Corsha Secures $12M Round to Reduce the API Attack Surface
April 6 2022
Corsha, a DC-based API security company, has secured a $12 million Series A
funding round. Ten Eleven Ventures and Razor’s Edge Ventures
co-led the round that included participation from 1843 Capital.
Organizations are increasingly relying on cloud infrastructure
to scale their applications and services. The sheer number of
APIs per organization is exploding, and with that, so is the
number of potential vulnerabilities. A GitGuardian report
published last month found that organizations leaked more than 6
million passwords, API keys, and other sensitive data in 2021,
doubling the number from the previous year. Gartner predicts
that API attacks will soon become the most-frequent attack
vector to cause data breaches for enterprise web applications.

Co-Founders Chris Simkins, CEO, and Anusha Iyer, CTO
With partners like Dell Technologies, Corsha offers a
first-of-its-kind platform to secure communication in both on-prem
and cloud environments. “By taking an identity-first approach to
API security, Corsha provides a much-needed security layer to
the way organizations should manage service-to-service
communication. Corsha provides all the goodness of MFA to secure
the communication between APIs, as well as the machines that are
accessing them,” said Chris “CT” Thomas, a Technical Strategist
in the Office of the CTO at Dell.
Corsha’s patented technology allows security teams to
cryptographically assign dynamic identities to a set of trusted
machines and pin API access only to those machines. Through this
innovative approach to machine identity and MFA for APIs, Corsha
eliminates security vulnerabilities in machine-to-machine
communication – enabling a zero trust API security posture in
cloud native environments for north-south or east-west APIs.
Corsha co-founders Chris Simkins and Anusha Iyer have deep
experience supporting national security programs and have seen
first-hand the security threats insecure APIs pose to
organizations.
“API secrets are being used as proxies for machine identities –
each machine ideally needs its own secret. But these secrets are
routinely being shared between machines, and leaked in code
repositories or CI pipelines at an alarming rate. They’re rarely
rotated and often set to never expire,” explained Iyer. “The
greater we automate our application development and deployment
processes, the more the risk shifts from human to machine. It’s
more important than ever to have clear visibility into the
machines that are accessing APIs and be able to seamlessly
control access,” added Simkins.
API-first ecosystems are driven by the machines that power them.
Whether those are Kubernetes pods, containers, virtual machines,
physical servers, IoT devices, or other form factors, securing
API communication between services often becomes an
afterthought. According to Gartner, ‘API security challenges
have emerged as a top concern for most software engineering
leaders, as unmanaged and unsecured APIs create vulnerabilities
that could accelerate multimillion dollar security incidents.’
The API management market is expected to be worth $13.6 billion
by 2028, growing at a compound annual growth rate (CAGR) of 29
percent from 2021 to 2028, according to Verified Market
Research. Current estimates put the cost of data breaches at
over $10.5 trillion annually by 2025.
“The Corsha team has a unique perspective and clear vision on
how the API Security and machine identity markets are growing
and evolving, and their technology is going to revolutionize how
enterprises think about API traffic management and machine
authentication,” said Mark Hatfield, Founder and General Partner
at Ten Eleven Ventures. “We are extremely excited to invest in
Corsha to accelerate their growth and continued product
development.”
Today, if an application or service wants to make an API call, it often
leverages a primary authentication factor like a PKI
certificate, JSON Web Token, or OAuth token. Corsha strengthens
that API request with a one-time-use MFA credential that is
built from the machine’s dynamic identity and checked against a
cryptographically verifiable distributed ledger network (DLN).
The API request is only accepted if there is a match between the
MFA credential and that machine’s identity on the DLN. If a log
management system were to identify a potential security event, a
security operations center (SOC) could easily use Corsha to
revoke the API access for a specific machine or group of
machines without impacting other workloads.
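The request flow described above, as an added illustration that is not Corsha's code: the server accepts a call only when the primary factor passes and a single-use, machine-bound MFA credential verifies against a registry of enrolled machines, and revoking one machine leaves the others untouched. The registry, the HMAC-based credential construction and the machine names are all assumptions standing in for the ledger and credential format the page does not detail.

```python
import hashlib, hmac, secrets
class MachineRegistry:
    """Stand-in for the ledger on the page (constructed): secrets, revocations, used nonces."""
    def __init__(self):
        self.keys = {}        # machine_id -> per-machine secret
        self.revoked = set()
        self.seen = set()     # (machine_id, nonce) pairs already accepted once

    def enroll(self, machine_id):
        self.keys[machine_id] = secrets.token_bytes(32)
        return self.keys[machine_id]

    def revoke(self, machine_id):   # SOC action: cut off one machine only
        self.revoked.add(machine_id)

def mac(key, machine_id, nonce):
    return hmac.new(key, f"{machine_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def make_mfa_credential(machine_id, key, nonce=None):
    """Client side: single-use credential bound to this machine's identity (assumed format)."""
    nonce = nonce or secrets.token_hex(16)
    return f"{machine_id}.{nonce}.{mac(key, machine_id, nonce)}"

def authorize_request(registry, primary_factor_ok, credential):
    """Server side: primary factor (e.g. a JWT, verified elsewhere) AND MFA credential."""
    if not primary_factor_ok:
        return False, "primary factor rejected"
    parts = credential.split(".")
    if len(parts) != 3:
        return False, "malformed credential"
    machine_id, nonce, tag = parts
    if machine_id not in registry.keys or machine_id in registry.revoked:
        return False, "unknown or revoked machine"
    if not hmac.compare_digest(mac(registry.keys[machine_id], machine_id, nonce), tag):
        return False, "bad credential"
    if (machine_id, nonce) in registry.seen:
        return False, "credential replayed"
    registry.seen.add((machine_id, nonce))
    return True, "ok"

def demo():
    reg = MachineRegistry()
    k_a, k_b = reg.enroll("pod-a"), reg.enroll("pod-b")
    cred = make_mfa_credential("pod-a", k_a)
    first = authorize_request(reg, True, cred)      # fresh credential: accepted
    replay = authorize_request(reg, True, cred)     # same credential again: rejected
    reg.revoke("pod-a")
    revoked = authorize_request(reg, True, make_mfa_credential("pod-a", k_a))
    other = authorize_request(reg, True, make_mfa_credential("pod-b", k_b))  # unaffected
    return first, replay, revoked, other
```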
Corsha recently launched an API Security Scorecard to help
organizations measure their API security posture through a
series of simple questions. Corsha plans to use the new funding
to invest heavily in API discovery and observability,
integrations across the API ecosystem, and open-source tools to
help application security teams get ahead of the API attack
surface.