You can’t secure what you can’t see — time to shine a light on APIs
Over the last several years, we’ve witnessed the rapid rise of APIs as the de facto interface for applications. New services and platforms are often developed with an API-first design philosophy, with the API as the first-class interface and the UI and/or CLI built on top of it. The underlying reasons for this trend are simple:
- Automation: APIs make it a lot easier to automate day-to-day work.
- Componentization: Breaking down an application into multiple services communicating over APIs has benefits in both development and operations.
- Unification: You can have a single API serve multiple interfaces: web, mobile, tablet etc.
- Simplicity: APIs are essentially stateless channels to data and so they are faster and easier to develop.
- Collaboration: APIs enable business collaborations in a unified way with minimal friction.
However, this direction is not without its challenges. With the rise of APIs, the surface area of potential security flaws, data leakage or compromise has also increased.
Understanding The Core API Challenges
Oz Golan and Shay Levi, Co-founders at Noname Security, learned more about these challenges and then some when they interviewed dozens of security practitioners to better understand their top challenges. Over and over they heard the same sentiment:
We know we have tens of thousands of APIs, but we don’t have a complete understanding of:
- How many APIs are being used? Do I have a “Shadow APIs” problem? Any deprecated APIs still in production?
- How are my APIs being used and what data is being shared across them?
- Which ones present the most critical security challenges? And,
- What to do about those?
To us at Lightspeed, this feels similar to what we were hearing from customers earlier this decade regarding their use of SaaS applications. That lack of visibility into SaaS usage and associated risks led to the rise of the CASB market and iconic companies like Netskope (LSVP portfolio company). A similar lack of visibility in container-based environments led to the rise of fast-growing companies like Aqua Security (LSVP portfolio company). There is now an ongoing struggle within enterprises to track the rise of APIs and “Shadow APIs” and to evaluate and address the associated security risks.
Existing security controls are largely API-blind: they operate either at L3/4 of the network (IP address, domain, network segment) or focus purely on web applications (Web Application Firewalls). These products provide no visibility into the APIs themselves or how they are used, and so cannot assess API risk or help mitigate it. Newer attempts to solve the problem have built their entire architecture on the premise that all of an organization’s APIs are routed through a central API gateway — a premise that turned out to be false in every organization we have examined.
Building a Comprehensive Platform for API Security
The Noname team took this feedback and went to work on building a comprehensive platform that addressed every aspect of securing APIs. The core capabilities they focused on include:
- OBSERVE: Discover all the APIs in your infrastructure, provide visibility into API calls across applications.
- ORIENT: Monitor and detect anomalous behavior at the API level, for both API requests as well as responses that may be leaking sensitive data to malicious actors.
- DECIDE: Decide which APIs are the most critical ones to fix using risk scores.
- ACT: Assess which recommendations to implement to secure the APIs.
This is the same OODA loop that has become a core framework among security practitioners (with roots in military strategy).
The platform is architected for seamless and easy insertion into a company’s existing application stack and to deliver visibility and results within minutes — no application changes, no changes to the deployment, nothing inline. In our customer calls, security teams loved this aspect of the platform.
One CISO compared the first few minutes after installation to the moment in The Matrix when Neo sees the code and truly understands what’s going on!
The platform then ingests this raw data and uses ML/AI to infer and reconstruct all of an application’s API calls, their structure, and the associated data, building a real-time graph of the application. Once installed with a few clicks, the platform provides deep visibility into APIs and sensitive data, delivers actionable insights, and allows granular policy definition.
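To make the OBSERVE/ORIENT/DECIDE steps above concrete, here is a small added example of API discovery and risk scoring over captured traffic. It is illustrative code written for this post, not Noname’s software, and it assumes a passive tap has already produced (method, path, status, response body) records. The traffic sample, the declared inventory, the sensitive-data patterns and the scoring weights are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of observed API traffic (method, path, status, response body
# excerpt), as a passive network tap might record it. Not real data.
OBSERVED = [
    ("GET",  "/api/v1/users/1042",     200, '{"id":1042,"email":"a.smith@example.com"}'),
    ("GET",  "/api/v1/users/1043",     200, '{"id":1043,"email":"j.doe@example.com"}'),
    ("POST", "/api/v1/orders",         201, '{"order_id":9001}'),
    ("GET",  "/api/v1/orders/9001",    200, '{"order_id":9001,"card":"4111 1111 1111 1111"}'),
    ("GET",  "/api/v0/export",         200, '{"rows":[{"ssn":"123-45-6789"}]}'),
    ("GET",  "/internal/debug/config", 200, '{"db_url":"postgres://..."}'),
    ("GET",  "/api/v1/health",         200, '{"ok":true}'),
]

# Constructed declared inventory: what the organisation believes is in production,
# keyed by method + normalised path. "deprecated" marks endpoints slated for removal.
DECLARED = {
    ("GET",  "/api/v1/users/{id}"):  {"deprecated": False},
    ("POST", "/api/v1/orders"):      {"deprecated": False},
    ("GET",  "/api/v1/orders/{id}"): {"deprecated": False},
    ("GET",  "/api/v1/health"):      {"deprecated": False},
    ("GET",  "/api/v0/export"):      {"deprecated": True},
}

# Illustrative detectors for sensitive data in response bodies.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum so that arbitrary long numbers are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_path(path: str) -> str:
    """Collapse numeric and UUID-like segments into {id} so one endpoint is one key."""
    out = []
    for seg in path.split("/"):
        if seg.isdigit() or re.fullmatch(r"[0-9a-fA-F-]{32,36}", seg):
            out.append("{id}")
        else:
            out.append(seg)
    return "/".join(out)


def detect_sensitive(body: str) -> set:
    """Return the kinds of sensitive data found in a response body."""
    found = set()
    for kind, pat in SENSITIVE_PATTERNS.items():
        for m in pat.finditer(body):
            if kind == "card" and not luhn_ok(m.group()):
                continue
            found.add(kind)
    return found


def build_inventory(observed):
    """OBSERVE: group traffic into endpoints and record what each one returns."""
    inv = defaultdict(lambda: {"calls": 0, "sensitive": set()})
    for method, path, status, body in observed:
        key = (method, normalise_path(path))
        inv[key]["calls"] += 1
        if 200 <= status < 300:          # only successful responses leak data
            inv[key]["sensitive"] |= detect_sensitive(body)
    return dict(inv)


def assess(inventory, declared):
    """ORIENT/DECIDE: flag shadow, deprecated and leaking endpoints; score them.
    Weights are illustrative assumptions, not a published scoring model."""
    findings = []
    for key, rec in inventory.items():
        reasons, score = [], 0
        if key not in declared:
            reasons.append("shadow: observed but not in declared inventory")
            score += 5
        elif declared[key]["deprecated"]:
            reasons.append("deprecated endpoint still receiving traffic")
            score += 3
        for kind in sorted(rec["sensitive"]):
            reasons.append(f"response exposes {kind}")
            score += 4
        if reasons:
            findings.append({"endpoint": f"{key[0]} {key[1]}", "calls": rec["calls"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["endpoint"]))
    return findings


if __name__ == "__main__":
    for f in assess(build_inventory(OBSERVED), DECLARED):
        print(f"[{f['score']:>2}] {f['endpoint']} ({f['calls']} calls): {'; '.join(f['reasons'])}")
```

Running it ranks the deprecated `/api/v0/export` endpoint first (still in production and returning SSNs), then the undeclared `/internal/debug/config` shadow endpoint, then the two declared endpoints whose responses carry card numbers and e-mail addresses; the `health` and `POST /orders` endpoints produce no finding. Path normalisation is what turns thousands of distinct URLs into a countable inventory, and the Luhn check keeps order numbers and timestamps from being mistaken for card data.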
Rapid Enterprise Adoption
One thing that stood out even in our earliest conversations with Oz and Shay was how obsessed they were with understanding customer pain points. They have dozens of design partners — these enterprises get regular updates from the Noname engineering team and contribute back into product development with key insights on what features they’d like to see in the platform. Between existing customers and design partners, today Noname is engaged with some of the leading global enterprises in retail, banking, insurance, technology, and healthcare.
Today, we are announcing Lightspeed’s investment in Noname Security — leading their $25M Series A round. I’m thankful for the opportunity to be able to partner with this amazing team. We are watching the birth of a brand new category as the use of APIs continues to grow exponentially and the associated risks grow commensurately. The team is hiring rapidly across every function — sales, marketing, and engineering — please check out more details here: Noname Security and ask them for a demo. Whether you are an enterprise team trying to get a handle on your APIs, or a future team member, Noname would love to hear from you!
By Guru Chahal