Making its name: Noname Security surges solving API vulnerabilities
Co-founder and CTO Shay Levi discusses why the company became focused on APIs and where he wants it to be in five years
“You cannot develop your idea in a vacuum. You have your own perception, but eventually, you have to meet the customers and hear things from them,” said Shay Levi (30), CTO and co-founder of cybersecurity company Noname Security. “When we started the company we went through a process called a sunrise process. It is a process that Cyberstarts, the first VC to invest in us, likes to do with its new companies. The concept is you have a certain idea of a problem you would like to address, and well, the VC has a large network of contacts and so we flew to meet some of them and we just discussed the problem and wanted to hear their feedback.”
“And I think that really helped us to zoom in on API security,” Levi continued. “Because it came up a lot. They said, ‘Yes, it is a big problem. The current solutions are not enough and we are looking for a better solution’.” So Levi and his co-founder, Noname CEO Oz Golan, went to work.
Noname Security co-founder and CTO Shay Levi. Photo: Yossi Zeliger
They founded their company, which focuses on Application Programming Interface (API) security, less than two years ago, and it has raised $85 million to date. The company has about 150 employees worldwide and its clients include two of the largest pharmaceutical companies in the world, one of the largest banks in the world, and one of the biggest retailers.
“When you write software that needs to access information online, it cannot consume it the same way people do, it needs it in a structural form. That is what API comes to serve, providing information to different software,” Levi explained. “All the software to software connectivity for the past 15 years is basically only API.”
To simplify, an API can be described as a software intermediary that enables pieces of software to communicate with one another. For example, a company’s website could use a Google Maps API to provide directions to the office, or a closed bank system could use an API to gather its clients’ information. It could be described as a gateway to information.
However, faulty APIs have been named as causes of recent cyber attacks and data leaks, including the Experian and Peloton revelations from earlier this year and the 2017 T-Mobile and 2018 Google+ scandals, all of which involved massive amounts of leaked data affecting millions of users worldwide. “When an API is vulnerable, I can pull out data in mass from that organization,” Levi clarified. “So it is mainly, not only, but mainly around data security and leakage, a vulnerable API usually leads to data leaks.” Recently, American technology research and consulting company Gartner predicted that “by 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.”
“After seeing this report from Gartner we understood that the problem is going to be massive and there will be a massive need, so we moved really fast,” he said. “What is happening is that most companies now or by 2022 are expected to have some engagement with or some product for API security. So it creates a massive need. We grew as fast as we did because we had to, and we feel the demand.”
What do you hear from your clients and potential clients about their API? What kind of assistance do they ask for?
“First of all, that their API is mission-critical because every important pipeline in their organizations has an API involved in it, because there are two pieces of software, even in the same organization, that are communicating through that channel. Second, that the organization is scattered, they have AWS accounts, GCP accounts, they have a data center over there, and one over there, they have some sites in China, they are all spread around and are not sure where their APIs are. Third, they said API changes so fast. API became so quick, every single developer in a company can develop an API in 15 minutes. Business pushes hard to create more partnerships and deploy a new API for this partner and a new one for that partner, more and more APIs are created and security is lagging,” Levi stated. “These were the three pain points we recognized, they do not know where they are, they do not know what they are doing and they keep changing very fast.”
When discussing the Israeli ecosystem in general, and the cybersecurity sector in particular, Levi has a very clear image of what Noname’s place is within it. “Noname, I think, grows too fast and too successfully for it to be acquired. Our trajectory is extremely fast, we were founded a year and a half ago, and it is going well so I do not think we can be considered for being acquired, and in my eyes it is unlikely. Eventually, we will go for an IPO, every company that gets big enough goes for one, I do not know how big it will get afterward but we will get there.”
“In five years, Noname will not only be doing API security. We will still be the leader of API security but will not be doing just that. We know where we want to go,” he added.