Noname Security gets $135M to ‘proactively’ lock down APIs

API protection startup Noname Security, which today disclosed a $135 million series C funding round at a post-money valuation of $1 billion, said it has landed customer engagements with 20% of the companies in the Fortune 500 during its first year in the market. The company’s platform brings powerful capabilities for “proactively” remediating API vulnerabilities, along with offering rapid deployment thanks to its agentless and cloud-native approach, Noname cofounder and CEO Oz Golan told VentureBeat.

Using a broad analysis of configurations, traffic, and code, the Noname platform detects and prevents potential exploits of API vulnerabilities in real-time, according to the company. The platform also offers the ability to discover and remediate misconfigured APIs on a proactive basis, protecting customers against the theft of sensitive data, Noname says.

Meanwhile, the platform’s ease of installation, compared to products that require agents or proxies, is “part of the reason why we’ve managed to scale up this fast,” Golan said in an interview.

Noname and its API security platform launched out of stealth in December 2020. Among the Fortune 500 companies now using the platform are two of the world’s five largest pharmaceutical firms, one of the world’s three largest retailers, and one of the world’s three largest telecoms, the company says.

API insecurity

APIs, or application programming interfaces, have become increasingly essential for enterprises as they seek to become digital businesses. The software serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.

However, cyber attackers have taken notice, and APIs have quickly turned into a popular target. Several API security vendors have reported a surge in API-based attacks during 2021. And by 2022, the vast majority of web-enabled apps — 90% — will have more surface area exposed for attack in the form of APIs than via the human user interface, according to Gartner research.

“I think attackers are seeing that APIs are not overly complicated to attack and to compromise,” said Karl Mattson, chief information security officer at Noname Security, in an interview with VentureBeat in November.

‘Leaky’ APIs

The most frequent API-based attacks involve exploitation of an API’s authentication and authorization policies, he said. In these attacks, the hacker breaks the authentication and the authorization intent of the API in order to access data.

“Now you have an unintended actor accessing a resource, such as sensitive customer data, with the organization believing that nothing was awry,” Mattson said.

This so-called “leaky API” issue has been behind many of the highest-profile breaches related to APIs, he said.

Another issue is that API calls are now being used to start or stop a critical business process — for instance, a broadcasting company that initiates a broadcast stream or a power company that turns a home’s electricity on or off using an API call, Mattson said. That level of dependence on APIs raises the security stakes even further, he said.

Product plans

To proactively analyze and secure APIs, Noname’s platform heavily uses AI-driven automation, Golan said. For instance, by using AI, the platform can create a baseline for the typical behavior of an API. And if there’s ever a deviation in that behavior, the platform can alert and take action—”completely automatically,” Golan said.

“So it’s actually helping organizations to protect themselves not only from the known issues, but also from the unknown, which is super crucial,” he said.

Looking ahead to 2022, Noname plans to enhance its platform with additional security features to assist developers, according to Mattson. A new “active testing” module will perform vulnerability checks, source code testing, and configuration checks prior to an API’s release—allowing customers to fix any vulnerabilities prior to release into production, he said.

“So where we started as a runtime offering, now that active testing will allow us to go earlier in the lifecycle,” Mattson said.

Unicorn status

With the new funding round and valuation, Noname said it has become the first company focused on API security to achieve a billion-dollar “unicorn” valuation.

The series C round was led by Georgian and Lightspeed Venture Partners. Other participating investors included Insight Partners, Cyberstarts, Next47, Forgepoint Capital, and The Syndicate Group.

The funding will go toward expanding the company’s go-to-market and R&D teams. Noname currently employs 200.

The company, which had most recently raised a $60 million series B round in June, has now raised $220 million in funding to date. Noname was founded by Golan and chief technology officer Shay Levi, both formerly of Unit 8200 of the Israeli Intelligence Corps.