Corsha raises $12M to help security teams reduce API attack surface


Corsha announced a $12 million Series A funding round. Ten Eleven Ventures and Razor’s Edge Ventures co-led the round that included participation from 1843 Capital.


Organizations are increasingly relying on cloud infrastructure to scale their applications and services. The sheer number of APIs per organization is skyrocketing, and with that, so is the number of potential vulnerabilities. A GitGuardian report published last month found that organizations leaked more than 6 million passwords, API keys, and other sensitive data in 2021, double the number from the previous year. Gartner predicts that API attacks will soon become the most prevalent attack vector for causing data breaches for enterprise web applications.

With partners like Dell Technologies, Corsha offers a platform to secure communication in both on-premises and cloud environments. “By taking an identity-first approach to API security, Corsha provides a much-needed layer of security for how organizations must manage service-to-service communication. Corsha offers all the goodness of MFA to protect the communication between the APIs, as well as the machines that access them,” said Chris “CT” Thomas, Technical Strategist in the Office of the CTO at Dell.

Corsha’s proprietary technology enables security teams to cryptographically assign dynamic identities to a set of trusted machines and pin API access to only those machines. Through this innovative approach to machine identity and MFA for APIs, Corsha eliminates security vulnerabilities in machine-to-machine communication, enabling a zero-trust API security posture in cloud-native environments for north-south or east-west APIs.

Corsha co-founders Chris Simkins and Anusha Iyer have extensive experience supporting national security programs and have seen firsthand the security threats that insecure APIs pose to organizations.

“API secrets are used as proxies for machine identities: ideally, each machine needs its own secret. But these secrets are routinely shared between machines and are leaking into code repositories or CI pipelines at an alarming rate. They are rarely rotated and are often set to never expire,” Iyer explained. “The more we automate our application development and deployment processes, the more risk moves from human to machine. It is more important than ever to have clear visibility into the machines accessing APIs and to be able to control access seamlessly,” added Simkins.

API-first ecosystems are powered by machines. Whether it’s pods, containers, virtual machines, physical servers, IoT devices, or other Kubernetes form factors, securing API communication between services often becomes an afterthought. According to Gartner, “API security challenges have become a top concern for most software engineering leaders, as unmanaged and unsecured APIs create vulnerabilities that could accelerate software security incidents.” several million dollars.” The API management market is expected to be worth $13.6 billion by 2028, growing at a compound annual growth rate (CAGR) of 29% from 2021 to 2028, according to Verified Market Research. Current estimates put the cost of data breaches at more than $10.5 trillion annually by 2025.

“The Corsha team has a unique perspective and insight into how the API security and machine identity markets are growing and evolving, and their technology is set to revolutionize the way businesses think about managing API traffic and machine authentication,” said Mark Hatfield, Founder and General Partner of Ten Eleven Ventures. “We are very excited to invest in Corsha to accelerate its growth and continued product development.”

Today, if an application or service wants to make an API call, it often leverages a primary authentication factor, such as a PKI certificate, JSON web token, or OAuth token. Corsha fortifies that API request with a one-time MFA credential that is created from the machine’s dynamic identity and checked against a cryptographically verifiable distributed ledger network (DLN). The API request is only accepted if there is a match between the MFA credential and the identity of that machine in the DLN. If a log management system identified a potential security event, a security operations center (SOC) could easily use Corsha to revoke API access for a specific machine or group of machines without impacting other workloads.
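The two-factor check described above, as an added sketch; it is not Corsha's code or protocol. Assumptions: HMAC-SHA256 over a per-machine counter stands in for the one-time MFA credential, an in-memory dict stands in for the DLN, and every name and sample value is constructed.

```python
import hashlib
import hmac
import secrets

def one_time_credential(key, machine_id, counter):
    # Stand-in scheme (assumption): HMAC-SHA256 over machine id and counter.
    msg = f"{machine_id}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Gateway:
    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)  # primary factor (e.g. bearer token)
        self.registry = {}                     # stand-in for the identity ledger

    def enroll(self, machine_id):
        key = secrets.token_bytes(32)          # each machine gets its own secret
        self.registry[machine_id] = {"key": key, "last": 0, "revoked": False}
        return key

    def revoke(self, machine_id):
        self.registry[machine_id]["revoked"] = True

    def authorize(self, token, machine_id, counter, credential):
        if token not in self.valid_tokens:
            return "deny: primary factor"
        entry = self.registry.get(machine_id)
        if entry is None or entry["revoked"]:
            return "deny: machine not trusted"
        if counter <= entry["last"]:
            return "deny: replayed credential"
        expected = one_time_credential(entry["key"], machine_id, counter)
        if not hmac.compare_digest(expected, credential):
            return "deny: credential mismatch"
        entry["last"] = counter                # burn the counter: single use
        return "allow"

def demo():
    token = "shared-api-token"                 # constructed sample token
    gw = Gateway({token})
    key_a, key_b = gw.enroll("runner-a"), gw.enroll("runner-b")
    first = one_time_credential(key_a, "runner-a", 1)
    out = [gw.authorize(token, "runner-a", 1, first),        # valid request
           gw.authorize(token, "runner-a", 1, first),        # same credential again
           gw.authorize(token, "runner-a", 2, "0" * 64)]     # token without machine key
    gw.revoke("runner-a")                                    # SOC revokes one machine
    out.append(gw.authorize(token, "runner-a", 2, one_time_credential(key_a, "runner-a", 2)))
    out.append(gw.authorize(token, "runner-b", 1, one_time_credential(key_b, "runner-b", 1)))
    return out
```

A shared or leaked primary token alone is rejected, and revoking `runner-a` leaves `runner-b` unaffected.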

Corsha recently released an API Security Scorecard to help organizations measure their API security posture through a series of simple questions. Corsha plans to use the new funding to invest heavily in API discovery and observability, integrations across the API ecosystem, and open source tools to help application security teams stay ahead of the API attack surface.
