The Best of Shape Security 2018

“Hold on there, critics!” – Photo Credit: Warner Brothers

Focus on the Good Things

There are already too many blogs focusing on the bad things that happened this year. Focusing on the bad things in life makes you miss the good things. For example, reading through the reviews of all 61 “worst movies of 2018took us would take you 96 minutes (hint: the worst is not Rampage; that movie was awesome, and so true to the game’s aesthetic). And you don’t have to read “The Worst Rappers of 2018,” because you already know XXXTentacion and Post Malone are going to be on it. (Post, if you read this, we’re just kidding; call us! We left a Glock in your car, we think.) Or, the worst cryptocurrency of 2018 (answer: all of them).

Instead, let’s focus on positive things, like the best of Shape Security in 2018. What kind of things? You know, open-source software, funny moments, tech epiphanies, and playful microsites. Public stuff! But enough topical preamblelet’s just show you!

January – Unminify JavaScript Tool

https://github.com/shapesecurity/unminify

You might not have known this until now, but Shape’s architects are some of the smartest JavaScript experts in the world. Like, seriously, these are some of the guys who work on the JS standards. One fellow’s brain is so big he has to use an external brain pack. These genuses generously contribute to the Shape Security GitHub. Most of their tools are for solving problems beyond the ken of us mere mortals in marketing, but not this one.  

Unminify is “a little project to undo several of the horrible things JavaScript build tools will do to JavaScript.” Suppose a bunch of super-gnarly malicious JavaScript is scraping your site, but you can’t tell because it’s obfuscated and minified. Run it through Unminify, which will expand the JavaScript into something right out of Strunk & White’s The Elements of Style.

Warning: Check out the hilarious “safety” levels (below), which range from “useless” to “wildly -unsafe.” Come to think of it, those adjectives describe some of us at Shape marketing!

Installation:

npm install -g unminify

CLI Usage:

uniminify /path/to/file.js
  • --safety may be given to enable/disable transformations based on the user’s required safety guarantees. Refer to the safety levels documentation for more details. The value of --safety may be one of
    • useless
    • safe (default)
    • mostly-safe
    • unsafe
    • wildly-unsafe
  • --additional-transform may be given zero or more times, each followed by a path to a module providing an AST transform; the function signals that the transformation was not applied by returning its input

You can also use the unminify API. Lovely! Merry Christmas!

May: How Starbucks Combats Account Takeover

“When you don’t know what to give someone for Christmas, you give them a Starbucks gift card, right?” — Mike Hughes, Starbucks. LOL, guilty as charged right here. One Christmas, we gave out only Starbucks gift cards. The sheer global ubiquity of the green mermaid logo ensures that its gift card program will remain one of the largest, if not the largest, in the world. In 2013 and 2014, Starbucks was one of the most targeted online portals for gift card fraud. They turned to Shape Security, and they were blown away! Don’t believe us?

Starbucks: Why traditional security methods don’t work for ATO

In this sobering webinar, our co-founder and CEO, Derek Smith, draws the story out of Mike Hughes, Starbucks Director of Information Security.

This was the first time we ever got “official” with a customer—you know, like Facebook Official. If you’re looking for the SparkNotes on the video, read this blog we wrote earlier (while sitting in a Starbucks!).

July: 2018 Credential Spill Report

In July we released our marquee communique, the second annual Credential Spill Report. Shape has a unique perspective on credential spills and credential stuffing, because we see more re-used credentials than any other company on the planet.

Credential Stuffing Attacks on a Top 5 US Bank

The report is full of titillating details about 2018’s automated attackers. For example, the chart above shows five different attack groups hitting a Top 5 US bank at the same time. We actually split and track each group and give them cute names. The “Smooth Criminals” had the best and most unique credential list. Smooth Criminals, if you’re reading this, we want you to know that we’ve put you on Santa’s naughty list.

August: Blackfish Inner Workings, Explained!

