Shape Security is hoping to strengthen the security of websites with the ShapeShifter, which uses code that constantly changes.
They believe that their product, which is compatible with JavaScript, HTML and CSS, will turn a website into a “moving target” that is much harder for hackers to hit. Experts have chimed in, saying that hackers dedicated enough to put the time in will still be able to circumvent it, but that doing so will take them a lot longer.
“The website looks and feels exactly the same to legitimate users, but the underlying site code is different on every page view,” Sumit Agarwal, who founded the firm, wrote on their blog.
“Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks,” he also said. “This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetisation path. Without automated scripts, many of today’s attacks cease to be economically viable.”
Dr Ian Brown, who is from the University of Oxford’s Internet Institute, believes that the ShapeShifter may be a viable product. “It’s an interesting additional tool for making it harder for attackers to break into systems, and one that can’t be trivially circumvented by attackers changing their behavior,” he said.
Ron Austin, another expert, thinks that hackers will still be able to get by, given enough time.
“The caveat to this approach would be looking for parts of the polymorphic code within the software that does not change,” Austin said. “This would then give the attacker a point of reference into the system and possibly allow a new attack to be created. This is difficult and would take time as the attacker would have to monitor the software.”
It is definitely an interesting idea, enough so that Shape Security has gained several big backers. These include Google as well as Eric Schmidt’s own investment company, TomorrowVentures, and Shape Security has raised $26 million for it.
[via BBC News]