Episode 220: Talking About Patchstack
In this podcast, Rob Cairns sits down with Oliver Sild and talks about Patchstack.
- Why Patchstack was founded.
- What makes Patchstack different from other security firms.
- What Patchstack does for the WordPress Community.
Hey everybody, Rob Cairns here. Today I’m here with Oliver Sild, the founder of Patchstack.
How are you today, Oliver?
Doing great, how are you?
Not too bad and thanks for joining me all the way from Estonia.
How’s the weather there at this time of year?
Actually, it’s getting warmer now. It’s nice because, you know, the sun is getting on your face, you can kind of feel the warmth, and then you go outside and it’s still like minus 5 degrees. But it is getting warmer and warmer every day, actually.
Yeah, that’s a good thing.
So before we jump into the Patchstack story a little bit, what’s your WordPress origin story? How did you get into WordPress and that whole room?
Yeah, I think it kind of goes back to around 2013 or something like that. I was running an agency together with a friend; we mainly built sites on Joomla back then. And then, kind of naturally, you started to see more and more demand for WordPress. I mean, we used to use the Joomla stack, and then at one point customers came to us specifically asking for WordPress, so we kind of started shifting from Joomla to WordPress from there. And yeah, for a few years we basically focused on, you know, building websites on WordPress and WooCommerce, and actually already back then our agency’s kind of focus was providing secure web development. So we wanted to have already some level of security built into what we deliver, so there wouldn’t be an issue where, I don’t know, two years after the site has been developed it’s kind of abandoned by someone and doesn’t get any maintenance and stuff like that. So this was always kind of our promise as a company when we did web development, so this kind of always went on top of that.
Yeah, and I think you hit it on the head. You said secure web development. I think part of the problem in the WordPress space is there are a lot of good developers and designers, but they focus on development and design. They actually focus on the security side, and before we went to record I was telling you that a big part of my business is actually security care plans. So I’m kind of in that spot where I offer security care plans, because I think a lot of designers and developers don’t think of them.
True, very true.
So that’s a bit of a concern. So what is the story? How did the Patchstack idea come about, and when did you found it?
So it goes really back to the same era, or at the same time, when we did the agency or web development work. The thing was that back then we realized quite soon that one of the main problems was: how do I keep track of all the plugins and themes and whatever is being used on the website, the versions, you know, all that stuff? One thing is to keep track of that for one website, but the other thing is, how do I keep track of it for all the customers? So we kind of built an internal tool to do that. We had a very simple internal tool that was checking if a new version of a plugin came out for a specific... yeah, if a new update was out for a specific plugin. We had an internal backlog of, like, we built that website, this was updated then and then, that uses these versions, and so forth. And this was just basically an internal tool, and we thought that this was our competitive advantage in terms of providing web development work and providing, like, secure website development in general, because we do it in a more secure way and we actually take more care of those websites and so on.

And then around 2015 or so we realized, OK, yeah, but we’re not the only agency who’s dealing with that. We’re not the only web development company who probably thinks that managing security for all those customers is a rebellion das, and what they eventually do is that they just drop the customers. I mean, what they’ve done previously is that they get the new customer, complete the website development project, and then basically say, you know, good luck. So we knew that the problem was there. So in 2015 we applied with the idea to kind of productize the internal tool, and we came up with something called WebARX, and we went into a business development kind of program in the Czech Republic back then. So I actually took a bus from Estonia, from my town to Brno, which is in the Czech Republic, and I think it took me three days of bus ride to get there. And then we basically ran through three months of an intensive business development program, like a business accelerator or incubator or something like that. And we managed to get third place there, which we were quite impressed with. Then we got back to Estonia and we decided to basically drop the whole agency thing and completely focus on what was back then called WebARX, as the kind of panel for web developers who build websites, to manage the security of their websites from a single place.
