Noname Security, the provider of complete API security solutions, is announcing the general availability of Active Testing V2, the latest iteration of the API security testing solution that eliminates vulnerabilities and ensures compliance in the midst of rapidly changing regulatory requirements. Active Testing V2 enables enterprises to protect their APIs before production, ultimately driving a “shift left” approach that adds API security into the application development process.
According to Noname Security, many APIs are not tested for security before they go into production; despite quality assurance and limited testing tools, these APIs are exposed to potential threats while holding an enterprise’s most sensitive and valuable data. Data like personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) information is left vulnerable without a robust, thorough API security testing solution.
“API vulnerabilities are starting to become front and center for most organizations. The cost of those breaches typically runs into the millions of dollars, but they also take a lot of time, resulting in reputational damage as well, simply because APIs have become the default way systems interconnect and exchange data,” explained Filip Verloy, field CTO at Noname Security. “So, attacking these APIs has piqued the interest of malicious users more and more because it's such a straightforward and easy entryway into organizations these days.”
Traditional approaches to security testing, such as SCA, SAST, and DAST, do not account for the business logic behind an API, often relying on “fuzzing” as a brute-force form of testing that checks only for functionality and basic weaknesses.
Adding to the inefficiencies of traditional testing methods, many APIs are not even identified by SAST/DAST, leaving them untested and massively vulnerable to attacks. DAST is also relatively difficult to set up, requiring specific technical expertise and enterprise time before it surfaces any sort of result.
“A lot of people have misunderstood and underestimated APIs,” said Verloy. “All of the prospects that we talked to, and all the customers that we have, they of course have an existing set of security controls already…but what ended up happening is that people tried to use those tools for API security testing as well, and that simply doesn't work. That's really why we needed this dedicated tooling.”
Noname Security Active Testing is purpose-built for easy API testing, able to find and test every API based on an understanding of the business logic of any application. When an API is in development, no real traffic is being fed through it, which leads to the often tedious manual labor of figuring out how all the working parts of the API will come together in reality. With Active Testing, this understanding of traffic is entirely automated and is built directly into the application development process, including continuous integration/continuous deployment (CI/CD) integration, dynamic or static API specification analysis, and more. The solution offers over 160 security tests of business logic exploits and supports all major API types, including GraphQL.
The security solution’s developer-friendly user experience offers best-in-class usability, characterized by simple setup and automation, in-line test results, and contextual guidance. With a dynamic view of APIs throughout multiple states and environments, Active Testing pinpoints when vulnerabilities are introduced and prioritizes issues for review.
“At a high level, [this release is] about more automation, leading to faster time-to-market and less developer toil,” said Verloy. “There seems to be this drive to put more and more operational aspects in the hands of the developers themselves. [With Active Testing V2,] the idea is, if we can automate away all of these things [security], then they wouldn't have to worry about integrating security testing into their existing workflows…it becomes an almost invisible part of the developer workflow, and ultimately leads to more secure code, faster.”
To learn more about Active Testing V2, please visit https://nonamesecurity.com/.