulnerabilities still technically exist, but the shielding technology makes it difficult or impossible for hackers to actually exploit or even find those vulnerabilities. Now, instead of scrambling to devote time and resources to fixing every security flaw that comes across the help desk, you can prioritize the most impactful ones and work through them at a pace that aligns with your other operational goals.
According to WhiteHat Security, web applications are the largest attack surfaces that most companies have to secure—and the biggest source of costly data breaches. Considering that most web applications have at least a dozen vulnerabilities, application shielding is an important part not just of bridging the remediation gap, but of practicing strong cyber security more broadly.
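The mechanism described above, an interception proxy applying rules to incoming requests so that a known but still-unfixed flaw cannot be reached, is usually called a "virtual patch". The following is an added illustration, not code from the original post or from any shielding product. Every endpoint path, rule id and request in it is constructed for the example; the rule engine evaluates a request against a list of virtual patches and returns a decision, with a "log" mode that records matches without blocking so that a new rule's false-positive rate can be measured before it is allowed to block.

```python
"""Minimal virtual-patch evaluator, the kind of rule layer an interception
proxy applies in front of an application whose code has not yet been fixed.
Illustrative only: endpoints, rule ids and requests are all constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """One inbound HTTP request as the proxy sees it (constructed, not captured)."""
    method: str
    target: str                      # request-target, e.g. "/search?q=shoes"
    body: str = ""                   # form-encoded body for POSTs

    def params(self) -> dict[str, list[str]]:
        """Merge query-string and form-body parameters the application would read."""
        merged = parse_qs(urlsplit(self.target).query, keep_blank_values=True)
        for key, values in parse_qs(self.body, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
        return merged


@dataclass
class Rule:
    """A virtual patch: shields one endpoint without changing application code."""
    rule_id: str
    path: re.Pattern                  # endpoints the rule covers
    methods: frozenset[str]           # methods it applies to
    param: str | None = None          # parameter to inspect; None shields the whole endpoint
    deny: re.Pattern | None = None    # payload shape that must not reach the application
    mode: str = "block"               # "block", or "log" while tuning against false positives


@dataclass
class Decision:
    action: str                       # "allow" or "block"
    rule_id: str | None = None        # blocking rule that fired, if any
    logged: list[str] = field(default_factory=list)  # log-mode rules that matched


def rule_matches(rule: Rule, req: Request) -> bool:
    """True when the request hits the rule's endpoint and (if set) its denied payload shape."""
    if req.method.upper() not in rule.methods:
        return False
    if not rule.path.match(urlsplit(req.target).path):
        return False
    if rule.param is None:
        return True                   # the whole endpoint is taken off the perimeter
    values = req.params().get(rule.param, [])
    return any(rule.deny is not None and rule.deny.search(v) for v in values)


def evaluate(req: Request, rules: list[Rule]) -> Decision:
    """First blocking rule wins; log-mode matches are recorded but never block."""
    decision = Decision(action="allow")
    for rule in rules:
        if not rule_matches(rule, req):
            continue
        if rule.mode == "log":
            decision.logged.append(rule.rule_id)
        else:
            return Decision(action="block", rule_id=rule.rule_id, logged=decision.logged)
    return decision


# Constructed rule set for hypothetical endpoints.
RULES = [
    # VP-001: a legacy report endpoint whose "report" parameter has an unpatched
    # SQL injection; refuse values carrying quote, comment or statement separators.
    Rule("VP-001", re.compile(r"^/legacy/export$"), frozenset({"GET", "POST"}),
         param="report", deny=re.compile(r"['\";]|--|/\*")),
    # VP-002: a retired upload handler that cannot be fixed; take it off the
    # perimeter entirely until it is removed from the code base.
    Rule("VP-002", re.compile(r"^/retired/upload"), frozenset({"GET", "POST", "PUT"})),
    # VP-003: a candidate XSS rule run in log mode first, so benign search terms that
    # happen to match are counted before the rule is promoted to "block".
    Rule("VP-003", re.compile(r"^/search$"), frozenset({"GET"}),
         param="q", deny=re.compile(r"<\s*script", re.I), mode="log"),
]


if __name__ == "__main__":
    for req in (Request("GET", "/search?q=shoes"),
                Request("GET", "/legacy/export?report=q4"),
                Request("GET", "/legacy/export?report=q4'--"),
                Request("POST", "/retired/upload", body="file=x"),
                Request("GET", "/search?q=%3Cscript%3E")):
        print(req.method, req.target, "->", evaluate(req, RULES))
```

The log mode is the part worth copying: a shielding rule that blocks benign traffic is a self-inflicted outage, so each new rule should run in log mode against real traffic until its false-positive count is known, and only then be switched to block.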
How to Implement Application Shielding to Reduce Your Attack Surface
Now, let’s not get ahead of ourselves. Application shielding on its own isn’t necessarily a panacea. For optimal results, it’s best to pair the shielding technology with a managed service that helps you customize the shielding solution to your precise needs and monitor your perimeter as needed. Like we said above, WAFs tend to be complicated from a configuration and maintenance perspective: shielding technology, by contrast, can function as a turnkey cyber security solution when it’s paired with managed cyber security services.
With AI-powered workflows built on machine learning algorithms, this combination of managed services and shielding technology can radically reduce the high number of false positives often associated with WAFs, without any reduction in coverage. Not only can this help out businesses that are struggling to close common vulnerabilities like cross-site scripting and SQL injection, it can also help you to gain a deeper understanding of the unique threat model of your particular site or app—meaning that you can more effectively defend against hackers and other attackers. Where a software license for this kind of technology might provide some of these benefits right off the bat, the ability to leverage cyber security experts as part of the package puts you in a position to devote your own IT resources to more impactful and value-additive projects.
Thus, rather than earmarking valuable resources for managing a firewall or scrambling to fix unfixable bugs, you can leverage your people as you see fit. Gone are the risks that come with the remediation gap—along with the risk of having to delay a software release because vulnerabilities still need to be patched, or the risk of your legacy applications becoming huge security liabilities.
Learn More About Intertec’s Managed Cyber Security Services
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!