That is a really interesting story, and congrats on where you’ve been. One of the things you mentioned was a lot of agencies get into updating websites and then they just kind of drop it. And I think the reason for that, as somebody who’s got over 100 clients in that space, is that from a selling standpoint it’s a hard sell sometimes. If you’re selling to a client, they like to see design, they like to see changes, but things that are under the hood, that are out of sight, out of mind, they don’t always see. And many web agencies don’t do a good job of communicating to their care plan clients on a regular basis, and from a marketing standpoint you kind of gotta remind them of what you’re doing for them. Out of sight, out of mind is not a good way to retain clients. It’s the same problem in the insurance world: people buy insurance, they never use it, and they say, why am I paying 100 bucks a month? And the minute they drop it, we all know what happens. Something goes wrong, they smash up the car, and then they’re out thousands of dollars. I mean, this is...
You’re touching a point that explains the situation of WordPress security. When we look at where pretty much most of the revenue has been made in the WordPress ecosystem that is related to security, it’s always been malware removal services, for years. The problem with that is, if all the money is there, who is then going to take the leap of faith and start working on actually solving the problem that they are fixing in the first place? I mean, you will keep removing malware as long as you don’t have the root problem solved, which is the vulnerabilities on your website and so forth. So now, if all the money is there, and if it’s such a hard sell for the users in terms of "you should prevent, not remediate", then you’re going to be stuck in a situation where basically all the tools on the market, everything, is driven by scanning your website for malware, "get rid of malware fast", that kind of angle, which actually isn’t solving the problem at all. It’s literally not solving the problem. It is just a remediation for when things already went bad. And this is maybe getting ahead of that, but this is literally what we realized at one point, and we decided to completely not even touch that side of the business and completely focus on the very core issues with Patchstack.
I would agree with you. And the other thing to throw into this mix, and I don’t really want to turn this conversation into a high-level security conversation, but it’s worth mentioning, is the whole backup component of the whole security stuff. A lot of people separate that out, and I’m not a believer in that. Those on Twitter and those on LinkedIn and those who listen to this podcast know I’m a big proponent of: you did a backup? Have you ever tested the restore? Do you actually know your restore works? And that comes from my days in an enterprise environment, where we used to do disaster recovery to make sure our restores actually work properly. I think that’s the other component. So what people don’t realize is security, the functions Patchstack provides, is one part of the solution, but it’s not all of the solution.
I can tell you from the business point of view, when we were called WebARX, obviously we’ve learned so much over the years. We made mistakes; we had already started to move, from the current perspective, in the kind of wrong way, and we started to turn WebARX back then into something that would cover everything, because that is something that the WordPress ecosystem is used to: all-in-one solutions. I want to buy one thing, one-click install, set it, forget it, and then basically I have everything. In terms of security there are so many problems with that already. "Set it, forget it" is already a really bad thing to say in security, because that means that you’re removing yourself from the process, which is the most important part, because security has to be thought of as a process, an ongoing effort of staying secure. It’s not something that I apply, or press a button, and now it happened. But yeah, with WebARX as well, at one point our platform included backups. We even started looking into different kinds of scans, like we scan for crypto miners on the websites. We went way too broad, and what happens then is that you can’t really do everything very well at the same time. You need to have focus, and you need to realize that if we want to solve one problem that we see as a very prominent problem in the ecosystem, and do it really well, we need to stick to it. And that actually came to a point where we completely rebranded the company, decided to drop a lot of features from the product, and then just thought, OK, all our resources are going to go into solving this problem. That has been the biggest and the greatest positive impact for the company that we’ve had so far.
Yeah, I’m sure it would. Now, we know this space is a little crowded. There are several big players in this space, including one that’s owned by Automattic directly. What separates Patchstack from your competitors in the security space, in your opinion?