In August, we answered the questions “What is Blackfish?” and “How does it work?” in our blog entry, “Look, Ma, No Passwords!” Spoilers: Blackfish uses a Bloom filter to store a set of leaked credentials, ensuring we don’t actually expose all those individual credentials again. Wait, what?

The celebrated 2017 NIST Digital Identity Guidelines suggest that organization check incoming credentials against a corpus of known already-leaked credentials. Sounds sensible, right? You’re nodding your head. Except, where is this known already-leaked credential list, and how are you going to check it? You could hire security researchers to build Pastebin scrapers and download breach lists and pay some shady hackers for their 1.4 billion leaked creds and jam them all into a database. And then try to secure that database so it doesn’t get leaked.

Or, you could just buy Blackfish, because we do all that for you, and we secure the database in such a way that if it’s compromised, no credentials leak. Plus, we’ve got credentials that aren’t even out on the dark web yet. It’s a total no-brainer. It even says that on the packaging. “Blackfish: No-brainer edition.”

September: Two FBI Agents Break It Down

Trends in Online Fraud from the FBI and Shape

M.K. Palmore, Head of the FBI’s San Francisco Cyber Branch, and our very own Dan Woods, VP of Shape Intelligence, who is himself a former FBI Special Agent, teamed up to fight crime and accidentally defenestrate an entire brigade of social-justice warriors. Okay, we made that last part up. But really, these are two of the finest speakers in the industry, and you’ll want to hear what they have to say about the best practices for fighting cybercriminals and financial fraud.

November: Exploiting Developer Infrastructure is Ridiculously Easy

Written by Shape’s own Jarrod S. Overson (“J-Rod,” as he known in the hood) on the beautiful Medium platform, this fascinating breakdown tells the story of a shadowy attacker bent on draining the last dregs from the bottom of the Bitcoin barrel. By exploiting the current, far-too-trusting developer infrastructure, the attacker put in place an encrypted payload designed to compromise a particular set of Bitcoin wallets. If you’re a JS developer, designer, HTML code monkey, or DevOps engineer, you’ll want to read J-Rod’s excellent analysis.

November: #1 Fastest Growing Company in Silicon Valley

In November, Deloitte recognized Shape as the third-fastest growing company in the United States, and the number one fastest in Silicon Valley, in their Deloitte Technology Fast 500 List. Some companies are excited about their 20% annual revenue growth. Shape grew 23,576 percent over the past three years. That’s a huge number! Millennials won’t understand this reference, but if you wrote the number on a check it would look like twenty-three thousand, five hundred and seventy six. Also, it would be in cursive, which they couldn’t understand either.

Actually, we shouldn’t mock Millennials, because a regiment of brilliant Millennials work at Shape, and we’re hiring more all the time. But not everyone we hire is young, or brilliant, or good looking. Take, for example, this guy:

December: The Hiring of B-list Cybercelebrity David Holmes

California’s recent ban on discrimination against the mentally unstable has finally allowed Shape Security to lure David Holmes from his padded cell in northern Colorado. Rumor has it that for a signing bonus he was promised access to the amazing catered food at Shape’s Silicon Valley HQ, plus a generous regimen of mood stabilizers. He is expected to pen blog listicles, research food journalism, and forget his corporate password 20 times over the next two years.

December: Shape and Okta Get Facebook Official

In December we unveiled our partnership with Okta. Okta is all about logins and authentication and authorization. That makes them a perfect partner for Shape, as we’ll provide Okta’s customers our frictionless defense against bots, credential stuffing attacks, and fake account registrations.

The Okta and Shape partnership extends across all major touch points: web, mobile, and APIs. To learn more about using Shape to enhance your Okta SSO and customer portals, check out Okta’s Shape page, where they have an Okta+Shape datasheet!

December: JPMC Inducts Shape Into Its Hall of Innovation

Once a year, the JPMorgan Chase Hall of Innovation recognizes select emerging technology companies for their innovation, business value, and disruptive nature. This year, the award was presented to Shape at the J.P. Morgan Technology Innovation Symposium, held in Menlo Park.

