Corsha aims to develop a solution to secure API communications

Today, DC-based API security provider Corsha announced that it had raised $12 million as part of a series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures. 

Corsha’s platform gives enterprises the ability to assign dynamic identities to trusted machines, which are then used to build one-time-use multifactor authentication (MFA) credentials.

This approach implements zero-trust identity and authentication for machine-to-machine communication, while preventing hackers from gaining API access through stolen or compromised credentials.

The company’s aim is ultimately to provide enterprises and technical decision makers with a technology they can use to reduce the API attack surface and eliminate credentials as a potential target. 

Reducing the API attack surface 

The announcement comes as organizations face an increasing number of API-level threats. Research from Q1 2022 shows that API attacks have increased by 681% over the last 12 months. 

One of the key reasons for the increase is that attackers know that most organizations haven’t been able to implement effective security controls to mitigate attacks on APIs. 

For instance, a report released last November found that in the 12 months prior, at least 44% of respondents expressed substantial issues concerning privacy, data leakage, and object property exposure with internal or external-facing APIs.

These API security threats have gone unaddressed because many organizations have attempted to rely on keys, encryption certificates, and tokens to manage machine access, and these secrets are often targeted and harvested.

“Many companies today use API secrets like keys, encryption certificates and tokens in order to broker access between machines. These machines could be pods, containers, cloud workloads, servers, virtual machines or IoT devices,” said cofounder and CTO, Anusha Iyer.

“Unfortunately, these secrets are often shared between machines, so engineering teams are hesitant to revoke them for fear of the workloads that will be impacted across the machines using that secret,” Iyer continued.  

“Furthermore, these secrets are being sprayed across code repositories, CI/CD pipelines, testing systems, logs, API gateways, and more where adversaries are leveraging them to gain access to potentially sensitive data,” Iyer said. 

Corsha aims to mitigate these difficulties by adding an extra layer of security on top of API secret-focused solutions, brokering machine access, and using zero-trust authentication to deprive hackers of the opportunity to target APIs.

The API Security Market 

As the number of organizations relying on APIs to deliver critical services increases, investment in API management solutions is also increasing: the global API management market size will grow from $3.87 billion in 2020 to $7.54 billion in 2026.

Within the market, many providers have started to focus on addressing the security problems created by APIs. One of these providers is Salt Security, which offers an API protection platform that uses a data engine, AI and ML to scan APIs and exposed data during development and deployment.

Salt Security is one of the most significant competitors in the market, having recently raised $140 million as part of a series D funding round and achieving a $1.4 billion valuation.

Another competitor is Noname Security, which provides an API security platform that lets the user create an inventory of APIs and offers AI-driven API threat detection with automated blocking and threat remediation.

Noname Security is another substantial player in the market, raising $135 million as part of a series C funding round last December and achieving a $1 billion valuation.

Becoming the identity-first API security solution

While Corsha’s competitors are well-established, the company’s cofounder and CEO Chris Simkins argues that the organization is taking a unique approach to API security: it emphasizes machine identity management capabilities to secure APIs, rather than analyzing API traffic or API logs to identify malicious activity as other providers do.

“Corsha limits API access to only trusted machines by requiring affirmative authentication based on the machine’s identity — a very binary decision based on whether the MFA credential is valid or not,” he said. 

Assigning dynamic machine identities to trusted devices ensures that APIs can communicate freely, while preventing API secrets from being exposed and exploited to gain access to sensitive information.