API Protection Firm Salt Security Raises $20 Million

API security startup Salt Security has raised $20 million in a Series A funding round led by Tenaya Capital. With the increasing rate of business transformation, cloud adoption, and remote working, APIs are rapidly becoming the heartbeat of online business; but they cannot be adequately protected by traditional proxy-based security controls.

Akamai reported that by the end of 2018, API calls represented 83% of web traffic. "The majority of API traffic is for custom applications, which is the result of digital transformations and cloud-based application deployment. For security teams, growth in API volume is important when considering risk, because some security tools are not equipped to manage API traffic."

Gartner has predicted that "by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than user interfaces, up from 40% in 2019."

To help protect this relatively new but rapidly expanding attack surface, Salt Security has developed an API Protection Platform. It uses big data and artificial intelligence to find and monitor all of a customer's APIs, and from this develops a baseline of normal behavior for each API. Deviations from the baseline potentially indicate an attack against the API; they can be either automatically corrected by calls to other controls (such as firewalls), or reported to the SOC team with recommendations for remedial action.

The platform also reports the API vulnerability being exploited to the DevOps team responsible for the API -- again with explanation and recommendations -- in a form of digital biofeedback. This feedback makes vulnerability discovery a learning point that feeds back into the development team to improve future API developments.

The Open Web Application Security Project (OWASP) describes APIs as "a foundational element of innovation in today's app-driven world." It continues, "By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible."

Roey Eliyahu, CEO of Salt Security, gave SecurityWeek an example: the 2018 Facebook breach that allowed hackers to collect 50 million Facebook records. "The hackers found an API vulnerability that allowed them direct access to the profiles of named accounts," he said. "In this case, it required 50 million API calls, but in other API vulnerabilities you might be able to bring the service down, or request a data dump -- it all depends on the API in question and the vulnerability discovered.

"Salt Security prevents attacks that are impossible to detect with traditional security point-products," he said. "We are the only vendor in the space that can protect against all threats listed on the Open Web Application Security Project (OWASP) API Security Top 10 in addition to other increasing API-related security risks. Our expanding customer base is firmly focused on driving digital transformation, and our solution enables them to innovate and confidently secure the APIs driving critical technological advancements for their business."

Salt Security was founded in 2016 by Michael Nicosia (COO) and Roey Eliyahu (CEO). The management team have largely come from the intelligence arms of the Israel Defense Force (IDF). Like so many recent Israeli cybersecurity start-ups, the firm has moved its commercial head office to the U.S. (in this case, Palo Alto, California), while maintaining R&D in Israel to take advantage of the continuous emergence of cybersecurity expertise from the Israeli military.

The firm emerged from stealth in January 2019. By that time, it had received a total of $10 million in seed funding. Today's Series A round brings the total investment in Salt Security to date to $30 million. "The new money," Eliyahu explained, "will be used to expand the R&D center in Israel, with new staff, and to invest in the IP of the product. Many of our employees, like myself, have come from the elite cybersecurity units of the IDF, and we will continue to leverage this source of knowledge. The money will also be used to expand the sales and marketing team in the U.S."

*seed funding amount has been updated

Related: The Next Big Cyber-Attack Vector: APIs 

Related: Elastic Beam Emerges From Stealth With API Security Solution 

Related: Compromised AWS API Key Allowed Access to Imperva Customer Data 

Related: U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.