Backed by a lineup of elite investors, start-up Shape Security has emerged from stealth mode by announcing technology it calls Shapeshifter that is said to prevent cyber-criminals from successfully attacking and compromising websites.
Shape Security has attracted $26 million in venture capital from Kleiner Perkins Caufield & Byers, Eric Schmidt's TomorrowVentures, Baseline Ventures, Google Ventures, Wing Ventures, Venrock and individuals including former Symantec CEO Enrique Salem.
By putting the Shapeshifter appliance in front of a website, every HTML page that is presented for viewing is subtly transmuted in its underlying code each time so that it won't look the same twice. "The key is not to change anything to the naked eye but everything the programmer cares about," explains Shape Security's vice president of strategy, Shuman Ghosemajumder.
This automatic altering of web pages to the external world creates a kind of deceptive camouflage designed to never let an attacker get a single straight shot to undermine the site through attacks such as cross-site scripting or application denial-of-service attacks.
Shape Security calls this "real-time polymorphism" and in some regards, Ghosemajumder points out, it borrows a page from tactics that malware authors use to constantly modify malicious code so it can evade signature-based detection. With Shapeshifter, "the website will constantly re-write itself wherever you deploy it, the HTML will re-write itself," he says. But for the visitor, the content looks the same as it might be otherwise.
The goal is to create a defense against some of the natural advantages that attackers have in deeply scoping out the websites they want to attack in advance. Shapeshifter's approach does require considerable processing power, Ghosemajumder acknowledges.
Because it is computationally intensive, Shapeshifter has to be tested carefully in any website environment. It can be deployed to a single web page, such as to protect a login page, or across numerous web pages. The amount of traffic and number of web pages will be factors in its use. Shape Security has no announcements yet on customers using Shapeshifter but says private betas are ongoing. Pricing for it is not yet disclosed.
Founded in November 2011, Mountain View-based Shape Security has three co-founders: CEO, Derek Smith; vice president of product management Sumit Agarwal, and chief technology officer Justin Call. Agarwal is the former senior advisor of cyber innovation at the U.S. Department of Defense as well as former deputy assistant secretary to the department. Prior to that he was head of mobile products at Google.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]