APIs — The New Frontier in Observability and Security.

Guru Chahal
Dec 15, 2020 · 5 min read

You can’t secure what you can’t see — time to shine a light on APIs

Pictured (left to right): Noname Security Co-founders Oz Golan and Shay Levi.

Over the last several years, we’ve witnessed the rapid rise of APIs as the de facto interface for applications. New services and platforms are often developed with an API-first design philosophy: the API is the first-class interface, and the UI and/or CLI are built on top of it. The underlying reasons for this trend are simple:

  • Automation: APIs make it a lot easier to automate the day-to-day.
  • Componentization: Breaking down an application into multiple services communicating over APIs has benefits in both development and operations.
  • Unification: You can have a single API serve multiple interfaces: web, mobile, tablet etc.
  • Simplicity: APIs are essentially stateless channels to data and so they are faster and easier to develop.
  • Collaboration: APIs enable business collaborations in a unified way with minimal friction.
User-to-software interaction is decreasing while software-to-software interaction is increasing.

However, this direction is not without its challenges. With the rise of APIs, the surface area of potential security flaws, data leakage or compromise has also increased.

Understanding The Core API Challenges

We know we have tens of thousands of APIs, but we don’t have a complete understanding of:

  1. How many APIs are being used? Do I have a “Shadow APIs” problem? Any deprecated APIs still in production?
  2. How are my APIs being used and what data is being shared across them?
  3. Which ones present the most critical security challenges?
  4. What should we do about those?

To us at Lightspeed, this feels similar to what we were hearing from customers earlier this decade regarding their use of SaaS applications. That lack of visibility into SaaS usage and associated risks led to the rise of the CASB market and iconic companies like Netskope (LSVP portfolio company). A similar lack of visibility in container-based environments led to the rise of fast-growing companies like Aqua Security (LSVP portfolio company). There is now an ongoing struggle within enterprises to track the rise of APIs and “Shadow APIs” and to evaluate and address the associated security risks.

Existing security controls are largely API-blind: they operate either at L3/4 of the network (based on IP addresses, domains, or network segments) or are focused purely on web applications (Web Application Firewalls). These products fail to provide visibility into the APIs and their usage, and are thus unable to assess risk or help mitigate it. Newer attempts to solve the problem have built their entire architecture on the premise that an organization’s APIs are all routed through a central API gateway — a premise that turned out to be false in all organizations we have examined.

Building a Comprehensive Platform for API Security

  1. OBSERVE: Discover all the APIs in your infrastructure, provide visibility into API calls across applications.
  2. ORIENT: Monitor and detect anomalous behavior at the API level, for both API requests as well as responses that may be leaking sensitive data to malicious actors.
  3. DECIDE: Decide which APIs are the most critical ones to fix using risk scores.
  4. ACT: Assess which recommendations to implement to secure the APIs.

This is the same OODA loop that has become a core framework among security practitioners (with roots in military strategy).

The platform is architected for seamless and easy insertion into a company’s existing application stack and to deliver visibility and results within minutes — no application changes, no changes to the deployment, nothing inline. In our customer calls, security teams loved this aspect of the platform.

One CISO compared the first few minutes after installation to the moment in The Matrix when Neo sees the code and truly understands what’s going on!


The platform then ingests this raw traffic data and uses ML/AI to infer and reconstruct all of an application’s API calls, their structure, and the associated data, building a real-time graph of the application. Once installed with a few clicks, the platform provides deep visibility into APIs and sensitive data, surfaces actionable insights, and allows granular policy definition.
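To make the OBSERVE/ORIENT/DECIDE steps above concrete, here is a small added example (my illustration, not Noname Security’s code, and not a description of how its platform works internally). It takes a handful of constructed access-log lines, reconstructs endpoint templates from raw paths, compares them against a declared inventory to flag shadow and deprecated APIs, scans successful responses for a couple of sensitive-data patterns, and ranks endpoints with a simple risk score. The log format, the declared inventory, the sensitive-data patterns and the scoring weights are all assumptions chosen for the example.

```python
import re

# Constructed sample traffic in the form "timestamp method path status response-body".
# These lines are invented for the example, not real customer data.
SAMPLE_LOG = [
    '2020-12-15T10:00:01Z GET /api/v2/users/42 200 {"id":42,"name":"Ann"}',
    '2020-12-15T10:00:02Z GET /api/v2/users/43 200 {"id":43,"name":"Bob"}',
    '2020-12-15T10:00:03Z POST /api/v2/orders 201 {"order":"7f1c"}',
    # a deprecated v1 path that still answers, and returns an e-mail address
    '2020-12-15T10:00:04Z GET /api/v1/users/42 200 {"id":42,"email":"ann@example.com"}',
    # an undocumented ("shadow") endpoint returning card numbers
    '2020-12-15T10:00:05Z GET /internal/export/9a3f8d2e-1c4b-4f6a-9e1d-2b3c4d5e6f70 200 {"card":"4111 1111 1111 1111"}',
    '2020-12-15T10:00:06Z GET /internal/export/1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d 200 {"card":"5500 0000 0000 0004"}',
    '2020-12-15T10:00:07Z GET /api/v2/users/44 404 {"error":"not found"}',
]

# Assumption: the organisation's documented inventory, as (method, path template)
# pairs the way an OpenAPI document would list them.
DECLARED = {("GET", "/api/v2/users/{id}"), ("POST", "/api/v2/orders")}
DEPRECATED = {("GET", "/api/v1/users/{id}")}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUM_RE = re.compile(r"^\d+$")

# Deliberately simple patterns for data classes a response should rarely carry.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Illustrative weights: undocumented endpoints are the biggest unknown,
# and every sensitive data class observed in a response adds to the score.
KIND_WEIGHT = {"shadow": 3, "deprecated": 2, "declared": 0}
SENSITIVE_WEIGHT = 2


def normalize_path(path: str) -> str:
    """Collapse identifier-like segments into {id} so that /users/42 and
    /users/43 are recognised as one endpoint template."""
    return "/".join(
        "{id}" if NUM_RE.match(seg) or UUID_RE.match(seg) else seg
        for seg in path.split("/")
    )


def parse_line(line: str):
    """Split one log line; the body may itself contain spaces, so split at most 4 times."""
    _ts, method, path, status, body = line.split(" ", 4)
    return method, path, int(status), body


def classify(endpoint) -> str:
    """Label a (method, template) pair against the declared inventory."""
    if endpoint in DEPRECATED:
        return "deprecated"
    if endpoint in DECLARED:
        return "declared"
    return "shadow"


def build_inventory(lines):
    """OBSERVE: reconstruct endpoint templates and what they return from raw traffic."""
    inventory = {}
    for line in lines:
        method, path, status, body = parse_line(line)
        key = (method, normalize_path(path))
        rec = inventory.setdefault(key, {"calls": 0, "statuses": set(), "sensitive": set()})
        rec["calls"] += 1
        rec["statuses"].add(status)
        # ORIENT: only successful responses can leak data to the caller
        if 200 <= status < 300:
            for name, pattern in SENSITIVE.items():
                if pattern.search(body):
                    rec["sensitive"].add(name)
    return inventory


def risk_score(kind: str, rec) -> int:
    """DECIDE: a coarse score used only to rank which endpoints to look at first."""
    return KIND_WEIGHT[kind] + SENSITIVE_WEIGHT * len(rec["sensitive"])


def analyze(lines):
    """Return one row per reconstructed endpoint, highest risk first."""
    rows = []
    for (method, template), rec in build_inventory(lines).items():
        kind = classify((method, template))
        rows.append({
            "method": method, "template": template, "kind": kind,
            "calls": rec["calls"], "sensitive": sorted(rec["sensitive"]),
            "score": risk_score(kind, rec),
        })
    rows.sort(key=lambda r: (-r["score"], r["template"]))
    return rows


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(f'{row["score"]:>2}  {row["kind"]:<10} {row["method"]:<4} '
              f'{row["template"]:<28} calls={row["calls"]} sensitive={row["sensitive"]}')
```

Running it ranks the undocumented `/internal/export/{id}` endpoint first (shadow, returning card numbers), the still-live `/api/v1/users/{id}` second (deprecated, returning e-mail addresses), and the two declared endpoints last. The real work in a production system is in the two parts this toy leaves simple: obtaining traffic without routing everything through one gateway, and inferring templates and data classes robustly rather than with a couple of regular expressions.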

Rapid Enterprise Adoption

Today, we are announcing Lightspeed’s investment in Noname Security — leading their $25M Series A round. I’m thankful for the opportunity to be able to partner with this amazing team. We are watching the birth of a brand new category as the use of APIs continues to grow exponentially and the associated risks grow commensurately. The team is hiring rapidly across every function — sales, marketing, and engineering — please check out more details here: Noname Security and ask them for a demo. Whether you are an enterprise team trying to get a handle on your APIs, or a future team member, Noname would love to hear from you!

By Guru Chahal, Lightspeed Venture Partners

Written by

Guru Chahal
Enterprise Partner @LightspeedVP , Founder, Product Exec. Focus: Automation, Cloud, Security, Infra, DevOps, Observability. https://linkedin.com/in/guruchahal

Lightspeed Venture Partners
Lightspeed is a multi-stage VC firm focused on accelerating disruptive innovations and trends in the enterprise and consumer sectors. In the past two decades, Lightspeed has backed 400 companies and currently manages $10.5B across the global Lightspeed platform.