Startup Mu Security looks to lock down code

A Sunnyvale, California, startup backed by US$4 million in venture funding and a team of former Juniper Networks Inc. executives says that it has developed a way to make networking products and applications more secure. Mu Security Inc. says it will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.

The unnamed product, which is expected to ship by year's end, emulates millions of known hacker attacks and integrates this ability into the quality-assurance processes, according to Mu Security Co-Founder and Chief Executive Officer Ajit Sancheti. "We are bringing formal scientific methods to security analysis, so it's no longer something that's considered a black art," he said.

The product could be used by enterprises to test third-party software before purchase or to certify configuration changes and software patches, said Joe Furgerson, the company's vice president of marketing. "What we're doing is providing the means by which people buying a product can evaluate it for security readiness," he said.

Mu Security would not say whether the product will be hardware- or software-based, but more details will be revealed in March, Furgerson said.

Software vendors like Microsoft Corp. have spent a great deal of time and money over the past few years to build security into their product development process, and the benefits of secure software development are now starting to be better understood in the enterprise, said Melinda-Carol Ballou, program director for application-life cycle management software with research firm IDC. "Mainstream organizations are beginning to wake up to the fact that, 'Yes if I coordinated this as part of a best-practices approach from the beginning, it's going to save me money in the long run,'" she said.

Software vendors like Fortify Software Inc., Secure Software Inc. and Ounce Labs Inc. are already selling similar products, which analyze software's source code for security flaws. And even widely used integrated development environments like IBM Corp.'s Rational products and Microsoft's Visual Studio Team System are beginning to focus more on security, Ballou said.

But unlike these products, Mu Security's offering does not concern itself with source code, Sancheti said. "What we're doing is looking at a system like the world would, like the hacker would," he said. "We have no knowledge of the source code."

Mu Security's management team includes a number of the executives behind the OneSecure intrusion detection appliance, which in 2002 was purchased by NetScreen Technologies, before NetScreen was itself acquired by Juniper Networks Inc. Ajit Sancheti and Chief Technical Officer Kowsik Guruswamy both worked on OneSecure, and Joe Ferguson is a former Juniper executive.

Founded in March, 2005, the company employs a staff of 20. Mu Security's investors include noted venture capital firms Accel Partners and Benchmark Capital. Its Web site is at http://www.musecurity.com/.