Applications vulnerability scanning specialist Mu Security released its latest testing appliance on Dec. 11, designed to find potential weaknesses residing in any type of IP-based software program.
Sold under the product name Mu-4000 Security Analyzer, the new appliance is built around the company’s Adaptive Analysis technology, aimed at product developers and service providers wishing to analyze security loopholes in any program based on the IPv4 or IPv6 industry standards.
The appliance was designed in particular to help developers find obscure vulnerabilities that could eventually be used to carry out IT attacks, including so-called zero-day exploits. The Mu-4000 is also designed to help telecommunications carriers and other service providers seek out and close holes in the technologies they support, such as VOIP (voice over IP) calling systems.
In addition to helping companies keep their IP-based applications up and running, Mu Security said the new appliance reduces outsiders’ ability to steal corporate information residing in the scanned programs.
Company officials said the Adaptive Analysis technology provides applications testers with hundreds of server and client-side protocol attack methods, using a large number of authentication techniques running over a dozen transport systems.
In addition to making the tools highly customizable, Mu executives said the appliance’s features will allow users to test for a wider variety of potential vulnerabilities than any similar device or application can promise.
The continued proliferation of sophisticated IT threats such as zero-day attacks, which exploit previously undiscovered vulnerabilities, makes it so that developers and service providers must begin testing their applications more rigorously or face potential disruptions in service, said Adam Stein, vice president of marketing for Mu, based in Sunnyvale, Calif. While traditional scanning tools have largely used known vulnerabilities and malware signatures to test applications for security issues, the Mu box uses “negative testing” to help identify new flaws and virus types.
“We think this is the more proactive way to approach the issue and ensure that problems are caught before applications get deployed on the enterprise and [become able] to expose other IT assets to attack,” Stein said. “We feel that our technology can help companies create a process by which they can address security issues before an application is deployed, or at the time of an upgrade, to ensure that it is vulnerability-free.”
Mu officials said they feel the company has gained a significant advantage over its rivals by bringing a product capable of evaluating IPv4- and IPv6-based applications to market so soon. The IPv6 standard is slated to become a requirement for government infrastructure applications in 2007 and is supported in Microsoft’s recently released Windows Vista operating system.
Mu said it tested the appliance with a number of major customers, including Alcatel-Lucent, Juniper Networks and Motorola, as well as a handful of undisclosed government agencies. During the tests, Mu said, Adaptive Analysis helped Digium’s open-source communications technology software package Asterisk identify and remediate a previously unknown zero-day VOIP vulnerability.
“Companies are currently testing their applications, but not on the level of granularity necessary to catch everything; they don’t yet think like a hacker does,” Stein said. “This is a true hacker-in-a-box approach; many companies are also adding new employees to do this type of testing, but almost everyone is being outstripped by [the] complexity of protocols, especially as applications are being more closely combined to work together. This product makes it so you don’t need to try the few people who really know what they’re doing.”
The Mu-4000 is priced at $40,000 in base trim and runs as high as $300,000 for a model that includes all of the different protocol-mutation testing capabilities offered by the Adaptive Analysis tools.