Current Issue
This Month's Print Issue

Follow Fast Company

We’ll come to you.

1 minute read


What Is Polymorphic Code?

One of the most ingenious ways to make software more secure is to copy the programming patterns used in malware.

What Is Polymorphic Code?

[Image: Flickr user j bizzie]

A traditional form of attack by cyber criminals, polymorphic malware, has the ability to hide itself, changing variations with each new device while keeping its original algorithm. Since the code is continuously changing, it becomes somewhat obscure through multiple attacks, making it harder for the next attackers.

A startup called Shape Security has decided to use this programming pattern to the opposite ends: that is, to fight malware. Called ShapeShifter, it’s a real-time polymorphism technique that will rapidly change any website's code, eliminating the fundamental targets that malware aims to compromise. Vice president of strategy Shuman Ghosemajumder explains how the technology works to the Register:

By constantly rewriting the code of the website's user interface, malware, bots, and scripts simply have their capability to attack the website disabled, since their own attack instructions, as coded by their authors, are rendered immediately out-of-date and invalid. Meanwhile, real users, who do not interact directly with the website's underlying user interface code, are unaffected.

It makes sense that Shape Security would focus such a sophisticated method on the larger, enterprise companies who come up against millions of attacks. With a $26 million in backing, the company is poised for efficacy, though not without a steep price. While the company is still finalizing its pricing model—said to be in the seven-figure range—it is hitting a soft spot with investors such as Google Ventures, Tomorrow Ventures, and former Symantec chief executive Enrique Salem.

Another way the company is using polymorphic code is through targeting the age-old SQL injection attacks, which was the method of attack on 17 credit card companies and retailers last year that resulted in more than 150 million compromised credit cards. It's also the likely method of attack that recently brought down Target's database of 70 million cardholders’ personal information, according to a report by a cybsecurity firm called iSight Partners.