
Why Is It So Difficult to Patch Web Applications?


A security expert discusses how another Struts flaw and two major breach announcements are reminders of why we need to patch faster.


Just as I sat down to write this blog, one year after the Apache Foundation announced the now infamous "Struts 2" flaw CVE-2017-5638, Apache announced a new Struts 2 flaw. Before the electrons had settled from that announcement, Under Armour revealed a cyber breach in which hackers made off with the personal data of 150 million users of the MyFitnessPal fitness app.

Then, a few days later, on Easter Sunday, the parent company of Saks Fifth Avenue and Lord & Taylor was outed by a security researcher who claimed that more than five million (5M) debit and credit cards from the luxury retailers were for sale on the Dark Web. The attack was believed to have started in May 2017 and may still be underway.

No details about how the attacks against Under Armour or Saks/Lord & Taylor were carried out have surfaced yet, but it's a safe bet that a known, unpatched software flaw in a web app is involved somewhere.

In the first three months of 2018, the US National Vulnerability Database maintained by NIST added nearly 3,500 new CVEs, or about 40 newly known software flaws per day. The total as of 2 April is 104,331 CVEs, more than 14,000 of which are rated critical or high severity.

Verizon first identified "flaws known for at least one year" as the most common cause of successful cyberattacks in 2015 and that hasn't changed. It's no wonder that 83.5% of organizations surveyed by the CyberEdge Group in 17 countries and 19 industries said they have difficulty patching their web applications.

When asked, "What is preventing...patching systems more rapidly?", the number one answer was "infrequent windows to take production systems offline." A surprising 20% noted that "patching is a lower priority."

All of the responses are linked to the same root cause: today, stretched-thin staff are required to find, fix, and physically patch flawed code.

Traditional and emerging AppSec heuristic approaches that use instrumentation and web filters can tell you where code flaws exist and detect attacks against them. What these solutions cannot do is address the core security threat by fixing the vulnerability.



Published at DZone with permission of
