
Noname CTO: “Security will never be more important than the business.”


One of the basic tenets of Noname Security is that they almost never say ‘no’ when customers ask them to research and add something to their platform. We spoke to Shay Levi, the CTO and co-founder of this company that specializes in API security.

Shay Levi is currently where he more or less saw himself a while ago. “I always wanted to build a company and also always knew it would be a cybersecurity company,” he indicates. That it would be specifically about API security he could not have known at the time. Together with his co-founder (Oz Golan), whom he had known for about a decade after completing stints in the IDF and Facebook, he had several ideas: “We were looking at data security, SaaS security and problems with APIs in general.”

In the end, it was mostly a matter of finding pain points that organizations wanted or needed to address. Before Noname Security would eventually be founded by Levi and Golan, that was the main challenge. Hence, there were extensive discussions with their investor. Perhaps more important were the discussions they had with CISOs from large companies. “Those conversations caused us to focus on API security,” Levi notes. “Those CISOs really wanted to solve this problem, but didn’t know how.”

Rapid growth since 2020

Noname Security has been a so-called unicorn since the end of 2021. That means the company then represented a market value of at least $1 billion. Considering that the company was founded in 2020, that is extremely rapid growth in market value. Part of this may have to do with the somewhat inflated rhetoric around API security. Gartner made a solid contribution to that last year, stating that APIs will be the primary attack route by 2022. Statements like that obviously drive up the market value of API security companies.

Of course, the rapid rise of a company like Noname Security is not simply attributable to rhetoric around the subject. API security does pose a problem for many organizations. We covered this quite extensively in the past years as well (see the links elsewhere on this page for some examples). Besides an extensive article about API security in general, we also recorded an episode of our Techzine Talks podcast about it. The latter is in Dutch, unfortunately, so we won’t promote it here. In addition, many CISOs also saw this problem, as we noted above.

Noname’s rapid growth is not entirely attributable to the choices they wanted to make at the company itself. There was a significant sense of urgency as well. “In March 2020, we understood very well that we had to enter the market very quickly with a relevant solution,” Levi indicates. They had to, because the problem of API security was only increasing. The culture within the company certainly helped with this as well, according to Levi. He talks about a pedal-to-the-metal culture within Noname. As a result, it took only five months to put together an MVP of their API security solution/platform. This wasn’t just any MVP, by the way, Levi says: “You could actually run this one, in a real environment.” Of course, it was not yet ready to be deployed in enterprise environments, he also readily admits. That followed very quickly after the MVP was released.


Customers are leading for Noname

One of the reasons that Noname has become so successful so quickly, according to Levi, is the fact that they listen very carefully to their customers. That’s something we hear everyone saying these days. So we are not all that impressed by that statement itself. Based on what we hear from Levi, however, Noname doesn’t only talk the talk, but also walks the walk. The basic principle at this point is very simple, according to him: “We very rarely say ‘no’ to our customers when they want something.” The promise from Levi is that this will continue to be the case toward the future. Of course, there are exceptions here as well. For example, it is extremely difficult to cover all of the very rare APIs. That is why Noname will not enter the IoT market.

Saying that you will rarely say ‘no’ is one thing; the underlying technology obviously has to be able to handle it. Hence, Levi and Golan chose not to use a high-level programming language to design the platform. Everything is built in C and C++. “We need to do that if we want to be able to handle huge data streams as a platform and be able to scale,” he reasons.

At this point in the conversation, Levi gives an example of their customer-centric way of developing. Very early in their existence, Noname was asked if they could make their solution suitable for on-premises deployment. That was quite an undertaking. It is probably one of the reasons that other vendors of API security do not offer this. Noname did. “That’s why many organizations like to work with Noname,” Levi argues. In his view, the argument that something is difficult to implement should never be a reason not to do it. It most likely did help that Noname only just existed at the time of this request. Early in your existence, you often have a little more flexibility to adjust things. On the other hand, API security as a whole is a young market, so other vendors could have done the same.

Noname Security founders Shay Levi (right) and Oz Golan

Potential of API security is huge

Noname Security generally keeps an open mind about where the company may go next. In other words, how can they make API security as relevant as possible? “It all started with APIs that organizations build themselves, but we are now also moving more toward external APIs,” Levi indicates. This includes APIs used by other vendors, but also, for example, the large integration platforms on the market. API security now touches a lot of parts of the larger market. After all, almost everything is API-driven these days.

Seeing that there are huge opportunities for API security, however, does not mean that Noname is going to take it all on. “We understand that we can’t do everything,” Levi admits. “The first and most important goal is to be a leader in the API security market,” according to him. Beyond this goal, it’s a matter of listening to customers. And especially listening very carefully to what is relevant to them. What has the highest priority? That’s what Noname can or should then possibly address.

From runtime security to active testing

One of the recent outcomes of Noname’s strategy of listening closely to customers is the launch of Noname Security Active Testing. This makes it possible to test APIs before a developer releases them into production. This product is a direct result of a conversation Levi had with a large financial institution. “That potential customer stated very clearly that Noname would only be relevant to them if they were going to do API security testing,” is how Levi summarizes that conversation in one sentence. That leaves nothing to be desired in terms of clarity. If such a customer asks for something like this, chances are there is a market for it within the industry in which it operates. So Noname was basically eager to develop such a solution.

Active Testing, however, is a completely different beast from the API security that Noname had been offering customers until then. That focused on checking APIs at runtime. Basically, that’s a reactive process. That is, the Noname platform reacts to what comes along in terms of APIs. If it sees things that aren’t right, it reports them. API testing, on the other hand, is a proactive exercise. This involves testing APIs before you put them into a production environment.

Developing Active Testing was quite a step for Noname. “It wasn’t easy to develop this, we had to more or less build everything completely from scratch,” Levi points out. Because it’s such a fundamentally different process, there was virtually nothing Noname could reuse from the existing platform. Testing APIs means dealing with different actions. You have to call the API, create resources and users, something you don’t have to do in runtime security.

Conclusion: security must adapt

Active Testing is a good example of shift-left. By allowing developers to work only with demonstrably secure APIs, you bring security back a little closer to the source. Even further to the left doesn’t make much sense, according to Levi. You could include it in your IDE, but then you have to ask yourself what this gets you at the end of the day. “You then only get insight, not good feedback,” he argues. Often, IDEs include a lot of things anyway that never make it into production. So it might actually become an obstacle for developers. It then mainly gets in the way during development. “Developers are very much focused on what something brings to the business, not so much on security requirements,” he summarizes.

At the end of the day, there will always be some friction between business and security. “Shift-left is an interesting development, but security will never become more important than the business,” Levi states toward the end of our conversation. That’s something security vendors must also be keenly aware of themselves: “Security must adapt and ask the question of how it stays relevant.” That is exactly what Noname Security does. It listens to customers’ needs and, if necessary, addresses those. This approach will ensure that Noname Security will remain relevant for the foreseeable future.