It seems like a rather long winded way to say:
Security through Obscurity.
Startup Shape Security is re-appropriating a favourite tactic of malware writers in developing a technology to protect websites against automated hacking attacks. Trojan authors commonly obfuscate their code to frustrate reverse engineers at security firms. The former staffers from Google, VMWare and Mozilla (among others) …
Perhaps but the article implies that the code is continiously shifting and so has a better chance of staying obscure. Even if you manage to sucessfully attack the site once, it will change the next time you visit the page rending the previous attack less effective without any extra action by the owners of the site. Clever if it works.
Can't help but be reminded a little of the cyber warfare in GitS, in particular viruses that used the defenses of a system as an essential piece of their functionality. Let the arms race begin.
"The virus doesn't exploit weakness in the AV to bypass it and infect the system, the virus is a fragement of a full program and actually lifts the AV code to complete itself."
Yeah, that's par for the course in biology as far as viruses are concerned.
I imagine the idea is that the page is changed every time it is loaded. The changes would, I imagine, amount to changing the names of objects like text boxes, Javascript functions and session variables, among other things.
It sounds like the software also does auto filtering of posted data to guard against SQL injections.
Probably other stuff too which I can't guess at :-)
That's easy!
10 PRINT "Hello, world!"
20 PRINT "Hello, world!"
....
996 similar lines snipped.
....
9990 PRINT "Hello, world!"
10000 PRINT "Hello, world!"
There you go! Totally bug free!
(It doesn't do anything, but then that wasn't in the requirements)
Rather than scraping the site and parsing hypertext directly, automate a browser. Find out where the relevant UI elements get rendered in the page and from then on it's "that input element at that position, whatever it's called and however many zero-margin DIVs it's embedded in."
And yay, yet more patents pending on software. Guess this'll be kicked into the long grass for the next 25 years, then.
This sounds like a neat trick to make malware writer's lives a lot harder... It won't be invincible, it isn't a substitute for well written code, but it could dramatically increase the amount of effort malware writers have to expend, which would be a good thing. It could help browsers to identify replay attacks as well.
On the downside it's going to break caching of web pages which could trigger an upswing in traffic. But on the upside it'll make traffic interception more interesting and hopefully a bit more expensive. ;)
I don't need any more crap in the network racks when I already have the BGP routers, forward firewalls, load balancers, anti-malware engine, IDS/IPS system, web cache appliance, vpn gateways, rear-facing firewalls, packets shapers...
Typical Web 2.0 idiot programmer thinking: "I have no time to check my code for security bugs, I'm too busy inventing the next InstaSnapLinkedFaceGram+. Lets just make something to cover this up and make it the responsibility of the Dev/Ops team!"