Escape vs Noname Security (recently acquired by Akamai)

Noname (recently acquired by Akamai) has been a major player in the API security market for the past couple of years. However, many security professionals have voiced their frustrations with the tool. This disappointing experience has led them to question whether any current API security solution can meet their needs.

How can Escape create a better API security solution? We'll let you judge if we're better by comparing time to value. In this article, we'll show why and what makes us different than Noname.

When it comes to API discovery and security, choosing the right tool can significantly impact your organization's ability to protect its sensitive data.

Below you’ll find an in-depth comparison between Escape and Noname Security across the entire API security workflow - from API discovery to remediation. We focused on key differences between those two tools. If you want to get a quick recap and an infographic that you can download and share with others, jump to the last section.

As Noname doesn't have publically accessible documentation, we've built this comparison based on the following sources:

• Noname official website
• Noname publically accessible demos on YouTube
• Feedback from security professionals (whether Noname's and Escape's current customers or not)
• Feedback from an independent industry analyst

API Discovery

You can't secure what you can't see, so the faster you get to see what are the APIs exposed on the internet, the more you reduce the risk of API security breaches.

Escape is built to help you get the value out of it in the shortest time possible. It allows you to discover your APIs within a matter of minutes. Escape uses a sophisticated combination of subdomain enumeration, AI-powered fingerprinting, and OSINT techniques to identify and inventory APIs. This ensures that all APIs, including those not actively in use, are discovered and documented.

Noname relies heavily on traffic-based analysis for API discovery. This method examines network logs to identify APIs, which means it can only detect APIs that are already part of your network traffic. This approach can miss dormant APIs or those not frequently accessed, for example, located outside of API gateways, WAFs or proxies, leading to incomplete visibility.

And it's not that easy to deploy. To be able to start discovering APIs with Noname, you need to deploy Integrated Engine and potentially Remote Engine that can inspect API traffic. Noname has a large ecosystem of integrations, but you don't want to wait till you can plug the ones you need.

With Escape, to get started all you need is to put in your main domain name, so you can build inventory without any intervention from the development team, which is not necessarily the case when you need to deploy traffic-based API discovery tool. Simplified deployment processes minimize the need for specialized knowledge and extensive internal resources.

Once you've discovered all your exposed APIs, you can enrich the data discovered and classified in API inventory by connecting with your developer tools like Postman, GitHub, and GitLab, cloud platforms like AWS and Azure and gateways like Apigee, Axway, Kong Gateway and Kong Connect and Mulesoft. To scan internal APIs behind your organization's firewall or VPN, you can connect Escape's repeater proxy.

API Security

Once discovery is done, it comes down to API security testing.

Noname requires manual upload of API schemas to start scans as they precise in this demo, as it doesn't automatically generate schemas. In contrast, Escape uses a proprietary machine learning algorithm to automatically reconstruct API schemas, enabling context-aware scanning that can be initiated right away.

Noname provides API security by generating detection alerts based on baselines. These alerts can be effective in demonstrating potential issues but often result in a high number of false positives. The alerts are primarily based on network traffic analysis, which means they can detect exploits in real-time but might miss more nuanced security issues. Response actions often involve manual WAF rule creation, which can be time-consuming and inefficient.

Escape relies on its proprietary feedback-driven Business Logic Security Testing algorithm. It excels in detecting even complex business-logic vulnerabilities, especially in modern API types like GraphQL. Escape's algortihm addresses this complexity by autonomously generating legitimate traffic to test API's business logic.

Through techniques like Sourcing Inference and Strong Typing Inference, Escape ensures the accuracy of generated requests, while integration with generative AI enhances adaptability, particularly in complex attack scenarios.

Escape’s testing is more thorough and provides clear, actionable insights without the noise of false positives.

Testing Capabilities

Noname’s testing capabilities are limited and often require full application deployment. It does not support custom security tests, which can be a drawback for organizations needing tailored security solutions.

Additionally, its business logic testing for GraphQL is limited, and secret detection is only available in repositories.

Escape offers extensive testing capabilities, including custom security tests. These features allow for more detailed and specific security assessments, tailored to your unique needs.

Escape’s business logic testing for GraphQL is robust, and it includes comprehensive secret detection across various environments, not just repositories. Here is the full list of secrets that can be detected by Escape.

This thorough approach ensures better security coverage and more reliable protection.

Response and Actionable Insights

One significant issue with Noname is its lack of a structured approach to prioritizing vulnerabilities.

