Protecting modern open-source web applications

Periodic Reporting for period 1 - PROWEB (Protecting modern open-source web applications)

Reporting period: 2022-06-01 to 2023-05-31

The modern way of creating websites relies on open-source code and plugins that are used as “pre-existing building blocks”. This has made building websites much faster and cheaper, which is why the approach is now used for everything from small personal blogs to large media outlets and the web pages of Fortune 500 companies. However, using open-source code introduces a major risk: the security of the website can be compromised. With parts of the code originating from a wide variety of sources, it is very complicated to check all of this content and make sure the sites cannot be penetrated by hackers. To solve this problem, we have created a novel solution that combines independent security researchers with our automated virtual patching technology. This way we know about security vulnerabilities first and can provide the most effective protection against open-source code vulnerabilities, making the web safer for everybody.

During the first project period, we built an internal code repository of all publicly available WordPress core, plugin and theme versions (including all historic versions), and we created a connector to Patchstack App that is capable of retrieving information about installed software and sending it to Patchstack App for vulnerability analysis. As we worked on the internal code repository, we also began activities to automate the extraction of data from the respective repositories (WordPress, WooCommerce and Drupal). We worked on automating the vulnerability discovery process and prepared the new vulnerability scoring system, which is essential for the virtual patching automation and development. For the virtual patches, we made significant progress with the new virtual patching engine, which has made it significantly easier to generate virtual patching rules. We also made significant progress with our crowdsourcing platform and have already integrated portions of it with our existing platform and with our vulnerability database.

The Patchstack vulnerability database has become richer in data, and as a result many web hosting providers already see Patchstack as the leader in our space. We have been invited to give security talks at large conferences such as CloudFest and WordCamp Europe.