Noname Security, leader in providing complete API security solutions, recently announced the general availability of Active Testing V2 to help enterprises leave no API untested. Active Testing is an integral component of the Noname API Security Platform and is the easiest, most advanced, and most complete API security testing solution available. The new version of Active Testing builds on the pioneering success of the original version to help organizations further “shift left” to innovate faster without letting vulnerabilities reach production or neglecting compliance with ever-changing regulatory requirements.
Most APIs Reach Production Untested
Unfortunately, a majority of APIs today are pushed to production without being security tested. Quality assurance (QA) processes evaluate APIs and apps for functionality, and some APIs are run through security testing tools, but these tools’ limitations leave most APIs overlooked. As a consequence, despite handling enterprises’ most important data, such as personal health information (PHI), personally identifiable information (PII), or financial data including payment card industry (PCI) data, APIs are left vulnerable.
Enterprising organizations have shifted left and leaned into DevSecOps methodologies to integrate security earlier in the development lifecycle. However, traditional testing approaches and tools were not developed to security test APIs, exposing organizations to vulnerabilities. At present, security challenges include:
- Traditional testing approaches such as SCA, SAST, and DAST are unable to comprehend the complex business login that makes APIs work and also makes them vulnerable to threat. Several testing solutions only rely on fuzzing, which brute-forces testing mainly for functionality and the most basic vulnerabilities.
- To make matters worse, most APIs are not identified by SAST/DAST tools and not actually tested. They lack “reachability,” which is the ability of a testing tool to successfully consume an API for testing.
- DAST needs specific calibration to the programming languages used and significant expertise to set up, provides only limited coverage of business logic, and can take days to deliver results.
Shift API Security Left with Active Testing
Noname Security Active Testing is a purpose-built API security testing solution that lets enterprises easily integrate API security into their application development process, including continuous integration/continuous deployment (CI/CD) integration, dynamic or static API specification analysis, and more. Active Testing is built to complement existing security processes and tools, allowing enterprises to:
- Shift left with integrations into the entire software development lifecycle (SDLC). Teams gain dynamic API visibility across multiple states and environments throughout the CI/CD process.
- Leave no API untested with a unique ability to discover and test every API based on an understanding of the application’s business logic.
- Offer developers the best-in-class usability such as simple setup and automation, in-line test results, and contextual guidance for request failure mitigation.
“Testing the security of APIs in development makes good financial sense,” says Shay Levi, CTO & Co-Founder of Noname Security. “Fixing issues earlier in an API’s lifecycle can reduce remediation costs by 10x to 100x. With rising costs of re-writing code, regulatory fines, delays to new products, brand impacts, and the drops in shareholder value after breaches, it’s no surprise that industry-leaders are actively addressing API security in development.”
Noname Active Testing Helps Eliminate Vulnerabilities
Developed specifically to address the challenges of testing APIs for security vulnerabilities, Noname Security Active Testing includes:
- Easy integration with development processes, including CI/CD pipelines, dynamic and static specification analysis, and more.
- Developer-friendly user experience for full coverage and adoption.
- Best-in-class reachability to adapt to the unique business logic of APIs and applications.
- Over 160 security tests of business-logic exploits,including the OWASP API Top Ten.
- API lifecycle and environment awareness to easily recognize when vulnerabilities are introduced and prioritize review.
- Support for all major API types, including GraphQL.