API IAM Security Provider Corsha Raises $12 Million

Washington, DC-based API security firm Corsha has raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital.

The funding will be used to grow the firm’s team and expand its go-to-market capabilities, increase its partnerships with other companies (such as Venafi), and bring new technologies on board. Global expansion will be based on developing relationships with partner organizations, a process that is already under way in Europe.

“It will also partly be used to develop an API security assessment tool that will be freely available for companies to gain a snapshot view of their current API security posture,” Corsha CTO and cofounder Anusha Iyer told SecurityWeek.

She noted that the nature of its product allows the company to gather large volumes of data on day-to-day machine-to-machine communications, and the company intends to analyze this data and make it available to its customers.

The growth in cloud, digital transformation and automation has fueled a dramatic rise in the use of APIs – and with that comes an increase in machine-to-machine communications. This has created a major new security issue in machine-to-machine identification and access management.

The core of the Corsha platform is a distributed ledger system. Corsha uses this as an out-of-band element in the generation and use of machine-to-machine MFA. “The process is analogous to Google Authenticator,” explained Iyer. “In one direction you’re keeping in sync with a seed on Google servers, while in the other direction you’re using that to check MFA credentials.”

Where the customer has a machine that should be marked as trusted, the Corsha authenticator is deployed on that machine. “The authenticator is uniquely seeded at the time of deployment,” explained Iyer. “It comes online and establishes a dynamic identity with the ledger network by sending a cryptographic beat to the ledger. The timing is configurable, but every few hours it will send off a new beat. This is built off the previous one, so over time it forms a chained, dynamic trusted identity for the authenticator. Only the most recent beat is used to create the credentials, but the ledger keeps the full history for audit.”

The company sits at the intersection of API and zero trust, and can provide the MFA and IAM aspect of zero trust in the automation world. While the technology has potentially wider applications, the company is firmly focused on the machine-to-machine IAM problem. Expansion in the IT/OT communications space is possible while remaining within the company’s primary remit.

Because the credentials are derived from its distributed ledger system, a new and unique MFA ‘token’ is generated and used for every new machine-to-machine communication. The overhead is minimal, with Iyer claiming it adds no more than a few milliseconds to the access process.
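To make the chained-beat, one-token-per-call model described above concrete, here is an added Python example. It is not Corsha's code and does not reproduce its actual protocol; it is a toy sketch of the idea. It assumes an in-memory dictionary standing in for the distributed ledger (trusted and readable only by the verifying gateway), HMAC-SHA256 for both the beats and the per-call tokens, a monotonically increasing per-authenticator counter to defeat replay, and a gateway-side revocation list for the SOC-triggered blocking mentioned later in the article. The demo shows that a token from a legitimate authenticator passes, while a replayed token, a token forged by a workload that lacks the seed, a token minted from a stale beat, and a token from a revoked authenticator all fail.

```python
import hashlib
import hmac
import secrets


class Ledger:
    """Append-only beat history per authenticator (stand-in for the distributed ledger)."""

    def __init__(self):
        self.chains = {}

    def append_beat(self, auth_id, beat):
        self.chains.setdefault(auth_id, []).append(beat)

    def latest_beat(self, auth_id):
        chain = self.chains.get(auth_id)
        return chain[-1] if chain else None

    def history(self, auth_id):
        # Full chain is retained for audit even though only the latest beat is used.
        return list(self.chains.get(auth_id, []))


class Authenticator:
    """Per-machine agent: uniquely seeded at deployment, emits chained beats, mints per-call tokens."""

    def __init__(self, auth_id, ledger, seed=None):
        self.auth_id = auth_id
        self.ledger = ledger
        self.seed = seed if seed is not None else secrets.token_bytes(32)
        self.beat = b""  # genesis: first beat is chained off an empty predecessor
        self.counter = 0  # per-call counter, never reused

    def send_beat(self):
        # Each beat is keyed by the seed and bound to the previous beat, forming a chain.
        self.beat = hmac.new(self.seed, b"beat|" + self.beat, hashlib.sha256).digest()
        self.ledger.append_beat(self.auth_id, self.beat)
        return self.beat

    def credential(self):
        # Token is derived only from the most recent beat plus a fresh counter.
        self.counter += 1
        tag = hmac.new(self.beat, b"req|" + self.counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
        return (self.auth_id, self.counter, tag)


class ApiGateway:
    """Verifier in front of the API: recomputes the expected token from the ledger's latest beat."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.last_counter = {}
        self.revoked = set()

    def revoke(self, auth_id):
        # SOC-driven block: no need to touch the device itself.
        self.revoked.add(auth_id)

    def verify(self, auth_id, counter, tag):
        if auth_id in self.revoked:
            return False
        beat = self.ledger.latest_beat(auth_id)
        if beat is None:
            return False  # unknown machine: no dynamic identity established
        if counter <= self.last_counter.get(auth_id, 0):
            return False  # replayed or out-of-order token
        expected = hmac.new(beat, b"req|" + counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong seed/beat: spoofed workload or stale beat
        self.last_counter[auth_id] = counter
        return True


def demo():
    """Constructed scenario with a fixed seed; returns the outcome of each check."""
    ledger = Ledger()
    gateway = ApiGateway(ledger)
    seed = hashlib.sha256(b"constructed demo seed, not a real secret").digest()
    agent = Authenticator("build-runner-01", ledger, seed)
    agent.send_beat()
    results = {}

    good = agent.credential()
    results["valid"] = gateway.verify(*good)          # True
    results["replay"] = gateway.verify(*good)         # False: counter already consumed

    # A workload that copied only the authenticator id but not the seed.
    impostor = Authenticator("build-runner-01", Ledger(), secrets.token_bytes(32))
    impostor.send_beat()
    results["forged"] = gateway.verify(*impostor.credential())  # False: HMAC mismatch

    # Token minted before the next beat, presented after it: the ledger has moved on.
    stale = agent.credential()
    agent.send_beat()
    results["stale_beat"] = gateway.verify(*stale)    # False
    results["fresh_after_beat"] = gateway.verify(*agent.credential())  # True

    gateway.revoke("build-runner-01")
    results["after_revoke"] = gateway.verify(*agent.credential())  # False
    results["audit_beats"] = len(ledger.history("build-runner-01"))  # 2
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The replay defence here is a strict counter, so a token is single-use even within the lifetime of one beat; the beat rotation on top of that bounds how long a captured beat would be useful, and the revocation set is what gives the gateway-side "turn it off" control without reaching the device.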

This eliminates one of the major security weaknesses in current API usage – the theft or loss of static secrets. A March 2022 GitGuardian report found that organizations leaked more than 6 million passwords, API keys, and other sensitive data last year, double the number from the previous year. Gartner predicts that API attacks will soon become the most-frequent attack vector causing data breaches for enterprise web applications.

“API secrets are being used as proxies for machine identities – each machine ideally needs its own secret. But these secrets are routinely being shared between machines and leaked in code repositories or CI pipelines at an alarming rate. They’re rarely rotated and often set to never expire,” explained Iyer.

One of the system’s strengths, added CEO and cofounder Chris Simkins, is that it prevents workload spoofing by hackers – the API equivalent of stealing a laptop or phone. “We’ll catch those, and just turn them off even without having to touch the rogue ‘device’. The greater we automate our application development and deployment processes, the more the risk shifts from human to machine. It’s more important than ever to have clear visibility into the machines that are accessing APIs and be able to seamlessly control access,” added Simkins.

If the attempted communication is made without the current unique MFA token, it is simply blocked. “If the MFA fails, the API call fails,” Simkins told SecurityWeek. This is automatic. The logs provide an alert to the SOC team, and security engineers can investigate the issue with the calling device. However, if the SOC team has other concerns over a device, it can manually notify the Corsha platform, and further API calls from that device are blocked, providing instant mitigation for suspicious behavior.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.