So What’s the Deal with Shape Security?

If you have interacted with me at all over the past 8 months I’ve probably mentioned something about the company I work at, Shape Security. If you knew me before, you’ve probably wondered why I ever took a job at a hardware-based security company. After running free community JavaScript training courses, speaking at web conferences, contributing to open source JavaScript tools, and running JavaScript meetup groups, it would seem as though I’ve sold out to the highest bidder trying to get rich quick in Silicon Valley, which is very far from the truth.

The truth is that I joined Shape because it was probably the best opportunity I’ll have in my life to do something truly unique and valuable with incredibly smart people. Shape ended up being more of a web company than a security company.

  • Did you know that Brendan Eich is an advisor to the company?
  • Did you know Ariya Hidayat is the VP of engineering?
  • Did you know that Shape has released an open source JavaScript AST Spec (authored by Michael Ficarra and Bei Zhang)?

Shape, at its core, wants to deliver a solution that simply prevents web sites from being automated. Automation is seen as one of the clearest threats to privacy and security now and in the future. Have you ever been warned to change your password after hearing of sites getting hacked and losing umpteen million users’ email addresses and passwords? The biggest reason those breaches are a problem is that attackers will use automated tools to find out which username/password combinations also work on other sites (an automation technique known as “credential stuffing”). This is only one of many, many different problems that web sites face, and why Shape has such a crazy valuable product in its hands.

If we get it to work.

This problem is hard. Really hard. You just won’t believe how vastly hugely mindbogglingly hard it is…

The way we’re approaching the problem is by developing a device that automatically transforms, modifies, and instruments web content on the fly, all without changing the end-user experience and, preferably, without much configuration. Our poster example shows one seemingly simple technique we leverage to disrupt automation: basically just encoding the ids, classes, and names of HTML elements on every request and decoding them on the way back through. For example,

<input id=username name=username>

gets transformed to

<input id=XNnatom3 name=a8zkahtk>

At first glance, the idea seems neat and understandable. Look at it in any depth, though, and the idea quickly loses merit: the problem space turns out to be paralyzingly vast, and the technique alone is virtually ineffective. Anyone with web experience can enumerate a dozen ways to retool around that technique, and yet it still takes a massive amount of foundational work for us to even be able to do that at all. But, at Shape, there is clear awareness of the difficulty, and an understanding that this is a long-term investment that will take a while to get any good at all.

Well, that was a while ago and, now that it’s been a while, it’s getting good. Quite good. And it is fun as hell getting there. That technique above is one of many composable countermeasures that, when combined randomly, make it incredibly difficult to reverse engineer and automate a web application.

We’re based in the Bay Area and, like any company based in the Bay Area, we’re “always hiring.” If you’re interested, reach out. This is an odd company with odd needs, so lunch, coffee, or beer is happily on me if you just want to ask a few questions :-)

2 thoughts on “So What’s the Deal with Shape Security?”

  1. Hi, I am really interested in this real-time polymorphism. But aren’t there any other examples, so we can understand the concept more clearly? Can we communicate from somewhere?
