Historically traditional security technologies have not been very effective.\u00a0For the better part of the last two decades, IT and security teams have been focused on defending the networks. Attackers have figured out how to work around network controls.Every five to 10 years a new technology comes along that needs to be tested, and according to\u00a0Kunal Anand, co-founder and CTO at Prevoty, language-theoretic security\u00a0is the next generation of application security controls that are broadening the solution space.According to Upstanding Hackers, "Language-theoretic security, or LangSec, is the emerging field of digital security that treats code patterns and data formats as languages and their grammars for the purpose of preventing the introduction of malicious code into software."LangSec enables companies to secure their prized data and applications without lag-time or delay. "It is security across initiatives," Anand said.Anand has been a bit of a fish swimming upstream as he has grown in his understanding of security technologies. One key question that drives his ongoing development in application security, he said, is asking, "Is there an ability for us to add security so that we can make sure those apps don\u2019t get compromised?"Across sectors and industries, whether it's an enterprise in financial services or retail, they all have a preponderance of software they\u2019ve developed. For most of these well-established companies, the issue with application security is rooted in the reality that they may not have the same team that developed that software, said Anand. Those vulnerabilities are exposed by attackers. \u00a0Understanding what controls can predict actions before they happen can strengthen security and mitigate threats, but how is it possible to predict an event before it happens? Anand said controls like run-time application security monitoring (RASP) and LangSec offer a deeper level of security than pattern matching."Pattern matching can block content in list of patterns, but attacker can get more specific and put spaces in between or insert upper\/lower case letters," said Anand. "With new types of attack, payloads are generated really quickly. Criminals are using scripts like JJencode, so how do you guard against that using patterns?"\u00a0When Anand worked at MySpace, he said, "We had to run thousands of patterns. The problem is that false positives and false negatives are high in pattern matching." When security is focused on anomaly detection, you first have to determine what is normal."Applications are always changing, some change up to 40 times a day. The thing you are trying to detect is changing because the underlying application is always changing," said Anand. \u00a0LangSec is the idea of understanding what something is going to do before it executes, so it looks at the intent within the context. Anand gave the example of network controls in SQL injection.\u00a0"Network controls are looking for 0s and 1s, but they aren\u2019t living inside the application. If you can see every database query going between the application and database, you can look at it the same way that the database is going to look at it. You don\u2019t have to guess. You can look at the query and understand exactly what it is going to do," Anand said.Coupling visibility inside the application and nowhere else with the idea of language analysis to look at HTML for things like command injection or SQL injection will allow security professionals to understand the way that the database would execute."We don\u2019t care about patterns because patterns change all the time. Applications are always changing. Data flow analysis may change all the time, but the benefit of being in the application is you don\u2019t have to guess," Anand said. The result is a much reduced rate of false positives at a much faster rate. \u00a0For LangSec to be\u00a0accurate, though, you need to look at the payload in the right context. "Building a LangSec\u00a0approach is really\u00a0difficult\u00a0on its own," Anand said. "An enterprise can have lots of databases that all\u00a0diverge in unique ways. Oracle may have different functionalities from SQL. You have to understand how each target system is going to execute. You have to build formal tokenizers and language analysis tools for each one of those pieces of the tool chain."\u00a0While some have overlooked LangSec as too theoretical or nerdy, more organizations are waking up to it. "Gaming companies are talking about applying LangSec." \u00a0The greatest challenge right now is moving security professionals forward, beyond the habits of defending the network. Anand asked, "How do you explain to people who are entrenched in patterns and pattern matching?" \u00a0The proof, as they say, will be in the pudding.