Why we built Active Testing

May 5, 2022

Tomer Semo Research Team Lead

Post Featured Image

On May 4th, we formally launched Active Testing, an API security testing solution. This incredible product is the result of years of development and close partnership with our customers. You can read more about it in our press release and product page, but I wanted to write a bit about why we decided to build Active Testing, and why we believe that investing in API security testing is so important.

The Missing Piece: API Security Testing

When Noname Security started, we understood from customers that their existing “API security” solutions didn’t provide the protection they were looking for. We listened to customers, worked with them, and created the best runtime security and posture management solutions available for API security.

But we also understood that there was a big opportunity to be proactive and get ahead of the problem. What if we could stop API vulnerabilities before they ever made it to production?

If we could do that, not only would it help our customers shrink their attack surface for APIs, but it could also help them innovate and deliver secure APIs faster.

Stopping vulnerabilities early matters because once a vulnerability reaches production, it only needs to be live for a short time before the results can be catastrophic. If and when APIs are attacked, it can mean leaked customer data, millions of dollars in remediation costs, negative headlines, loss of customer trust, lower employee morale, and more. Even before that, outdated or missing documentation and miscommunication between security and development teams creates organizational friction.

Worse yet, many of these attacks can easily go undetected because it’s not necessary to move gigabytes or terabytes of data out (although that’s possible). More likely, it’s a very precise, targeted exploit such as a BOLA attack.

In many engineering teams today, security testing is often a last step in the development pipeline. After some basic checks, code is pushed to production and security teams become responsible for applications. Even in the best-run, most tightly integrated companies, there is often very little done to test the security of new APIs specifically, let alone those which are already in production yet changing constantly as they’re modified in new releases, sometimes on a daily basis.

Shift Left with API Security

The idea to get ahead of problems has been around in security generally for a while: shift left. Test early and often, throughout the development process, to produce better applications. But there weren’t great options for testing for API security specifically. Most traditional application security testing (AST) tools would only test for basic functionality or would throw random data at APIs to “test” them. 

However, APIs are different: they’re structured, logical, and always exist in the context of other APIs, applications, microservices, etc. They require purpose-built tools to handle these subtle yet very important differences.

From a developer standpoint, their goal is to create new code to meet customers’ needs, not to monitor the rapidly evolving cybersecurity landscape. That’s especially true of API security. They want to maintain speed and want solutions that don’t require additional manual steps or interfere with their day-to-day work. They want a seamless experience that provides valuable, actionable, and quick feedback and is integrated with their existing pipelines. 

The Solution: Active Testing

Active Testing is focused just on that: integrating with their existing process that already tests their code, deliver our security insights, provide optional abilities to automatically reject code that is vulnerable. The developer doesn't press a single button more than in a CI/CD pipeline without Active Testing embedded inside.

Active Testing enables organizations to:

  1. Stop Vulnerabilities Before Production – Through dynamic analysis of APIs in development, companies can reduce remediation costs by 10x to 100x and, when issues do arise, remediate faster through quicker identification of anomalies and better coordination across development, IT, and security teams.
  2. Innovate Faster – Developers can now deliver secure APIs without having to become security experts, reduce drag from tech debt and refactoring for remediation, and reduce their application’s overall attack surface.

When Active Testing is used with Noname’s posture management and runtime protection products, the result is a continuous feedback loop that provides both greater security immediately and compounding reductions in risk over time.

We’re grateful that we get to work with so many amazing customers, including some of the largest companies in the world and in industries that affect all of our lives. Their feedback has been invaluable, and we’ll continue to listen to them, work with them, and create solutions like Active Testing that help them accomplish their most important goals.

If you’d like to learn more about Active Testing, schedule some time with us. We look forward to it.