London – June 21, 2023 – Noname Security, the leading provider of complete API security solutions, today announced the general availability of Active Testing V2 to help organisations leave no API untested. As an integral part of the Noname API Security Platform, Active Testing is the easiest, most advanced, and most complete API security testing solution available.
Building on the success of the pioneering original version of Active Testing, the latest major version helps industry leaders to further "shift left" to stop vulnerabilities from reaching production, innovate faster, and ensure compliance with evolving regulatory requirements.
For Most APIs, Protection Comes Too Late
Today, most APIs are not security tested before they are pushed to production. Quality assurance (QA) processes review apps and APIs for functionality, and some APIs are run through security testing tools, but the limits of these tools means that most APIs are overlooked. This leaves APIs vulnerable, despite handling organisations' most important data, including personally identifiable information (PII), personal health information (PHI), or financial data such as payment card industry (PCI) data.
Forward-thinking organisations have embraced "shift left" and "DevSecOps" methodologies to incorporate security earlier in the development lifecycle. However, traditional testing tools and approaches were not designed to test the security of APIs, leaving organisations exposed. Current challenges include:
- Traditional testing approaches such as SCA, SAST, and DAST don't understand the complex business logic that makes APIs work, but also makes them vulnerable. Many testing solutions only use fuzzing, which brute-forces testing mainly for functionality and only the most basic vulnerabilities.
- Furthermore, many if not most APIs are not even identified by SAST/DAST tools and not actually tested. This is what security experts call "reachability": the ability to successfully consume an API for testing, including both functionally (e.g. "HTTP 200 OK" status) and a logical response (e.g. the body of the response includes expected values).
- DAST especially requires specific calibration to the programming languages used, require significant expertise to set up, offers only limited coverage of business logic, and can take days to deliver results.
Secure From the Start: Shifting Left with API Security
Noname Security Active Testing is a purpose-built API security testing solution that helps organisations easily add API security into their application development process, including continuous integration/continuous deployment (CI/CD) integration, dynamic or static API specification analysis, and more. Built to complement existing security tooling and processes, Active Testing helps organisations to:
- Leave no API untested with a unique ability to find and test every API based on an understanding of the application's business logic.
- Shift left with integrations into the entire software development lifecycle (SDLC). Teams get dynamic API visibility across multiple states and environments throughout the CI/CD process.
- Empower developers with best-in-class usability such as simple setup & automation, in-line test results, and contextual guidance for request failure mitigation.
"Testing the security of APIs in development makes good financial sense," said Shay Levi, CTO & Co-Founder of Noname Security. "Fixing issues earlier in an API's lifecycle can reduce remediation costs by 10x to 100x. With rising costs of re-writing code, regulatory fines, delays to new products, brand impacts, and the drops in shareholder value after breaches, it's no surprise that industry-leaders are actively addressing API security in development."
How Noname Active Testing Helps Eliminate Vulnerabilities
Built from the ground up to specifically address the challenges of testing APIs for security vulnerabilities, Noname Security Active Testing includes:
- Developer-friendly user experience for full coverage and adoption.
- Easy integration with development processes, including CI/CD pipelines, dynamic & static specification analysis, and more.
- 160+ security tests of business-logic exploits, including the OWASP API Top Ten.
- Best-in-class reachability to adapt to the unique business logic of APIs and applications.
- API lifecycle and environment awareness to easily identify when vulnerabilities are introduced and prioritise review.
- Support for all major API types, including GraphQL.
In addition to Active Testing, Noname Security continues to innovate across the entire Noname API Security Platform, including additional capabilities for securing Kubernetes clusters, eBPF functionality, inline remediation options, integrations, and further AI/ML customisation.
To learn more about how Active Testing can help you deliver secure APIs faster, visit nonamesecurity.com/security-testing.
About Noname Security
Noname Security provides the most complete, proactive API Security solution. Noname works with 25% of the Fortune 500 and covers the entire API security scope — Discovery, Posture Management, Runtime Protection, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and Amsterdam.
C8 Consulting for Noname Security
+44 (0)7955 030191