
Science

LANGSEC

To address shifting challenges and stay aligned with a faster pace of application development, Prevoty has architected a solution based on the principles of LANGSEC and delivered as a Runtime Application Self-Protection (RASP) tool. 

This innovative model presents a significant change in the way application security is delivered to the enterprise. 

Keep reading to learn more about the science behind this award-winning technology.

Rooted in computer science academia, LANGSEC emerged as a vehicle for challenging traditional security technologies for many reasons, including:

  1. Signatures cannot keep up with an infinite number of patterns
  2. Statistically significant heuristics do not exist in an ever-changing DevSecOps world and require constant tuning
  3. Applications cannot perform data flow analysis in production without taking a performance hit

What it prevents

LANGSEC solves vulnerability classes that arise from data input intentionally or unintentionally changing the expected behavior of an application. For example, LANGSEC can understand if a database query contains a tautology (or contradiction) or attempts to access an invalid column. LANGSEC can also block data input obfuscation or fuzzing, which is impossible to detect with traditional pattern-matching or regular expressions.

How it works

LANGSEC is the formal process of understanding how data such as content payloads, database queries, operating system commands and more will execute in an environment. The technique is akin to a real-time compiler for data input: it is built from the grammars of programming languages, browser rendering engines, database query engines and operating systems, and it uses that contextual knowledge to detect and neutralize sophisticated attacks during execution.
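As an added example (not Prevoty's code) of the compiler-style analysis described above and the tautology check mentioned under "What it prevents": a small recursive-descent parser for an assumed, simplified SQL WHERE grammar (numeric and string literals, identifiers, `=` and `<>`, AND/OR, parentheses) that classifies a predicate by folding its constant sub-expressions. The grammar, token set and function names are assumptions for illustration; a real engine would carry the full SQL dialect.

```python
import re
# Added example: a tiny, assumed SQL WHERE grammar is parsed and the verdict is
# read off the parse tree; the regex below only splits tokens, it never decides.
_TOKEN = re.compile(r"\s*(?:(?P<num>\d+)|'(?P<str>[^']*)'|(?P<word>[A-Za-z_]\w*)|(?P<op><>|[=()]))")

def tokenize(src):
    toks, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:                              # anything outside the lexicon is rejected
            raise ValueError(f"unexpected input at {pos}: {src[pos:pos + 8]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "num": toks.append(("num", int(text)))
        elif kind == "word": toks.append(("kw", text.upper()) if text.upper() in ("AND", "OR") else ("id", text))
        else: toks.append((kind, text))        # str ('' escapes not modelled) or op
        pos = m.end()
    return toks

def parse_or(toks):                            # expr := conj ('OR' conj)*
    v = parse_and(toks)
    while toks[0] == ("kw", "OR"):
        toks.pop(0); r = parse_and(toks)
        v = True if True in (v, r) else (False if (v, r) == (False, False) else None)
    return v

def parse_and(toks):                           # conj := cmp ('AND' cmp)*
    v = parse_cmp(toks)
    while toks[0] == ("kw", "AND"):
        toks.pop(0); r = parse_cmp(toks)
        v = False if False in (v, r) else (True if (v, r) == (True, True) else None)
    return v

def parse_cmp(toks):                           # cmp := '(' expr ')' | term ('=' | '<>') term
    if toks[0] == ("op", "("):
        toks.pop(0); v = parse_or(toks)
        if toks.pop(0) != ("op", ")"): raise ValueError("expected ')'")
        return v
    left, op, right = toks.pop(0), toks.pop(0), toks.pop(0)
    if not {left[0], right[0]} <= {"num", "str", "id"} or op not in (("op", "="), ("op", "<>")):
        raise ValueError(f"malformed comparison: {left} {op} {right}")
    if "id" in (left[0], right[0]) or left[0] != right[0]:
        return None                            # column reference or mixed literal types: unknown
    return (left == right) == (op[1] == "=")   # two literals of one type: fold the constant

def classify(where):
    """Return 'tautology', 'contradiction' or 'data-dependent'; raise on anything off-grammar."""
    toks = tokenize(where) + [("eof", None)] * 3   # padding so a short input hits the checks
    verdict = parse_or(toks)
    if toks[0] != ("eof", None): raise ValueError(f"trailing input after predicate: {toks[0]}")
    return {True: "tautology", False: "contradiction", None: "data-dependent"}[verdict]
```

Because the verdict comes from the parse rather than from a byte pattern, spacing, letter case or an equivalent literal pair do not change the result, while anything the grammar does not describe (comment syntax, a stray operator) is rejected outright instead of being guessed at.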

Fuzzing

LANGSEC is a detection mechanism that is faster, simpler, and more accurate than traditional methods using signatures, heuristics and data flow analysis.

LANGSEC requires none of the following:

  • Regular Expressions
  • White Lists
  • Black Lists
  • Heuristics
  • Pattern Matching
  • Anomaly Detection
  • Taint Analysis
  • Data Flow Analysis

Enterprise protection with LANGSEC

The LANGSEC methodology is horizontal -- it can be applied to a vast array of security products and solutions, with Runtime Application Self-Protection (RASP) being the first. 

Prevoty is the first to go to market with an effective runtime solution that utilizes the LANGSEC approach, with its own lexical analyzers, validators and parsers to effectively analyze and identify malicious behavior. Prevoty’s RASP implementation performs the most sophisticated form of application security instrumentation, understanding what content is going to do before code execution and neutralizing threats like cross-site scripting (XSS), SQL injection (SQLi), and cross-site request forgery (CSRF) without using unwieldy patterns or heuristics.

Benefits of LANGSEC:

Speed

  • 30x faster than traditional methodologies
  • Reduced CPU and memory consumption

Accuracy

  • No false positives or false negatives
  • Contextual payload analysis blocks fuzzing
  • Higher correct rate than scanners or tests

Ease

  • Low maintenance (no signatures or patterns)
  • Zero tuning or learning
  • Quick custom policies (domain and application-specific controls)
  • Reduces WAF upkeep

More Resources

Below are a few academic papers on LANGSEC for further perusal. For the most up-to-date information on research and theoretical advancements, visit langsec.org.

  • Blog: RASP: The Proof is in the Pudding. Dr. Edward G. Amoroso, former CISO of AT&T, discusses the effectiveness of RASP.
  • Video: RSA 2016 Innovation Sandbox Pitch. Witness the Top 10 Finalists battle for the coveted title of 2016 Most Innovative Startup at the RSAC Innovation Sandbox Contest.
  • Datasheet: Prevoty Datasheet. An overview of Prevoty’s application security products and how they can help enterprises improve their SSDLC.
  • Analyst Report: Ovum 'On the Radar' Report. Why put RASP on your radar? Ovum's Richard Absalom investigates Prevoty's claims in his latest On the Radar report.
  • Analyst Report: Ponemon Report. New Ponemon Study Reveals Application Security Risk At All Time High: 1 in 2 Enterprises Need Better Protection.
  • Video: Whitehat Partnership. Hear from the two founders on why they're working together and their joint vision for 100% remediation.
  • Webinar: Aberdeen Webinar with Derek Brink of Aberdeen Group, focused on modern enterprise application security challenges.
  • Analyst Report: 451 Research: Prevoty charges ahead... Information Security Analyst Scott Crawford and Patrick Daly discuss what sets Prevoty’s LANGSEC apart from the rest.

Discover how embedding LANGSEC into your applications can upgrade your runtime security strategy