Patching software is a critical line of defense against web application security threats.
Web applications and sites are where many important transactions happen in the digital age. End users purchase goods and services, access medical records, check their finances, and more. All of these tasks involve the transfer of sensitive (and potentially regulated) data, such as credit card numbers, health information, and banking records. That makes web applications and sites appealing targets for cybercriminals.
Like all software, web servers have vulnerabilities that cybercriminals are constantly looking to exploit. By not patching servers when fixes for these vulnerabilities are available, organizations are leaving themselves — plus their customers, partners, and other end users — open to the very real possibility of a data breach. In fact, attacks on web applications and sites are the number one cause of data breaches, according to Verizon.
Some third-party support providers such as Rimini Street promote an approach known as “virtual patching”, which doesn’t actually fix vulnerabilities by changing the software code. In fact, Rimini’s “virtual patching” doesn’t and can’t patch all of the source code, nor does it provide sufficient security at the source-code level. Instead, “virtual patching” generally relies on a web application firewall (WAF) to inspect incoming traffic before it reaches the application. A robust, cloud-based WAF can be an important component of any modern web application security strategy, but it is not a replacement for security patching. Failing to patch and update software at the source code level can cause performance and compatibility problems.
Oracle expressed its concerns about virtual patching in a June 2017 statement following Rimini Street’s announcement that it would resell a virtual patching product. With “virtual patching”, the vulnerabilities in the software remain, meaning that cybercriminals may find other ways to exploit them. Organizations should work directly with software vendors that offer true security patching, proactive maintenance, and comprehensive support. Third-party providers simply can’t offer the depth and breadth of protection from software security vulnerabilities that today’s digital businesses demand. Oracle has provided comprehensive security and enterprise software support services to the world’s largest organizations for more than four decades.