I think it is very much connected to the approach that we are taking from the methodological standpoint, or how we actually approach security in general, in terms of how we are trying to perceive it. We’re trying to avoid selling fear, for example. And at the same time, what we are trying to do is: we know that this is a problem, we come up with a solution, and then we are solving it. We have realized, and I think anyone who is in the space eventually realizes, that this is not something that you can solve alone. So what Patchstack does is that we are actually connecting the plugin vendors, the developers of the plugins, and ethical hackers together with the technology that we are building, to be able to cover as much as possible, as fast as possible, and to be as effective as possible. And that can only happen if we really work on the community aspect, and this is something that we’re working on very hard. We have the Patchstack Alliance, which is basically a bug hunting kind of community or platform for WordPress plugins. I mean, you can come to me and report a vulnerability in a plugin, like some random plugin from WordPress that order episode reported, and we basically score you for that. I will give you a score for contributing to WordPress security. At that moment we reach out to that developer and make sure we help them to apply the right fixes, and at the same moment we add this information to the Patchstack database, which gives that information to the wider public. And at the same time our Patchstack app users, who use our SaaS application for the firewall and protection, get firewall rules for these new vulnerabilities and so forth. And this researcher, for example you, who reported this vulnerability to us, we make sure that we pay you. That takes away the problem in the ecosystem where so many open source plugins, WordPress plugins, might not have a business behind them, which means that they might not have the means to get security audits, for example. But for us to be able to cover that, we just do that by building that security community behind WordPress.
So there are a couple of things I really like here, and I’ve always liked looking at Patchstack: you’re community focused. A really good example we were talking about before we went to record: Patchstack put out your 2021 report, and then there was a rebuttal on Master WP about the report. And then recently one of your team, Robert, posted an article kind of clarifying that report and addressing the criticism. I thought the whole key was continuing to educate the community and saying, hey, let’s help you guys, and let’s turn this into a positive. I think that’s one of the things your company does really well.
I think, yeah, that’s the key point here in terms of anything related to community or building community or doing anything related to communities. I don’t know if you noticed, but we actually shared the criticism about our white paper through our own channels. We shared the article that criticized our own company, and we shared it saying, hey, look how good this criticism is, because there was a very good point. The idea of why we wanted to share that, and why Robert wrote the response to that, was that this opens up the discussion, and discussion is exactly what we need in the space right now. We need to have an open discussion about security. We need to understand that fixing security issues is a good thing. It’s not "Oh no, someone found a vulnerability in my plugin, let’s avoid it, let’s not put any attention on that, so maybe nobody is going to talk about it, so we’re not going to get bad publicity." No, we need to talk about that. And we need to talk about that so much that people get used to it, and that people understand that fixing security issues is a really good thing, and you should actually trust the plugins that fix more security issues over those that fix less.
Yeah, I agree with you. We were talking about that earlier, and I kind of remember coming out of the Freemius mess that we had a couple of weeks ago in this space, the biggest SDK issue we’ve ever had in this community. And you know, it’s funny: one of the companies that was at the top of the list was The Events Calendar, and I shouted out to those guys, because the staff on his team always do a great job in fixing stuff. They were patched and recompiled and ready to go right away. And we’re still, coming out of that mess, at the time of this recording, looking at about 50 plugin developers who are either ignoring it or not in business anymore, for whatever reason. I think ignoring security issues is frankly a big problem, and for me that’s a trust issue. Like, why would I trust somebody who doesn’t want to fix what they produce?
Indeed, and coming back to the Patchstack Alliance, connecting developers with ethical hackers: part of the thing is that what we also see is that sometimes ethical hackers who are reporting vulnerabilities about some plugins to us are not seen as trusted open source contributors by the vendors, but more like some annoying type of people on the web. But in reality they are contributing to the open source as much as the developers do, right? But at the same time we also see, apart from sometimes getting completely ignored, that some don’t even have the capabilities to fix those issues. I mean, when we work with vendors, we do security audits for plugins, really big ones; they come to us and we offer that as a service separately as well. But we also intermediate security reports made by ethical hackers through the Alliance platform, and then we stay in the middle, translating that security information to the vendor and telling them: you should fix this and this here so this vulnerability would be patched. And what we also see sometimes is that the owner of the plugin is actually not the developer of the plugin. The owner of the plugin had outsourced creation of that plugin some time ago, so right now, even though he’s replying to us, he doesn’t actually have any understanding of how to fix that either. So there are a lot of these different edge cases and different angles that we need to keep in mind when dealing with security and understanding why the situation is how it is right now, and all of that needs open discussion, yeah?
