Noname Security review

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring with prioritized findings in under a minute
  • Coverage of 12 categories aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with domain verification gate
  • Pro tier continuous monitoring and compliance reporting

Overview and positioning

This review covers a self-service API security scanner that emphasizes black-box analysis without requiring agents, SDKs, or code access. The tool accepts a target URL and returns a letter-grade risk score with prioritized findings within approximately one minute. It focuses on read-only testing, supporting GET and HEAD methods plus text-only POST probes for LLM discovery, and claims coverage aligned to the OWASP API Top 10 (2023).

Detection scope and methodology

The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023), including Authentication bypass and JWT misconfigurations such as alg=none, HS256 use, expired tokens, missing claims, and sensitive data in claims. It tests for BOLA and IDOR via sequential ID enumeration and adjacent ID probing, and BFLA through admin endpoint probing and role/permission leakage. Property over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, and rate-limiting characteristics are assessed. Data exposure checks include PII patterns, API key formats, and error leakage. Infrastructure safety controls block private IPs, localhost, and cloud metadata endpoints at multiple layers.

OpenAPI analysis and authenticated scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie credentials, gated by domain verification via DNS TXT records or HTTP well-known files. Only a restricted allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Product integrations and continuous monitoring

Deliverables include a Web Dashboard for scanning, report viewing, score trend tracking, and branded compliance PDF downloads. A CLI via an npm package supports single scans with structured output. A GitHub Action can gate CI/CD, failing builds when scores drop below a set threshold. The MCP Server enables scanning from AI coding assistants. Pro tier adds scheduled rescans, diff detection across scans, email alerts at rate-limited frequencies, HMAC-SHA256 signed webhooks with auto-disable after repeated failures, and expanded API coverage.
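The signed-webhook feature above has two halves worth seeing together: the receiver verifying an HMAC-SHA256 signature, and the sender disabling an endpoint after repeated failed deliveries. This is an added example, not the provider's implementation; the header name, the `t=...,v1=...` layout, the timestamp-bound message and the failure threshold are all assumptions, since the review does not document the actual format.

```python
import hashlib
import hmac
import json

# Assumption: header name and layout are illustrative, not the provider's documented format.
SIGNATURE_HEADER = "X-Signature"

def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so a captured delivery cannot be replayed later."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

def verify_signature(secret: bytes, header: str, body: bytes, now: int, tolerance: int = 300) -> bool:
    """Receiver side: parse the header, reject stale timestamps, compare in constant time."""
    try:
        fields = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(fields["t"])
        given = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)

class WebhookEndpoint:
    """Sender side: track consecutive failures and auto-disable past a threshold (assumed value)."""
    def __init__(self, url: str, secret: bytes, max_failures: int = 5):
        self.url, self.secret, self.max_failures = url, secret, max_failures
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, event: dict, transport, now: int) -> bool:
        """`transport(url, headers, body)` returns True on a 2xx response; injected so no network is needed."""
        if self.disabled:
            return False
        body = json.dumps(event, separators=(",", ":")).encode()
        headers = {SIGNATURE_HEADER: sign_payload(self.secret, now, body),
                   "Content-Type": "application/json"}
        ok = transport(self.url, headers, body)
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1
        if self.consecutive_failures >= self.max_failures:
            self.disabled = True
        return ok
```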

Limitations and compliance framing

The scanner does not fix, patch, block, or remediate findings; it reports them with remediation guidance. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope, nor does it detect business logic vulnerabilities or blind SSRF, which rely on human domain understanding. It is not designed to replace a high-stakes audit. Findings can map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) through direct alignment. For other frameworks, the tool supports audit evidence collection and helps prepare for controls described in relevant standards without asserting certification or compliance guarantees.

Pricing and value considerations

The Free tier allows 3 scans per month with CLI access. Starter at 99 dollars per month supports 15 APIs, monthly scans, dashboard features, email alerts, and the MCP Server. Pro at 499 dollars per month covers 100 APIs with incremental pricing, continuous monitoring, CI/CD integration, Slack or Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 dollars per month provides unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support. Pricing reflects feature differentiation across scan volume, monitoring depth, and compliance needs.

Frequently Asked Questions

What scan methods does the tool use?
It uses black-box scanning with read-only methods including GET, HEAD, and text-only POST for LLM probes, avoiding any intrusive or destructive payloads.
Which frameworks does scanning align with?
The tool maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other standards, it supports audit evidence collection and control alignment without compliance certifications.
Does the tool support authenticated scans?
Yes, authenticated scanning supports Bearer, API key, Basic auth, and Cookie credentials, with domain verification to ensure only the domain owner can scan with credentials.
How are LLM-related findings assessed?
The scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, jailbreak techniques, data exfiltration attempts, and token manipulation scenarios.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. The provider states it does not sell data and does not use it for model training.