Rohan Amin, the CISO at JPMC, extolled: “We were impressed by Shape’s innovative approach to help enable a high-security, low-friction user experience… and we appreciate our partnership with them.”

Here’s to Another Great Year!

The Hall of Fame induction was a humbling moment, and one that seems like a great way to look back on the year. Frivolity aside, we hope you can see that it has indeed been a fantastic year at Shape Security, and we have every reason to believe that 2019 will be even better!

[Editor’s Note: If you were really paying attention, you probably noticed that the authors violated essentially all of the tenets of The Elements of Style, not to mention good taste, in this article, and even misspelled the word “geniuses,” which speaks volumes about their competence.]


#1 Fastest Growing Company in Silicon Valley | Deloitte’s Technology Fast 500

FastestGrowing_Linkedin.jpgToday Shape was recognized as the fastest-growing company in Silicon Valley and the third-fastest growing company in the U.S. by Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America.  Rankings are based on a company’s revenue growth from 2014 to 2017.

“We’re laser-focused on protecting our customers and we have an incredible team,” said Shape’s CEO, Derek Smith, who credits the 23,576 percent revenue growth to the company’s unceasing dedication to customer success. Smith continued, “This is why we are able to grow incredibly quickly while maintaining a 99 percent customer retention rate.”

00000IMG_00000_BURST20181114193632655_COVER  Derek Smith, Shape CEO, accepting the award on November 14, 2018.

“Congratulations to Shape and the other Deloitte 2018 Technology Fast 500 winners on this impressive achievement,” said Sandra Shirai, vice chairman, Deloitte LLP, and U.S. technology, media and telecommunications leader. “These companies are innovators who have converted their disruptive ideas into products, services and experiences that can captivate new customers and drive remarkable growth.”  

This is the latest honor for Shape, which has also been recognized by Fortune Magazine as one of the Top 100 companies in artificial intelligence, ranked by CNBC as one of the Top 50 most disruptive companies in the world, and named by Business Insider as one of the “25 Enterprise Startups to Bet Your Career On.”

Gartner Identifies Shape Security as New Deflection Technique

Avivah Litan
Avivah Litan, Gartner Research VP and Distinguished Analyst, highlights Shape Security her latest blog post.
To read more about her analysis on solutions for automated attacks, read below.

Gartner Research VP and Distinguished Analyst, Avivah Litan, mentioned Shape Security on her blog discussing the growing threat of automated attacks on websites. Shape Security has been mentioned in multiple other reports. The difference here is this blog that is publicly available for everyone (including those without a Gartner subscription).

According to Avivah:

[Shape Security is a] new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code).

In her blog, Avivah features Shape Security as a solution to these automated attacks. Specifically, she states that Shape’s polymorphic technology deflects malicious automation, preventing the attacks from executing at the point of entry. Deflection is better than detection – preventing attack is better that finding the attacker ex post facto.

Interested to learn more? Learn more here.

Shape Security Named a 2014 Cool Vendor by Gartner

Gartner designated Shape amongst new and innovative vendors in the application and endpoint security space. Gartner, the renowned technology research firm, recognized Shape for its impactful and intriguing application and endpoint security innovation for 2014.

The list can be found in the Gartner “Cool Vendors in Application and Endpoint Security, 2014” May 2, 2014 report.

Shape Security’s flagship product, the ShapeShifter, is the industry’s first botwall to defend websites against the most sophisticated automated threats — offering a comprehensive defense against major website attacks, including account takeover, Man-in-the-Browser and application DDoS attacks. By continuously refactoring the HTML, CSS and JavaScript which implement a website’s user interface, the ShapeShifter is able to automatically deflect sophisticated attacks against websites. By robbing cybercriminals of their ability to use malware for their attacks, Shape radically shifts the economics of web hacking.