Corsha, a DC-based API security company that provides an innovative approach to securing API communication between trusted machines, announces a $12 million Series A funding round. Ten Eleven Ventures and Razor’s Edge Ventures co-led the round that included participation from 1843 Capital.
Organisations are increasingly relying on cloud infrastructure to scale their applications and services. The sheer number of APIs per organisation is exploding, and with that, so is the number of potential vulnerabilities.
Enterprise web applications
A GitGuardian report published last month found that organisations leaked more than 6 million passwords, API keys, and other sensitive data in 2021, doubling the number from the previous year. Gartner predicts that API attacks will soon become the most frequent attack vector causing data breaches for enterprise web applications.
With partners like Dell Technologies, Corsha offers a first-of-its-kind platform to secure communication in both on-prem and cloud environments. “By taking an identity-first approach to API security, Corsha provides a much-needed security layer to the way organisations should manage service-to-service communication. Corsha provides all the goodness of MFA to secure the communication between APIs, as well as the machines that are accessing them,” said Chris ‘CT’ Thomas, a Technical Strategist in the Office of the CTO at Dell.
Cloud-native environments
Corsha’s patented technology allows security teams to cryptographically assign dynamic identities to a set of trusted machines and pin API access only to those machines. Through this innovative approach to machine identity and MFA for APIs, Corsha eliminates security vulnerabilities in machine-to-machine communication – enabling a zero-trust API security posture in cloud-native environments for north-south or east-west APIs.
Corsha Co-Founders Chris Simkins and Anusha Iyer have deep experience supporting national security programs and have seen first-hand the security threats insecure APIs pose to organisations. “API secrets are being used as proxies for machine identities – each machine ideally needs its own secret. But these secrets are routinely being shared between machines and leaked in code repositories or CI pipelines at an alarming rate. They’re rarely rotated and often set to never expire,” explained Iyer.
Seamlessly control access
“The greater we automate our application development and deployment processes, the more the risk shifts from human to machine. It’s more important than ever to have clear visibility into the machines that are accessing APIs and be able to seamlessly control access,” added Simkins.
API-first ecosystems are driven by the machines that power them. Whether those are Kubernetes pods, containers, virtual machines, physical servers, IoT devices, or other form factors, securing API communication between services often becomes an afterthought. According to Gartner, ‘API security challenges have emerged as a top concern for most software engineering leaders, as unmanaged and unsecured APIs create vulnerabilities that could accelerate multimillion-dollar security incidents.’
The API Management market is expected to be worth $13.6 billion by 2028, growing at a compound annual growth rate (CAGR) of 29% from 2021 to 2028, according to Verified Market Research. Current estimates put the annual cost of data breaches at over $10.5 trillion by 2025.
Primary authentication factor
“The Corsha team has a unique perspective and clear vision on how the API Security and machine identity markets are growing and evolving, and their technology is going to revolutionise how enterprises think about API traffic management and machine authentication,” said Mark Hatfield, Founder and General Partner at Ten Eleven Ventures. “We are extremely excited to invest in Corsha to accelerate their growth and continued product development.”
If an application or service wants to make an API call, it often leverages a primary authentication factor like a PKI certificate, JSON Web Token, or OAuth token. Corsha strengthens that API request with a one-time-use MFA credential that is built from the machine’s dynamic identity and checked against a cryptographically verifiable distributed ledger network (DLN).
Application security teams
The API request is only accepted if there is a match between the MFA credential and that machine’s identity on the DLN. If a log management system were to identify a potential security event, a security operations centre (SOC) could easily use Corsha to revoke the API access for a specific machine or group of machines without impacting other workloads.
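Corsha does not publish the internals of its credential scheme, so the sketch below is an added illustration (not Corsha's code) of the two-factor check just described: a constructed in-memory registry stands in for the distributed ledger, a fixed set of bearer tokens stands in for the primary factor, and an HMAC over the machine id and a fresh nonce stands in for the one-time MFA credential. All names, secrets and tokens are assumptions; it shows why a credential lifted from one machine cannot be replayed or re-labelled for another, and how one machine can be revoked without affecting the rest.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the ledger: each trusted machine has its own secret and an active flag.
MACHINE_REGISTRY = {
    "build-agent-01": {"secret": b"constructed-secret-01", "active": True},
    "build-agent-02": {"secret": b"constructed-secret-02", "active": True},
}
# Constructed set of valid primary-factor tokens (stands in for JWT / OAuth / PKI validation).
VALID_PRIMARY_TOKENS = {"primary-token-for-ci"}
# Credentials already consumed, so each one is accepted at most once.
USED_CREDENTIALS = set()


def mint_mfa_credential(machine_id, nonce=None):
    """Build a one-time credential bound to the calling machine's identity."""
    secret = MACHINE_REGISTRY[machine_id]["secret"]
    nonce = nonce or secrets.token_hex(8)
    tag = hmac.new(secret, f"{machine_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{machine_id}.{nonce}.{tag}"


def verify_request(primary_token, mfa_credential):
    """Accept only if the primary factor AND the machine-bound one-time credential both check out."""
    if primary_token not in VALID_PRIMARY_TOKENS:
        return "rejected: primary factor"
    try:
        machine_id, nonce, tag = mfa_credential.split(".")
    except ValueError:
        return "rejected: malformed credential"
    entry = MACHINE_REGISTRY.get(machine_id)
    if entry is None or not entry["active"]:
        return "rejected: machine not trusted"
    # Recompute the tag under the secret registered for the claimed machine; a credential minted
    # by a different machine (or re-labelled with another machine id) will not match.
    expected = hmac.new(entry["secret"], f"{machine_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "rejected: credential does not match machine identity"
    if (machine_id, nonce) in USED_CREDENTIALS:
        return "rejected: credential already used"
    USED_CREDENTIALS.add((machine_id, nonce))
    return "accepted"


def revoke_machine(machine_id):
    """SOC action: cut off one machine without touching other workloads."""
    MACHINE_REGISTRY[machine_id]["active"] = False
```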
Corsha recently launched an API Security Scorecard to help organisations measure their API security posture through a series of simple questions. Corsha plans to use the new funding to invest heavily in API discovery and observability, integrations across the API ecosystem, and open-source tools to help application security teams get ahead of the API attack surface.