
Protecting modern open-source web applications

Periodic Reporting for period 2 - PROWEB (Protecting modern open-source web applications)

Reporting period: 2023-06-01 to 2024-11-30

The modern way of creating websites relies on open-source code and plugins that are used as "pre-existing building blocks". This has made building websites much faster and cheaper, which is why the approach is now used for everything from small personal blogs to large media outlets and the web pages of Fortune 500 companies. However, using open-source code introduces a major risk: the security of the website can be compromised. With parts of the code originating from a wide variety of sources, it is very complicated to check all of it and make sure the sites cannot be penetrated by hackers. To solve this problem, we have created a novel solution that combines the work of independent security researchers with our automated virtual patching technology. This way we learn about security vulnerabilities first and can provide the most effective protection against open-source code vulnerabilities, making the web safer for everybody.
During the project period, we built an internal code repository of all publicly available WordPress, WooCommerce, Drupal and Joomla core, plugin and theme versions (including all historic versions). We also created connectors that link the applications to the Patchstack App, which retrieves information about the installed software and sends it to Patchstack for software composition and vulnerability analysis.

We have created a semi-automated process to identify and process new security vulnerabilities in software components, combining code repository analysis with our crowdsourced vulnerability intelligence platform. Our vulnerability intelligence automation has made Patchstack one of the largest software security vulnerability processors in the world, with the highest number of CVEs assigned in both 2023 and 2024 (source: https://cve.icu/CVE2023.html). For example, 4566 new unique security vulnerabilities were reported and fixed through our system in 2024 alone.

Another significant achievement has been the completion of our new virtual patching engine, which allows us to generate vulnerability-specific protection rules significantly faster thanks to pre-made templates and a simplified syntax. The new system automatically deploys vulnerability-specific protection (auto-mitigation) rules to applications and precisely targets the security vulnerabilities actually present. This has significantly sped up the mitigation effort to eliminate security vulnerabilities and block hacking attempts. The new engine loads and unloads virtual patches dynamically based on which vulnerabilities are present, which makes it less demanding on server performance, and because only the protection rules that are really needed get loaded, the false positive rate is near zero. As of writing this post, we have created a collection of 9566 unique virtual patches, the largest collection of vulnerability-specific protection rules in the world.
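The selection step described above (connector inventory in, only the virtual patches for installed and still-vulnerable components loaded) as an added example; this is illustrative code written for this page, not Patchstack's engine, and the component slugs, rule ids and version numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; a pre-release suffix is ignored (simplifying assumption).
    parts = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass(frozen=True)
class VirtualPatch:
    rule_id: str                      # constructed id, not a real Patchstack rule
    component: str                    # component slug as reported by the site connector
    fixed_in: str                     # first upstream version that no longer needs this rule
    blocks: Callable[[dict], bool]    # request predicate: True means "block this request"

def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)

def select_patches(inventory: dict, catalog: list) -> list:
    """Load only rules whose component is installed at a still-vulnerable version."""
    return [p for p in catalog
            if p.component in inventory and is_vulnerable(inventory[p.component], p.fixed_in)]

def evaluate(request: dict, active: list) -> Optional[str]:
    """Return the id of the first active rule that blocks the request, else None (allow)."""
    return next((p.rule_id for p in active if p.blocks(request)), None)

# Constructed catalog with hypothetical plugin/theme slugs; the predicates are generic
# defensive patterns (privileged action without the right role, traversal sequence in a
# parameter), not descriptions of any real vulnerability.
CATALOG = [
    VirtualPatch("VP-0001", "plugin/example-forms", "2.4.1",
                 lambda r: r["path"].endswith("/admin-ajax.php")
                 and r["params"].get("action") == "ef_export"
                 and r["role"] != "administrator"),
    VirtualPatch("VP-0002", "plugin/example-gallery", "1.9.0",
                 lambda r: any(".." in v for v in r["params"].values())),
    VirtualPatch("VP-0003", "theme/example-theme", "3.0.0",
                 lambda r: "file" in r["params"]),
]

# Constructed inventory as a connector would report it for one site.
SITE = {"core/wordpress": "6.6.2",
        "plugin/example-forms": "2.3.0",     # below fixed_in -> VP-0001 loads
        "plugin/example-gallery": "2.1.0"}   # already fixed -> VP-0002 stays unloaded

if __name__ == "__main__":
    active = select_patches(SITE, CATALOG)
    print([p.rule_id for p in active])      # ['VP-0001']
    req = {"path": "/wp-admin/admin-ajax.php", "params": {"action": "ef_export"}, "role": "subscriber"}
    print(evaluate(req, active))            # 'VP-0001'
```

Updating example-forms to 2.4.1 in the inventory makes `select_patches` return an empty list, which is the "unload" half of the behaviour: a rule for a fixed component can no longer produce a false positive because it is never consulted.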

Everything above has been seamlessly connected into our SaaS platform, which we have been testing with beta testers and turned into a developer tool that is both easy to use and flexible enough to be accessible to anyone building or managing websites with content management systems such as WordPress, WooCommerce, Drupal and Joomla.

The large volume of data generated by vulnerability intelligence automation and by our collection of virtual patches has also created a unique opportunity to turn our SAST vulnerability scanner into an "AI security researcher". We have made significant progress on this, and it has already identified its first real-world vulnerabilities in a fully automated manner.
Patchstack has become an official CVE Numbering Authority (CNA), assigning industry-standard CVE (Common Vulnerabilities and Exposures) identifiers to software security vulnerabilities. In 2023 and 2024, Patchstack was the largest CVE assigner by volume, which by itself shows the success of the entire project. Patchstack is considered the market leader in WordPress security intelligence, and many of the largest hosting companies in the world, such as GoDaddy, WP Engine, DigitalOcean and others, have reached out to us to explore potential partnerships.

We have been invited as a partner and speaker to the largest WordPress conferences, such as WordCamp EU and WordCamp US, and to other open-source ecosystem conferences such as OSdays, FOSDEM, CloudFest and many others.

In July 2024, Google took an interest in Patchstack and invited us to its exclusive Cybersecurity & AI startup program. This gave us access to a whole network of Google engineers and their cloud resources, and was a significant accelerator for our AI SAST project development.

At the end of 2024, we also opened our vulnerability intelligence automation platform to open-source vendors to help them become compliant with the new EU Cyber Resilience Act. This has been very successful: over 600 open-source developers have already set up their vulnerability disclosure programs with Patchstack.