“Active Testing can detect security vulnerabilities in APIs regardless of who created them. So, if users generate APIs using GPT tools and run our testing suite, our platform will effectively identify and assist in resolving any issues found.”
Hi, Filip. Welcome to the Technology Interview Series. Please tell us about your journey in the technology industry and how you started at Noname Security.
I started in IT over two decades ago on the customer side and soon after moved into consulting through a value-added reseller (VAR) because I was intrigued by the new innovations being introduced at the time. I joined my first IT vendor in 2007 and haven’t looked back since. Working for fast-paced innovative startups is very much in line with my interests as you get to solve really interesting and challenging customer problems. I also feel that early startup employees are more concerned about the mission than their own agenda and customers always come first.
Please tell us a little bit about the latest offering.
Noname Security recently released the next major version of our API Security Testing suite called Active Testing. This solution focuses on helping developers create secure services (through APIs) for their organizations more quickly and confidently. Today, speed to market is of the utmost importance, and if we can deliver speed hand-in-hand with security, we have cracked a real tough nut for our customers.
What kind of problems do you usually solve for your internal stakeholders?
Working in an international organization full of very intelligent people working on many projects simultaneously, I have an aversion to slowing things down for a committee-based approach. I like to believe that I help get things unstuck and done, which I model after Bill Westerman’s GSD approach, which values simplicity and advocates for focusing on the tasks at hand rather than on the task of organizing.
What is the most fascinating aspect of working in API security testing? How has the industry changed in the COVID era?
The aspect I find most fascinating is the large disconnect between what people believe their existing security testing tools can do and the reality of the situation. Most existing tools like SAST and DAST make users believe they have no major issues if they run them against their API estate. This is because they are simply not equipped to understand these modern application concepts, and if an API penetration tester were employed, users would find a myriad of issues. Security and IT teams need to approach APIs according to their own specific properties. Today, APIs handle a majority of traffic and data exchange but users are still blindly trusting them until it is too late, which is why organizations are being inundated and increasingly experiencing public API breaches.
Could you tell us about the major challenges that DevOps face in the post-COVID era?
We have created quite a bit of work for the DevOps teams, making them responsible for a very broad set of issues. We either need to automate the boring parts of their job or accept dealing with a demotivated set of employees letting things slip through the net. Security is a great example of this. Organizations should consider these when considering and incorporating new processes and technologies into their existing tools and workflows, but organizations need to ensure it is done without putting too much additional burden on DevOps teams.
How does software security testing align with the cybersecurity intelligence and threat landscape? Any unique case study that you would like to share with our readers?
API security testing specifically highlights the often hidden attack vector that APIs have become. 83% of internet traffic is said to be API-based, and yet organizations and security teams continue treating them as traditional web applications and use tools not fit for purpose. We should pull APIs in as part of our defense-in-depth strategies.
What are the core features of Active Testing V2? Can it detect malware codes written by malicious GPT tools?
Active Testing can find security vulnerabilities in APIs independent of their author, and thus, if users ask GPT tools to create APIs and then run our testing suite against them, our platform will absolutely find those issues and help you remediate them. It can also set users up for success in terms of building API security best practices which teams could subsequently use as input for GPT-like tools and approaches.
Why do DevOps teams leave the APIs untested? How can untested apps result in cloud security vulnerabilities?
The attack vectors organizations have to deal with are vast and varied. APIs have been passing under the radar for far too long and causing data breaches for major corporations. Once we recognize APIs as the newest, and potentially, largest attack vector, we can start to address these issues more programmatically.
Do you have an AI roadmap in place for managing Infosec and cyber security at Noname Security?
Yes, in fact, we already employ ML and AI in many parts of our suite to identify malicious behavior in API usage so users can easily identify attackers and block them while buying the time needed to implement any particular root cause remediation. Security is becoming increasingly a superhuman problem with too many signals vying for attention. Guided AI-driven remediation will cut down on the workload and avoid things slipping through the cracks.
- Burn the midnight candle or soak in the sun?
- Burn the midnight candle, but I do also swear by my daily run to clear the mind. Nothing clears the to-do list like uninterrupted work when the rest of the household and the majority of your colleagues are asleep.
- Coffee, or Tea?
- Coffee, and lots of it!
- Your favorite Noname Security offering that you want everyone to know about?
- Recon, which provides a completely frictionless (nothing to install, nothing to integrate) way to get insights into your external API attack surface.
- First memorable experience in your career as a technology leader?
- My first big keynote. I’ve had many since and have even had the opportunity to do a keynote with Microsoft CEO Satya Nadella, which despite being virtual, was a surreal experience for me.
- One thing you remember about your employee(s):
- I still remember hiring my first employee as a hiring manager many years ago. I like to look for people that don’t fit a standard mold, give people a chance and they will always surprise you.
- Most useful app that you currently use:
- I’m always flying around the world and dealing with changing travel plans and delays. Flighty keeps me up to date and sane.
Thank you, Filip! That was fun and we hope to see you back on cioinfluence.com soon.
Noname Security provides the most complete, proactive API Security solution. Noname works with 25% of the Fortune 500 and covers the entire API security scope — Discovery, Posture Management, Runtime Protection, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and an office in Tel Aviv.