
Why LANGSEC for Runtime Application Security? Because Patterns Can't Keep Up

Arpit Joshipura on Mar 10, 2016

Age-old security is broken because it uses antique techniques

Over the past ten years, security methods have remained relatively unchanged. They rely solely on signatures, heuristics and dataflow analysis, and they focus on defending the network. The problem is that hackers have learned how to work around predefined network controls.

The majority of today's firewalls still have to run thousands of patterns to match known attacks, and false positives and false negatives run high, making it difficult to determine what is normal. These traditional methods rely on code that is constantly changing: the thing you're trying to detect changes because the application itself is always changing, so solutions are out of date as soon as they are created.

One of the areas most exploited by hackers is the subversion of user input into malicious execution within an application. Common attacks of this kind include cross-site scripting (XSS), SQL injection (SQLi), command injection, cross-site request forgery (CSRF), format string, stack overflow, heap overflow, and file inclusion.

According to a recent study by the Ponemon Institute, one in two enterprises need better application security. The question is, how exactly do you go about continuously developing and releasing secure code without any vulnerabilities?

The New Innovation: LANGSEC

Language Theoretic Security (LANGSEC) introduces a new security paradigm. As defined by Upstanding Hackers, “LANGSEC is the emerging field of digital security that treats code patterns and data formats as languages and their grammars for the purpose of preventing the introduction of malicious code into software.” 

Prevoty uses patented LANGSEC technology and data analysis techniques to instantly and accurately identify any malicious behavior within an application. With no dependency on patterns, heuristics, signatures, taint analysis, behavioral analysis or learning, it is able to recognize an attack even if it has never been seen before and will deal with it appropriately without the risk of any false positives. This new method delivers security without signatures and works instantly. (See Prevoty CTO Kunal Anand talk about LANGSEC at RSA Conference 2016.)

To put it simply, LANGSEC is the idea of understanding what something is going to do before it does it. It looks at the intent within the context.
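The two paradigms the post contrasts can be made concrete in a few dozen lines. The example below is added here for illustration and is not Prevoty's code or a description of its product: it puts a signature-style blacklist next to a LANGSEC-style recognizer for a small, constructed grammar (a catalogue search parameter with `author`, `title` and `year` clauses). The recognizer parses the whole input against the grammar and hands back typed values, so anything that is not a sentence of the expected language is rejected without the recognizer needing to know what an attack looks like, while the blacklist both fires on benign text (an apostrophe in a surname, the word "Select" in a title) and stays silent on inputs that fall outside the grammar. The grammar, field names and sample inputs are all constructed for this example.

```python
"""Pattern blacklist versus grammar recognizer (added example, constructed grammar)."""
import re
from typing import Callable, Dict, Optional

# --- Approach 1: a pattern blacklist ----------------------------------------
# Tokens that appear in many injection payloads. Like any signature list it
# has to be extended whenever a new variant appears, and it fires on benign text.
BLACKLIST = re.compile(r"(?i)(union|select|drop|insert|'|--|<script)")


def blacklist_flags(raw: str) -> bool:
    """Return True if the blacklist considers the input suspicious."""
    return BLACKLIST.search(raw) is not None


# --- Approach 2: a recognizer for the expected grammar -----------------------
# Constructed grammar for a catalogue search parameter:
#   query  := clause ( ' ' clause )*
#   clause := field ':' value
#   field  := 'author' | 'title' | 'year'
#   value  := DIGIT{4}           when field is 'year'
#           | WORDCHAR{1,40}     otherwise, WORDCHAR = [A-Za-z0-9'.-]
# Anything not derivable from this grammar is rejected, whatever it contains.
FIELDS = ("author", "title", "year")
WORDCHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'.-"
)
MAX_WORD = 40


class RejectedInput(ValueError):
    """Raised when the input is not a sentence of the expected language."""


class QueryRecognizer:
    """Recursive-descent recognizer; consumes the entire input or raises."""

    def __init__(self, text: str) -> None:
        self.text = text
        self.pos = 0

    def parse(self) -> Dict[str, object]:
        query: Dict[str, object] = {}
        self._clause(query)
        while self.pos < len(self.text):
            self._expect(" ")
            self._clause(query)
        return query  # every character was accounted for by the grammar

    def _clause(self, query: Dict[str, object]) -> None:
        field = self._field()
        self._expect(":")
        if field in query:
            raise RejectedInput(f"duplicate field {field!r} at offset {self.pos}")
        query[field] = self._year() if field == "year" else self._word()

    def _field(self) -> str:
        for name in FIELDS:
            if self.text.startswith(name, self.pos):
                self.pos += len(name)
                return name
        raise RejectedInput(f"unknown field at offset {self.pos}")

    def _year(self) -> int:
        # ASCII digits only: str.isdigit() would also accept characters like '²'.
        return int(self._run(lambda c: "0" <= c <= "9", 4, 4))

    def _word(self) -> str:
        return self._run(lambda c: c in WORDCHARS, 1, MAX_WORD)

    def _run(self, accept: Callable[[str], bool], lo: int, hi: int) -> str:
        start = self.pos
        while (self.pos < len(self.text) and self.pos - start < hi
               and accept(self.text[self.pos])):
            self.pos += 1
        if self.pos - start < lo:
            raise RejectedInput(f"expected at least {lo} valid characters at offset {start}")
        return self.text[start:self.pos]

    def _expect(self, ch: str) -> None:
        if self.pos >= len(self.text) or self.text[self.pos] != ch:
            raise RejectedInput(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1


def recognize(raw: str) -> Optional[Dict[str, object]]:
    """Return the parsed, typed query, or None if the input is outside the language."""
    try:
        return QueryRecognizer(raw).parse()
    except RejectedInput:
        return None


def compare(raw: str) -> Dict[str, bool]:
    """Side-by-side verdict of both approaches for one input."""
    return {"blacklist_flags": blacklist_flags(raw),
            "recognizer_accepts": recognize(raw) is not None}


if __name__ == "__main__":
    # Constructed sample inputs: two benign, two outside the grammar.
    for sample in ("author:O'Brien year:2016", "title:Select",
                   "author:Bob; year:2016", "title:<b>bold"):
        print(f"{sample!r:32} {compare(sample)}")
```

The recognizer returns a dictionary of already-typed values (the year is an `int`), so the code that runs the database query never touches the raw string; that separation, rather than the spotting of bad tokens, is the property LANGSEC is after. The blacklist, by contrast, fires on `author:O'Brien` and `title:Select` and says nothing about `author:Bob; year:2016`, which the grammar rejects at the semicolon.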

A departure from clunky, traditional signature security methods, language security offers a deeper level of protection by predicting actions before they happen, strengthening security and mitigating threats. LANGSEC is easy to implement at runtime, creates few false positives and false negatives, and is 30 times faster than traditional approaches.

So what’s stopping everyone from making the switch to Runtime Application Self-Protection (RASP)? Nobody wants vulnerabilities in their code, but companies are already comfortable with the security methods they have had in place for years and years. It’s difficult for them to think beyond their habits of defending the network and the endpoints. It won't be long before LANGSEC technology becomes the new standard for addressing today’s application vulnerability detection and remediation challenges, and the future of automatically secured applications.

Arpit Joshipura

Arpit brings over 25 years of industry experience in enterprise IT and the security ecosystem to Prevoty. His past roles include VP of Product Management, Strategy & Marketing at Dell, which he joined through the Force10 acquisition, where he was CMO. He has been instrumental in moving closed and proprietary IT and infrastructure to an open, secure and software-defined world. He has served in executive leadership positions in startups and enterprises throughout Silicon Valley.