And honestly, WordPress is now over 40% of the market. The bigger the market share becomes, the bigger the target you are. And we know that since COVID, with all the lockdowns, everybody is at home, so that means the hackers are at home too, with nothing better to do. And then you toss in the mess with Ukraine and Russia that’s going on right now. Before we went to record we were talking about the increased attacks that were going on, and denial of service attacks. And that’s just the nature of it: today war is not just fought on a physical level, it’s also fought on an Internet level, and that’s a problem. So when you factor in all these factors, it just means we actually have to be more aware, and the key is to partner with somebody that helps you with your problem rather than to ignore it altogether.
Definitely, and everything that is getting a lot of attention is going to have a big impact. COVID, for example: like I mentioned before we hit record, when COVID hit and the lockdowns and everything happened with the first wave, we actually started keeping a database of all the different kinds of threats that used COVID as a back story, or used COVID in some way for phishing attacks, sending out emails under the WHO name, and all kinds of different stuff. Even in the WordPress space there was the COVID infection map plugin, which was new, but then, as I mentioned, a lot of websites are using an old version of a plugin that they actually just wanted to help people with. They tried to help people and share information, but someone was basically hijacking the attention for malicious gains, and this is happening with anything that is getting attention. So if we’re looking at the attacks that are going on in the light of the whole thing that is happening in Ukraine, a lot of those attacks are not even associated with the war itself. It’s just people who are gaining some sort of benefit from piggybacking on that attention. It’s sad. It’s really sad.
I have to ask a question, and it’s not really a technical question. What are Patchstack’s disclosure policies? So if you guys get a vulnerability, how do you go about processing and reporting that, without getting too technical? And what do you do when the plugin vendor actually says go away? ’Cause it does happen.
It’s a good question. It does, of course it does happen. Often the "go away" is also not responding at all at some point, so the "go away" can be said in different ways. We actually have the vulnerability disclosure policy on patchstack.com/database, where we have it publicly available, because we are one of the three officially announced CNAs in the WordPress space. That means there is a big organization in the world called MITRE, and all the security vulnerabilities that are found in the world get an international ID called a CVE, and we are one of the companies in the space who has been given the rights to assign CVEs for WordPress. It’s Patchstack, Wordfence and WPScan, who is now part of Automattic. So we need to have a very well-working disclosure policy, because we need to work on these kinds of legal barriers as well.

What that actually means is that when our ethical hackers submit a vulnerability, let’s say they submitted it to us today, we have an internal team who goes over the vulnerability. We make sure that the report has all the information about the vulnerability and so forth. The next step is that, if this vulnerability is something that may already affect the public, we actually release a virtual patch immediately to all our customers. And then the second step is letting the developer know that, hey, there was a security vulnerability report made to us. We try to communicate with them as much as possible. We have a policy where I believe we send out two follow-ups, and if we don’t get any reply even then, we basically go into the 30-day disclosure policy, which is that once we see that there is no action, there are 30 days after which we can disclose the vulnerability to the Patchstack database, into the public, so the users could actually take action to patch their own websites, or remove the plugin, or have any way of remediating the situation. When the developer responds to us, then we always negotiate the disclosure timeline. If they’re really into it, like, OK, we want to communicate this to our customers and tell them they need to update, if they take it seriously, if they listen to us, and if they actually fix it, then that’s all well. It’s not like, oh, we are going to just disclose it right away when we can. It’s not our goal to just disclose vulnerabilities. Our goal is to make sure that there is as low an impact on the security of the websites as possible, in terms of getting breached and so forth. So that means they need to be aware of that, but we also want to make sure that we don’t give that information to the wrong hands who might just exploit it instead.
Yeah, and it’s worth asking, how do you handle zero days? And for those who don’t know, a zero day is basically a vulnerability that ends up in the wild that somebody turns around and discloses. It doesn’t go through the 30-day disclosure. So how do you guys handle those?
