An inherent issue: the web was designed to be open, not secure

HTML is, by its very nature, publicly readable code, which makes it easy for programs to interact with websites.

Unfortunately, that attribute has also been the web’s Achilles heel.

Today, most major website breaches are enabled by malware, bots, or other scripted attacks. Cybercriminals use these tools to attack websites in ways that are indistinguishable from legitimate usage and invisible to conventional security products. Blocking IP addresses and imposing rate limits are of little use against adversaries who can obtain nearly unlimited numbers of fresh IP addresses and disguise their traffic and behavior.

Fig 1. The code that implements the user interface of every web application is public and viewable, which makes it simple for cybercriminals to program attacks against it using malware, bots, and other scripts.


The key to building a botwall: Real-Time Polymorphism

The key to building a botwall is to address this fundamental issue of the web head-on. But how can one change the very nature of HTML, to introduce a new security model, while still delivering open markup code to web browsers?

The answer is a technique called real-time polymorphism.

The idea is to turn one of the malware authors' own tools against them. Malware has long used polymorphic code to hide from antivirus products by looking different on every machine it infects.

We invert that concept: polymorphism is applied to the website itself, which disables the malware's ability to send it commands. Shape has developed a patent-pending approach to real-time polymorphism for websites, which lets a site continually rewrite its own code while still delivering HTML, CSS, and JavaScript that preserve all of the web application's functionality.

Fig 2. Shape has invented a category of security countermeasures based on the concept of real-time polymorphism.

Fig 2 shows one simple example.

Polymorphism preserves the functionality of the code while transforming how it is expressed. In this example, a simplified login form has certain attributes replaced with random strings on every response.

The resulting markup renders identically to the original, but it breaks malware, bots, or other attacks that were programmed to submit that form using the attribute values they saw in the original code.

This is one example from an almost unlimited number of ways real-time polymorphism can be applied.

A new category of advanced security defenses for the web’s user interface layer

We all know that cybercriminals don’t sit still.

They adapt and evolve to new security techniques over time, and sometimes very quickly.

Fortunately, there are a virtually unlimited number of ways real-time polymorphism can be applied to make websites inherently resistant to malware and bot attacks.

Shape has created a broad category of new security countermeasures based on this core concept of real-time polymorphism, which are implemented in our new product, the ShapeShifter.

These advanced security defenses allow you, for the first time, to protect the user interface layer of your website — where HTML, CSS, and JavaScript are transmitted — comprehensively and transparently, in a way that deflects attacks while not introducing friction for real users.