Without a clear system for ranking vulnerabilities based on their business impact, organizations may find it challenging to determine which threats to address first, leading to inefficient use of resources and potential oversight of critical issues. The response process with Noname can be cumbersome, as it involves creating WAF rules based on detection alerts. These alerts can be overwhelming, leading to alert fatigue and potentially missed critical issues.

Escape, however, offers a distinct advantage with its vulnerability prioritization funnel. This feature automatically identifies and prioritizes business-critical vulnerabilities, ensuring that the most significant threats are addressed promptly. In addition, it clear shows each application's code owner.

By streamlining the prioritization process, Escape enables security teams to focus their efforts where they matter most, enhancing overall security and providing peace of mind that critical vulnerabilities are being effectively managed.

Noname also does not provide actionable code snippets, which limits the immediate applicability of its findings and may cause frustrations among developers.

Escape provides clear, actionable insights with detailed code snippets that developers can use directly. This feature speeds up the remediation process and ensures that security issues are addressed promptly and effectively.

Each code snippet can be tailored specifically to your development framework. Don't you think your developers will appreciate more someone who speaks their language?

Ease of Use and Integration

It's important, of course, that once deployed, it's easy to use the tool.

Noname’s system is straightforward for network engineers to understand and implement. However, it requires a complete application deployment and manual log ingestion from staging environments. Changes in schemas need to be manually uploaded, adding to the administrative burden. The tool also lacks features like actionable code snippets, which can limit its usability and integration with modern development workflows. So, even in the long run, combination of all of this manual work can lead to a lot of frustrations.

Escape stands out with its user-friendly interface and automated processes. It does not require manual schema uploads or extensive setup procedures. The tool integrates seamlessly with existing workflows, providing continuous and automatic updates to schemas and security tests. Escape’s agentless schema generation and actionable remediation code snippets make it a more efficient and effective tool for maintaining API security.

Recap: Pros and Cons

Side-by-side comparison table

Noname Security

Pros

• Easy to understand for network engineers (though the learning curve might be steeper for security engineers with another background)
• Focuses strongly on helping to ensure regulatory compliance.
• Since they’re looking at API traffic, they’re able to detect exploits in runtime, but it only helps to adapt a reactive approach.
• The findings from Noname may appear to be real detection events, but they are often quite basic, such as merely checking if an authentication header is present.
• Noname covers a broad range of API types.

Cons

• Setup time: The customization process can be time-consuming, requiring more upfront investment in setup. Testing requires full application deployment first, as well as ingesting logs from your staging or lower environments.
• If your primary concern is detecting APIs, being reliant on network logs doesn’t really solve your problem, as it requires them to be behind your normal network flows in the first place! This is because network logs can only capture traffic that is actively passing through your network. Therefore, they can only detect APIs that are already being used and generating traffic. You're at risk of missing exposed and vulnerable Shadow APIs.
• Detection alerts are heavily based on baselines, which makes them very noisy and full of false positives.
• Testing requires manually uploading schemas when they change - it doesn’t automatically detect them.
• Response actions are incredibly cumbersome - you get drowned in these alerts and then respond by building WAF rules.
• You can't accelerate the remediation process because of the lack of actionable remediation code snippets for developers.

Escape

Pros

• Exceptional ability to discover even Shadow APIs in minutes by scanning exposed source code, reducing the time to value and risk of overlooked vulnerabilities
• Automated schema generation that helps you to launch scans right away and reduces the need for maintenance
• In-depth GraphQL testing capabilities and lowest false-positive rate
• Ability to prioritize the most critical API by business context, data sensitivity, and exposure.
• Actionable remediation code snippets for developers that help you build better relationships with them
• Effortless custom checks integration to automate security tests tailored to specific APIs

Cons

• Advanced feature sets may require specialized knowledge
• Number of integrations with some of the operational tools

Conclusion

While Noname offers a solid traffic-based API discovery and security solution, it falls short in several key areas such as comprehensive API discovery, detailed testing capabilities, and actionable remediation.

The Akamai acquisition makes total sense because it’s bolstering their API WAF capabilities; however, their testing was already very manual and unusable, and being acquired has never made anyone work faster. Most companies using something like Noname Security still buy something like Escape as an addition because the testing and discovery capabilities are so weak. Thus, you can avoid this by simply integrating Escape right away into your API security program.

Escape provides a more holistic and automated approach to API discovery and security. Its focus is on agentless API discovery, automated schema generation, advanced security testing, and actionable insights for developers.

If you still have doubts, take a moment with our team and see directly during a demo what APIs your organization left exposed.

💡Want to learn more? Discover the following articles:

• Reinventing API security: Why Escape is better than traditional traffic-based tools
• Escape vs Burp Suite Enterprise
• Escape vs StackHawk