Noname Security was started in 2020 by Oz Golan and Shay Levi. As the story goes, when the founders were required to write down a company name on a legal document, they wrote Noname because they had no name at the time; hence, the coolest company name in the security industry was born.
The startup raised $135M in December 2021, bringing its total to $220M. It also became a unicorn. They are the most impressive startup in our lineup for two reasons: 1) they reached unicorn status within two years after being founded, and 2) they boast of working with 20% of the Fortune 500. By the way, its arch-rival Salt Security, the other API security unicorn, is located a mere 20-minute walk away in Tel Aviv.
- Company: Noname Security
- Founded: 2020
- # of Employees: 302+
- HQ: San Jose
- Raised: $220M
- Founders: Oz Golan (CEO) and Shay Levi (CTO)
- Product: API Security
- Customers: 20% of Fortune 500
Noname is a leader in API security. The startup secures APIs throughout the entire lifecycle, from the build phase to runtime. One of their products is Active Testing, which launched on May 4, 2020.
Active Testing was developed to address the challenges in securing APIs early in the build phase. The team figured building a tool to meet this need could save customers 10x to 100x in remediation costs. Once vulnerabilities move from the build phase to production without being identified, the costs of a breach are magnified significantly.
Active Testing integrates into the CI/CD process with minimal work. Just connect it to an existing environment rather than deploying it, and the magic begins. Securing APIs during the build phase is referred to as Shift Left.
WAF, API Gateways, and API Security
The chief message from API security platform vendors is that WAF and API gateways are inadequate to protect against targeted API attacks. The startup points out that there are hundreds of ways to attack APIs that fall outside the OWASP API Security Top Ten, so more is needed.
One thing they and the rest of the industry agree on is that the WAF is the foundation of the security stack. Other tools like gateways and API security platforms are layers that all work together to shore up a company’s defenses and security posture. Noname describes the purpose of each tool:
- API gateways, which should be placed before API endpoints, authenticate and authorize access to the API. Features usually include rate-limiting, allowlists, blocklists, routing, and traffic management.
- WAFs protect against various attacks, including application attacks, UDP attacks, high-volume attacks of any kind, content scraping, etc. Many are signature-based.
- API Security Platforms allow users to detect misconfiguration and vulnerabilities and monitor attackers across the infrastructure from the build phase to runtime.
- Inventories all APIs and auto-classifies data types
- Active Testing detects vulnerabilities in the build phase
- Identifies misconfiguration and vulnerabilities in runtime
- Protects against business logic abuse, data theft, and fraud
- Provides Swagger/OpenAPI files and specs