Akamai Technologies completed its acquisition of Noname Security for about $450 million, which along with its earlier Neosec buy marks Akamai's efforts to expand its API security offerings amid increasing threats and customer demand.
APIs are at the foundation of most modern applications, enabling services from different locations to be integrated into a platform. As a result, APIs become one of the most attractive vectors for attackers in recent years. Akamai’s data shows that API attacks are increasing by 109% year over year.
“The APIs became the connected tissue of this hyperconnected digital economy that we live in, and it fits very well in the Akamai broader vision because we are all about protecting and securing the applications, and APIs are the sort of extension of that,” Rupesh Chokshi, SVP & GM of application security at Akamai Technologies, told SDxCentral.
Enhancing API Security capabilities with Noname Akamai’s acquisition of Noname followed its earlier purchase of Neosec, an API detection and response platform based on data and behavioral analytics.
“The Noname acquisition comes in from the lens that we've been in the market for a year or so because we had a previous acquisition of Neosec,” Chokshi said. “Entering the market, we saw a lot of customer adoption [across] different industries or verticals. Noname has a broad, vast product platform, lots of integration, deployment model, ease of use, a great user experience, etc.”
Chokshi admitted Noname and Neosec have “some level of product overlap.”
Neosec’s API security platform is designed to secure customers’ APIs by helping them discover all of their APIs, assess their risk and respond to vulnerabilities and attacks.
Noname also helps customers discover “shadow” APIs — undisclosed ones that might be vulnerable to attacks. It also offers shift-left API testing; flexible deployment across cloud-hosted, self-hosted, hybrid and distributed instances; and provides a broad range of collection of integrations, including Nginx, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), F5 Networks, Apigee and MuleSoft.
Akamai plans to build a unified platform based on the Noname platform that utilizes insights and capabilities from the Neosec deal.
“Going forward product platform is the Noname platform,” Chokshi said. “We are already starting to do the ‘better together’ work where we have certain things that we are bringing together. For example, we will in a few weeks launch a native connector where we can take all the Akamai’s customer traffic and data and seamlessly bring into the Noname platform for discovery, visibility, etc.”
Akamai aims to offer a complete API Security solution Chokshi said that one of the key values of a platform is offering a complete API Security solution that covers the entire life cycle, which includes four pillars: API discovery, posture management, runtime detections with real-time analysis and API testing during the development phase.
He highlighted the shift-left testing that incorporates API testing into the CI/CD pipeline to ensure that issues are resolved before the API is released into production. “The main purpose is to find and remediate the vulnerabilities” in the pre-production environment before they can be exploited, Chokshi explained.
Why a WAAP platform is not enough to address API attacks Akamai also noted that web application and API protection (WAAP) platforms can’t solve all types of API attacks, falling short of providing the visibility and depth of API security. That’s one reason why the WAAP leader is integrating with Noname and Neosec to advance its API Security solution.
“API security requires a little bit more of maybe a camera and watching everything that is happening,” Chokshi said, adding that API Security use cases can vary from API abuse and API vulnerability attacks to web and internal application issues.
“All of these applications that are running on top of it are calling different APIs to invoke functions within the network. So we start getting to so many expanded use cases and that's why I think the WAAP is an important capability, and customers have it and should continue to have it,” Chokshi said. “I think the attack surface and problem solving that we need to do with API security is slightly different and broader.”