Patchstack, formerly known as WebArx, allows digital agencies and web developers to monitor and protect websites from third-party code vulnerabilities. By operating its own Red Team, Patchstack tracks down vulnerabilities in popular plugins and patches them in real time to protect its users from over 1 million monthly attacks, as Co-founder & CEO Oliver Sild explains.
Please describe the story behind Patchstack. What sparked the idea, and how has it evolved so far?
Before founding Patchstack, I was running a digital agency where I got acquainted with the problem that we are solving today. We were building websites using open-source content management systems like WordPress, Joomla, PrestaShop, and Magento, and were having a hard time keeping up to date with all the different plugins, themes, and widgets we were using on those websites.
So, we built an internal tool that would track down which of our customers have which versions of which software installed. Once we found a vulnerability somewhere, we’d make sure that none of the customers were affected by it.
Like many other amazing products, it all started with a spreadsheet. Fast forward from there, we realized that we’re not the only digital agency or web developer facing this issue. Eventually, we decided to focus on that internal tool and build it into a product. That’s how Patchstack was born and it’s been a pretty interesting journey ever since.
In the beginning, we provided our service directly to website owners. In most cases, they had some developer who built the website for them, and they didn’t have the technical know-how required to update their plugins. That was one of our earliest challenges and we set out to make everything as easy as possible for website owners.
Since then, we’ve shifted into a B2B model. We now provide technology services to developers and digital agencies, but we still keep that usability-first approach.
We recently rebranded as Patchstack. Currently, it is used by over 40,000 developers all around the world and prevents up to 1 million attacks per month.
So how does Patchstack work?
Once you’ve signed up and added your websites, Patchstack will do all the configurations for you. Then, on your dashboard, you’ll be able to see how many code components or plugins were installed on your website, which ones are outdated or vulnerable, and whether you have any other security issues on your websites.
If vulnerabilities are found, Patchstack will automatically apply virtual patches to your website. You can imagine it as firewall rules made specifically for plugin vulnerabilities. It blocks the attack by patching the security issues in those plugins and filtering out any traffic that tries to exploit the website. This can help website owners avoid malware infections, SEO damage, traffic diversion, and other damages that happen when you get hacked.
From there on, reports are generated automatically to your email or Slack. Developers can share the reports with their clients via PDF to show them how they are keeping their website secure with Patchstack.
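As an added illustration (not Patchstack's own code) of the inventory check described above, the script below matches a multi-site plugin inventory against a list of advisories and flags every site still running a version older than the fix. The plugin slugs, version numbers and advisory entries are constructed placeholders, and the advisory format ("affected below the first fixed release") is an assumption made for the example.

```python
# Added example, not Patchstack's code: match a multi-site plugin inventory
# against a vulnerability feed, as the spreadsheet-era tool described above did.
# All plugin slugs, versions and advisory entries are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    plugin: str    # plugin slug as it appears in the inventory
    fixed_in: str  # first safe release; every earlier version is affected
    title: str

def parse_version(v: str) -> tuple:
    """'2.10.1' -> (2, 10, 1): numeric parts, so '1.9.12' sorts below '1.10.0'."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))

def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))  # pad so '2.10' and '2.10.0' compare equal
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def find_exposed_sites(inventory: dict, advisories: list) -> dict:
    """Return {site: [(plugin, installed, title), ...]} for sites running an
    affected version; sites with nothing to report are left out entirely."""
    exposed = {}
    for site, plugins in inventory.items():
        hits = [(adv.plugin, plugins[adv.plugin], adv.title)
                for adv in advisories
                if adv.plugin in plugins and is_affected(plugins[adv.plugin], adv.fixed_in)]
        if hits:
            exposed[site] = hits
    return exposed

# Constructed sample data: three client sites and two hypothetical advisories.
INVENTORY = {
    "client-a.example": {"gallery-widget": "2.9.4", "form-builder": "1.10.0"},
    "client-b.example": {"gallery-widget": "2.10.0"},
    "client-c.example": {"form-builder": "1.9.12", "seo-helper": "4.0.1"},
}
ADVISORIES = [
    Advisory("gallery-widget", "2.10.0", "hypothetical stored XSS, fixed in 2.10.0"),
    Advisory("form-builder", "1.10.0", "hypothetical missing capability check, fixed in 1.10.0"),
]

if __name__ == "__main__":
    for site, hits in find_exposed_sites(INVENTORY, ADVISORIES).items():
        for plugin, version, title in hits:
            print(f"{site}: {plugin} {version} -> {title}")
```

The numeric version parsing is the part worth copying: a plain string comparison would rank "1.9.12" above "1.10.0" and silently miss the affected site.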
How do you source information about vulnerabilities?
The Patchstack Platform is interlinked with the Patchstack Database, a free public resource where you can find out about new vulnerabilities in WordPress core, themes, and plugins.
Whenever a vulnerability is reported, our software automatically patches it so that even if someone tries to exploit the affected websites, they will not succeed.
Behind the scenes, we have the Patchstack Red Team, which is the community of cybersecurity experts who find and report those vulnerabilities to the database. You can compare it to HackerOne or Bugcrowd, where hackers are finding vulnerabilities within software and if they find anything, the owner of the software pays them for fixing it. In our case, it’s Patchstack who is paying the researchers directly. It’s an ecosystem all interlinked together.
What are some of the dangers out there that WordPress users should beware of?
When we talk about cybersecurity products, a lot of people don’t want to get involved because it feels like something that they are obligated to solve. In many cases, people just ignore it until they get attacked.
According to an official WordPress report from 2018, 98% of the vulnerabilities in the WordPress ecosystem come from third-party plugins and themes. We focus on WordPress because it runs 40% of the web, but I think the problem is the same with any open-source platform whose functionality can be expanded with third-party plugins and themes.
The issue is that you might use a plugin on your website that is very popular and installed on millions of websites, but if a hacker finds just a single vulnerability within that plugin, then all those 1 million websites become exposed.
The plugins are not always built with very high-quality coding standards, so the vulnerabilities can be fairly easy to find. For hackers, it’s an easy way to get access to millions of websites, just by exploiting a single vulnerability. I think that’s the biggest threat to websites right now.
Which trends or technologies do you find particularly exciting these days around web security?
I’m mostly interested in what is happening in the open-source space, because of how popular it is. Generally, I think the security ecosystem could benefit a lot from community-driven approaches. The open-source ecosystem is a great example of an industry that is largely powered by its community. I think there should be a strong community of cybersecurity experts as there is for open source developers.
The other thing I’m excited about is the social engineering perspective of cybersecurity. What I often see is that it’s much easier to hack the people who are using the technology than the technology itself. So, I’m interested in technologies that are all around cybersecurity training and social engineering in general.
I think email has been in desperate need of fixing for at least 10 years now. Email is still the biggest attack vector when it comes to business information being compromised. So everything around that vertical is interesting to me.
I think automation and AI are a bit overhyped. Even though they prove to be working in some spaces, they still have a long way to go.
I’m more interested in the human side of things because eventually, cyber threats are affecting humans. I try to understand how the human factor can be empowered to tackle those things. Since we can’t enable a firewall on psychology, we need to figure out something else. Making it easy and approachable to the average user in their language is the first step.
Following that, I see gamification working really well. Some phishing services allow managers to credit employees for detecting malicious emails and things like that, helping to keep them interested and alert.
To conclude, I think the psychological factor, above all, is going to be a very interesting way to approach cybersecurity as well as all the other technologies we use.
Anything else you’d like to say to our readers?
I invite you to look into the Patchstack database to keep up with all the new WordPress vulnerabilities. This is a free public database that anyone can access without even signing in.
Security researchers who are interested in protecting websites and making a difference are invited to join the Patchstack Red Team. We are looking for bright-minded security pros who are interested in making the open-source ecosystem a little more secure.