Virtual Patching

External patching, also known as "just-in-time patching" or "virtual patching", is a limited protection method whose importance comes from the way organizations manage the software lifecycle. The later a vulnerability is found in the development and deployment process, the more expensive it is to fix, because the fix disrupts development and delays deployment. If the vulnerability is found after the application has been deployed, the problem is worse still: taking the application offline may be impossible, so the organization is forced to keep it running and accept the risk in the meantime.

A WAF can be used to protect against a specific vulnerability without modifying the application. To do this, a rule is created and deployed in the WAF that applies additional validation to the specific field that is vulnerable, so that malicious input is rejected before it reaches the application.

For example, if the username field of an application is vulnerable to a SQL injection attack [i], and usernames in that application are alphanumeric (plus underscore, since that is what \w matches in ModSecurity's PCRE regular expressions), the following rule, written in the ModSecurity rule language, provides an external patch:

<LocationMatch "^/login.php$">
    # Deny the request if the "username" argument contains anything but word characters.
    # A rule id is mandatory since ModSecurity 2.7; 1001 is an arbitrary local id chosen here.
    SecRule ARGS:username "!^\w+$" "id:1001,phase:2,t:none,deny,log"
</LocationMatch>
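The same allowlist, implemented as an added example in Python rather than taken from the original page, so the effect of the rule can be observed end to end. The script simulates a WAF sitting in front of a deliberately vulnerable login handler backed by an in-memory SQLite user table; the table contents, the /login.php form and the attack payloads are all constructed for the illustration. Beyond reproducing the rule, it shows two things the rule text alone does not: what happens to the same injection payload with and without the patch, and that the patch protects only the field it names, so the same payload sent in the password field still succeeds.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample data standing in for the application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice_01", "s3cret"), ("bob", "hunter2")])
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """The unpatched application code: the query is built by string
    formatting, so the attacker controls its structure. Kept vulnerable
    on purpose; this is what the virtual patch shields."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# Equivalent of:  SecRule ARGS:username "!^\w+$" "deny,log"
# PCRE \w is ASCII letters, digits and underscore, hence re.ASCII;
# fullmatch() is used because '$' (in PCRE and Python alike) also matches
# just before a trailing newline, which '^\w+$' would therefore let through.
USERNAME_RE = re.compile(r"\w+", re.ASCII)


def virtual_patch(path, form):
    """Return None to pass the request on, or the reason for denying it.
    Like <LocationMatch "^/login.php$"> only that path is inspected, and
    like ARGS every value of the parameter is checked, after URL decoding."""
    if path != "/login.php":
        return None
    for value in parse_qs(form, keep_blank_values=True).get("username", []):
        if not USERNAME_RE.fullmatch(value):
            return "deny: username %r does not match ^\\w+$" % value
    return None


def handle_request(db, path, form, patched=True):
    """Simulated WAF in front of the application; returns (status, body)."""
    if patched:
        reason = virtual_patch(path, form)
        if reason:
            return 403, reason  # the "deny,log" half of the rule
    params = parse_qs(form, keep_blank_values=True)
    user = vulnerable_login(db, params.get("username", [""])[0],
                            params.get("password", [""])[0])
    return (200, "welcome %s" % user) if user else (401, "bad credentials")


if __name__ == "__main__":
    db = make_db()
    # Constructed requests: a normal login, a classic injection in the
    # username field, and the same injection moved to the password field.
    good = "username=alice_01&password=s3cret"
    evil_user = "username=%27+OR+1%3D1+--&password=x"
    evil_pass = "username=bob&password=%27+OR+1%3D1+--"
    print(handle_request(db, "/login.php", good))                      # 200: alice_01 logs in
    print(handle_request(db, "/login.php", evil_user, patched=False))  # 200: unpatched app is bypassed
    print(handle_request(db, "/login.php", evil_user))                 # 403: the virtual patch fires
    print(handle_request(db, "/login.php", evil_pass))                 # 200: patch does not cover password
```

Run the file directly to see the four responses. Two details carry over to the real rule: the pattern is applied to the parameter after URL decoding, which is also how ModSecurity's ARGS collection behaves, so percent-encoded payloads do not slip past it; and the patch is only as wide as its match, so a second vulnerable parameter, or another URL path at which the application serves the same script, needs its own rule.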

[i] Steve Friedl, "SQL Injection Attacks by Example", January 13, 2005, http://www.unixwiz.net/techtips/sql-injection.html