Washington, DC-based API security company Corsha has raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital.
The funding will be used to grow the company’s team and expand its marketing capabilities, increase its partnerships with other companies (such as Venafi), and bring new technologies on board. Global expansion will be based on developing relationships with partner organisations, a process that is already underway in Europe.
“It will also be used in part to develop an API security assessment tool that will be freely available for companies to get a snapshot view of their current API security posture,” Corsha CTO and co-founder Anusha Iyer told SecurityWeek.
She noted that the nature of its product allows the company to collect large volumes of data from daily machine-to-machine communications, and the company intends to analyze this data and make it available to its customers.
The growth of the cloud, digital transformation, and automation has fueled a dramatic increase in the use of APIs, and with that comes an increase in machine-to-machine communications. This has created a major new security issue in machine-to-machine identification and access management.
The core of the Corsha platform is a distributed ledger system. Corsha uses this as an out-of-band element in machine-to-machine MFA generation and usage. “The process is analogous to Google Authenticator,” Iyer explained. “In one direction, you stay in sync with a seed on Google’s servers, while in the other direction you use it to verify MFA credentials.”
When the client has a machine that needs to be marked as trusted, the Corsha authenticator is implemented on that machine. “The authenticator has a unique seed at implementation time,” Iyer explained. “It comes online and establishes a dynamic identity with the ledger network by sending a crypto heartbeat to the ledger. The time is configurable, but every few hours it will send a new beat. This builds on the previous one, so over time it forms a chained, dynamic trusted identity for the authenticator. Only the most recent heartbeat is used to create the credentials, but the full history is kept by the ledger for auditing.”
The company sits at the intersection of API and zero trust, and can provide the MFA and IAM aspect of zero trust in the world of automation. While the technology has potentially broader applications, the company is firmly focused on the machine-to-machine IAM problem. Expansion into the IT/OT communications space is possible while remaining within the company’s core competency arena.
Because Corsha leverages its distributed ledger system, a new and unique MFA “token” is generated and used for each new machine-to-machine communication. The overhead is minimal; Iyer claims it adds no more than a few milliseconds to the login process.
This eliminates one of the main security weaknesses in current API use: theft or loss of static secrets. A March 2022 GitGuardian report found that organizations leaked more than 6 million passwords, API keys, and other sensitive data last year, twice as many as the year before. Gartner predicts that API attacks will soon become the most prevalent attack vector causing data breaches for enterprise web applications.
“API secrets are used as proxies for machine identities: ideally, each machine needs its own secret. But these secrets are routinely shared between machines and are leaking into code repositories or CI pipelines at an alarming rate. They are rarely rotated and are often set to never expire,” Iyer explained.
One of the system’s strengths, CEO and co-founder Chris Simkins added, is that it prevents hackers from spoofing a workload, the API equivalent of stealing a laptop or phone. “We’ll catch them and just shut them down without even having to touch the rogue ‘device’. The more we automate our application development and deployment processes, the more risk shifts from human to machine. It is more important than ever to have clear visibility into the machines accessing APIs and to be able to control access seamlessly,” added Simkins.
If the communication attempt is made without the current unique MFA token, it is simply blocked. “If the MFA fails, the API call fails,” Simkins told SecurityWeek. This is automatic. The logs provide an alert to the SOC team, and security engineers can investigate the problem with the calling device. However, if the SOC team has other concerns about a device, they can manually notify the Corsha platform and further API calls from that device are blocked, providing instant mitigation for suspicious behavior.
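The pieces described above (a seeded authenticator, a chain of heartbeats recorded by a ledger, a one-time token per API call derived only from the latest heartbeat, automatic refusal when the MFA check fails, and a manual SOC block) can be modelled in a few dozen lines. The following is an added illustration, not Corsha's code or protocol: it assumes the ledger holds each enrolled device's seed, that each heartbeat is an HMAC over the previous beat and a counter, and that the per-call token is an HMAC keyed with the current chain head. All class, function and device names are invented.

```python
"""Illustrative model of ledger-backed, per-call machine-to-machine MFA.

Added example, not Corsha's implementation. Assumptions: the ledger shares
each device's seed at enrolment, heartbeats chain via HMAC over the previous
beat and a counter, and per-call tokens are keyed by the latest heartbeat.
"""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (invented helper)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Ledger:
    """Out-of-band record of heartbeat chains, one per enrolled device."""

    def __init__(self):
        self.seeds = {}        # device_id -> seed shared at enrolment
        self.chains = {}       # device_id -> full beat history, kept for audit
        self.blocked = set()   # devices the SOC has manually shut off
        self.seen_nonces = set()

    def enrol(self, device_id: str, seed: bytes) -> None:
        self.seeds[device_id] = seed
        self.chains[device_id] = []

    def record_heartbeat(self, device_id: str, counter: int, beat: bytes) -> bool:
        """Accept a beat only if it extends the chain from the stored seed."""
        chain = self.chains[device_id]
        prev = chain[-1] if chain else b""
        if counter != len(chain) + 1:
            return False
        expected = _mac(self.seeds[device_id], b"beat", prev, counter.to_bytes(8, "big"))
        if not hmac.compare_digest(expected, beat):
            return False
        chain.append(beat)
        return True

    def latest(self, device_id: str):
        chain = self.chains.get(device_id)
        return chain[-1] if chain else None


class Authenticator:
    """Runs on the calling machine; holds the seed and the current chain head."""

    def __init__(self, device_id: str, seed: bytes, ledger: Ledger):
        self.device_id, self.seed, self.ledger = device_id, seed, ledger
        self.counter, self.head = 0, b""
        ledger.enrol(device_id, seed)

    def heartbeat(self) -> bytes:
        """Send the next beat; each one is bound to the previous head."""
        self.counter += 1
        beat = _mac(self.seed, b"beat", self.head, self.counter.to_bytes(8, "big"))
        if not self.ledger.record_heartbeat(self.device_id, self.counter, beat):
            raise RuntimeError("ledger rejected heartbeat")
        self.head = beat
        return beat

    def token_for(self, method: str, path: str):
        """Fresh one-time token per call, keyed by the most recent heartbeat only."""
        nonce = secrets.token_bytes(16)
        tag = _mac(self.head, b"call", method.encode(), path.encode(), nonce)
        return nonce, tag


def verify_call(ledger: Ledger, device_id: str, method: str, path: str,
                nonce: bytes, tag: bytes) -> str:
    """API-side check: returns 'ok' or the reason the call is refused."""
    if device_id in ledger.blocked:
        return "blocked"
    head = ledger.latest(device_id)
    if head is None:
        return "unknown-device"
    if nonce in ledger.seen_nonces:
        return "replay"
    expected = _mac(head, b"call", method.encode(), path.encode(), nonce)
    if not hmac.compare_digest(expected, tag):
        return "mfa-failed"
    ledger.seen_nonces.add(nonce)
    return "ok"


def demo() -> dict:
    """Walk through the lifecycle; returns the verifier's verdict at each step."""
    ledger = Ledger()
    dev = "build-agent-7"  # constructed device name
    auth = Authenticator(dev, secrets.token_bytes(32), ledger)
    results = {}
    auth.heartbeat()
    nonce, tag = auth.token_for("POST", "/v1/deploy")
    results["fresh"] = verify_call(ledger, dev, "POST", "/v1/deploy", nonce, tag)
    results["replayed"] = verify_call(ledger, dev, "POST", "/v1/deploy", nonce, tag)
    # a token captured before the next heartbeat is stale once the chain advances
    stale_nonce, stale_tag = auth.token_for("GET", "/v1/status")
    auth.heartbeat()
    results["stale"] = verify_call(ledger, dev, "GET", "/v1/status", stale_nonce, stale_tag)
    # a beat not derived from the seed and the current head is refused by the ledger
    results["forged_beat"] = ledger.record_heartbeat(dev, 3, secrets.token_bytes(32))
    # SOC manually blocks the device: later calls fail regardless of their token
    ledger.blocked.add(dev)
    nonce, tag = auth.token_for("GET", "/v1/status")
    results["after_block"] = verify_call(ledger, dev, "GET", "/v1/status", nonce, tag)
    return results
```

Running `demo()` shows the properties the article attributes to the approach: a fresh token is accepted, the same token is rejected on replay, a token minted under an earlier heartbeat fails once the chain has advanced, a beat that does not derive from the enrolled seed cannot extend the chain, and a manual block takes effect on the very next call. The contrast with a static API key is that nothing a caller sends is reusable, so a leaked value in a repository or CI log has no lasting worth.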