A young company's new approach to cybersecurity promises to protect websites that, by their nature, expose their underlying code.
FORTUNE — There’s a reason why you don’t hear much about security startups — there aren’t that many out there. Unlike social media tools or mobile apps, developing cybercrime-fighting software can take lots of time. And most investors, not to mention customers, don’t want to put their money and trust in a twentysomething, first-time entrepreneur.
Enter Shape Security, a Mountain View, Calif.-based startup that launched late last month. The company, led by a team that comes from Google and the U.S. Department of Defense, spent the last couple of years developing its “botwall” technology. The product aims to protect websites by constantly mixing up a website’s code, making it difficult for automated attacks — bots — to scrape users’ private information.
“Quite often an attacker’s script will polymorphically change,” says Shape Security CEO Derek Smith, using an industry term for the act of rewriting code to avoid antivirus detection systems. “We’re taking a page from them and changing the structure of a website to change with each page load.”
This innovative approach of fighting fire with fire — and the seasoned founding team running the company — has helped Shape land a total of $26 million from venture capital firms like Kleiner Perkins Caufield & Byers and individual investors like Google’s Eric Schmidt and former Symantec CEO Enrique Salem. (KPCB was also an investor in CEO Smith’s previous company, Oakley Networks, which sold to government defense contractor Raytheon in 2007.)
Smith says the company will likely announce customer names at the RSA Conference in San Francisco later this month. Right now the product is sold as an appliance, called the ShapeShifter, which companies can purchase and hook up to their web servers. But in the near future, Shape plans on rolling out a cloud-based version of its software. How quickly Shape can get big e-tailers, financial services companies, government agencies, and other customers to sign on remains to be seen. But the startup’s founders say they have overcome the biggest technical challenge so far: getting their product to jumble software code without slowing down a website.
“We have to be able to do it in a way that doesn’t add any latency to the customer experience,” Smith says. “There can’t be any customer friction. That’s very difficult to do.”
Now that the company has emerged from stealth mode with a splashy launch, it should have an easier time recruiting people — another challenge it has had in past months. The 60-person Silicon Valley company could soon be hiring engineers with mobile, not just cybersecurity, skills. Smith says the next step is taking Shape’s core “polymorphism” approach to mobile apps. “Once their website is protected, the next most vulnerable are mobile apps so it makes most sense for us to protect those next,” Smith says.
What comes after mobile? Well, Shape will first have to prove its ability to ward off large-scale attacks — online and via mobile apps — and show the world that security startups can bring some fresh thinking to guarding against the growing cybersecurity threats. Even with deep-pocketed, connected investors and a seasoned management team, that could prove to be a challenge.
Correction: Due to an editing error, a previous version of this story likened Shape Security’s product to “crimeware-as-a-service.” Its product is actually used to defend against it.