So one of the things that we do at Patchstack: we have, I guess at this point, probably at least one of the biggest vulnerability databases of WordPress security vulnerabilities. Partly because I think we have a competitive advantage here, just because we have that big community that is reporting vulnerabilities to us on a daily basis, so we get a lot of those new vulnerabilities. But at the same time, what we see is that in such cases where a vulnerability is being exploited before anyone is aware of that vulnerability even existing, except the hacker itself, for those situations we basically work together with our partners. Our partners are hosting companies like, you know, Best C Panel, Beijing and so forth. So we get some level of insight that that kind of attack is happening somewhere, so we can dig deeper into, OK, what that vulnerability might be, based on how that attack looks.

The other thing is that we have two layers of security that we are providing to our customers. One is virtual patches: for every vulnerability that you see in the Patchstack database, we create a specific virtual patch, or a firewall rule if you like, which blocks any malicious attempts against this specific vulnerability. So if you have a website that runs a plugin that has a disclosed vulnerability today, but you haven’t been able to, I don’t know, update it instantly, then you actually already have a virtual patch enabled by Patchstack on your website, so the attacks are being blocked. The other thing is that if there is no information that there is a vulnerability in that plugin and it is being exploited, then we have the second layer, which we call the generic or WAF layer. That is basically a more regular set of firewall rules that block against things like SQL injection and all these different vulnerability types that there are. It is not specific to a plugin or to a vulnerability in a plugin or theme, but it is a filtering engine that tries to avoid weird kinds of use of your website, or weird inputs that may look like a malicious exploit.
No, that’s really interesting and really helpful. Is there anything else that Patchstack does differently than your competitors that’s worth noting?
I think, in general, it’s the community and the focus, I guess. The fact that we are just so heavily pushing towards the aspect of: let’s solve the problem from the root and actually make sure that the websites don’t end up with vulnerabilities in the first place. So we’re doing our internal research and we are giving back to the community of ethical hackers who help us identify new vulnerabilities that already exist in the WordPress repository, and also in the premium plugins, because WordPress.org already is not the only place where you have them. I think our company is still number one in terms of the amount of vulnerabilities discovered in the Envato marketplace, for example, with all the premium plugins that you don’t even see on WordPress.org at all. So I think this attention on the plugin vulnerabilities, and also working together with vendors, has given us very good experience in terms of also providing security audits for the vendors, the bigger plugin developers who understand the importance of security and get regular audits by us. And then the whole combination of getting the community there and actually rewarding ethical hackers for contributing to WordPress security: it all may look a little bit like it is just something that we are doing to give back to the community, but at the same time this all translates into a better security ecosystem in general, and also a bit of a competitive advantage in terms of what we can provide to our customers.
True. If somebody is looking at Patchstack, what’s the best way to get ahold of you?
You can always reach out to me on Twitter. And I guess you can just go to https://patchstack.com/. We have a free version that is free for 99 websites. It’s quite a good deal, I think. And yeah, if you have a lot of websites, you can just connect your websites with Patchstack. Let’s say you have 50 websites: you can just connect them with our SaaS panel and you will get notified about any vulnerability that has been found in your websites. Any vulnerability that the Patchstack Alliance or the ethical hackers community is reporting to us, you would be the first to know about those issues too, and so on. So this is something that you can use for free. For digital agencies who have hundreds of websites and also need protection against these vulnerabilities, we have the Patchstack business plan, where you just pay a fixed price and you can add as many websites as you want and have the full set of features. And then, if you’re a hosting company, for example, you can always reach out to us. We can give you threat intel feeds; you can get API access to the Patchstack database, so you’ll always know about new vulnerabilities that may affect the customers within your hosting environment. And if you’re a plugin vendor, if you’re a developer of a plugin, you have the biggest impact to make. So if you want to make sure that your plugin is secure and there isn’t a vulnerability that someone could exploit, the best thing to do is show it to hackers, show it to the ethical hackers who can find these issues and tell them to you, instead of a bad guy finding them and using them for something else. So reach out to us. We can also help with security auditing your plugins.
Thanks, Oliver, for jumping on and talking about Patchstack, the history and the story behind it, as well as where you’re going. Have an amazing day.