Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.
But what happens if you're not able to fix the vulnerabilities quickly? If you don't have the source code? Or if the vulnerable application is "Enterprise Software", and you aren't ever going to be able to fix it? Wouldn't it be great if someone else could secure your website for you?
In this talk we describe the approach we use to shield customers' websites when all other avenues have failed, or when urgency requires a fix as soon as possible. This process of virtual patching works well in the real world, and lets people be confident that every known vulnerability is blocked before a request reaches the application, and that their applications are as secure as they can be made without changing the application's own code.
This talk demonstrates the process of virtual patching using a suite of open source tooling that you can take back to your company and use straight away, tools like ModSecurity and Node.js. Our approach differs from the typical WAF vendor approach: rather than relying on generic attack signatures applied to every request, we patch only the exact, known vulnerabilities discovered in a penetration test, so each rule matches only the vulnerable endpoint and parameter. That is how we avoid false positives and the risk of blocking legitimate users.
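To make the "exact, known vulnerability" idea concrete, here is an added example (not RedShield's tooling and not code from the talk) of a minimal Node.js shield. Each virtual patch is scoped to one method, path and parameter from a hypothetical penetration-test finding, and is compared against a generic WAF-style rule that inspects every parameter on every path. The paths, finding identifiers, session handling and sample requests are all constructed for illustration.

```javascript
// Added example: a tiny virtual-patching "shield" in plain Node.js (no
// third-party modules). Paths, patch ids and requests are hypothetical.

// Turn a method, URL and optional body/session into the object a patch
// inspects. A real shield would do this inside a reverse proxy; here the
// session user id is simply passed in by the caller.
function parseRequest(method, rawUrl, body = {}, sessionUserId = null) {
  const u = new URL(rawUrl, "http://shielded.example");
  const params = { ...Object.fromEntries(u.searchParams), ...body };
  return { method: method.toUpperCase(), path: u.pathname, params, sessionUserId };
}

// One entry per pentest finding. The predicate only has to tell an
// exploit attempt apart from legitimate input *for that one parameter*,
// which is far easier than writing a signature that is safe site-wide.
const virtualPatches = [
  {
    id: "VP-001", // hypothetical finding id
    finding: "SQL injection via GET /search?q= (assumed pentest finding)",
    method: "GET",
    path: "/search",
    param: "q",
    // Quotes, comment sequences and statement terminators are never valid
    // in this search box, so they can be rejected outright here.
    isAttack: (value) => /['"]|--|\/\*|;/.test(value),
  },
  {
    id: "VP-002", // hypothetical finding id
    finding: "IDOR: POST /account/export exports any numeric id (assumed)",
    method: "POST",
    path: "/account/export",
    param: "id",
    // Legitimate requests only ever export the caller's own account, so
    // the shield enforces that the id matches the session-bound user.
    isAttack: (value, req) => value !== req.sessionUserId,
  },
];

// Apply the patches: a request is blocked only if it hits the exact
// endpoint and parameter a patch covers and the predicate fires.
function shield(req, patches = virtualPatches) {
  for (const p of patches) {
    if (req.method !== p.method || req.path !== p.path) continue;
    if (!(p.param in req.params)) continue;
    if (p.isAttack(req.params[p.param], req)) {
      return { action: "block", patch: p.id };
    }
  }
  return { action: "allow", patch: null };
}

// The generic alternative this approach avoids: treat a quote in any
// parameter on any path as SQL injection. It catches the /search attack
// but also rejects an ordinary surname on an unrelated form.
function genericWaf(req) {
  for (const [name, value] of Object.entries(req.params)) {
    if (/['"]/.test(value)) {
      return { action: "block", rule: "generic-sqli", param: name };
    }
  }
  return { action: "allow", rule: null, param: null };
}

// Constructed sample traffic: one exploit per finding, one legitimate
// request that a generic rule would wrongly block, one normal request.
const samples = [
  ["sqli attempt", parseRequest("GET", "/search?q=' OR 1=1--")],
  ["normal search", parseRequest("GET", "/search?q=modsecurity")],
  ["legit apostrophe", parseRequest("POST", "/profile", { name: "O'Brien" })],
  ["idor attempt", parseRequest("POST", "/account/export", { id: "1042" }, "77")],
  ["own export", parseRequest("POST", "/account/export", { id: "77" }, "77")],
];

for (const [label, req] of samples) {
  console.log(label.padEnd(17), "shield:", shield(req).action.padEnd(5),
              "generic WAF:", genericWaf(req).action);
}
```

The same scoping is what a ModSecurity deployment of this idea does: the rule for the `/search` finding is chained to the request URI and then inspects only that one argument, rather than running a site-wide signature over `ARGS`, so the apostrophe in a surname submitted elsewhere never reaches the rule at all.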
Kirk is a Security Researcher at RedShield, where he analyses security vulnerabilities in customer applications and comes up with a plan to protect them. He organises the Wellington OWASP Chapter, and helps organise NZ's biggest security defence conference, OWASP NZ Day. Kirk has spoken at other NZ and Australian conferences, usually on the themes of developer security and defence.