API security firm 42Crunch has raised $17 million in a Series A funding round led by Energy Impact Partners and joined by Adara Ventures. $17 million in a Series A round, especially outside of the U.S., is a strong indication of confidence in the technology from the investors.
42Crunch provides an application programming interface (API) ‘micro firewall’. APIs are a serious and growing threat vector. In 2019, Gartner stated, “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” Its proposed solution was, “Use a Combination of API Management and Web Application Firewalls to Protect APIs, in Conjunction with Identity Infrastructure.”
This advice is clearly not getting through. On April 28, 2021, Brian Krebs explained an API weakness in an Experian partner website. The flaw had been discovered by researcher Bill Demirkapi while looking for student loan vendors online. The website offered to check his loan eligibility by checking his Experian score. It did this by combining his name, address and date of birth with a call to an Experian API. But the API was flawed.
“Demirkapi found the Experian API could be accessed directly without any sort of authentication,” wrote Krebs, “and that entering all zeros in the ‘date of birth’ field let him then pull a person’s credit score.”
Earlier in April, Ahmad Talahmeh discovered that he could effectively remove a Facebook video belonging to someone else. “Anyone can trim any live video on Facebook,” he wrote. “Trimming video to 5 milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it.” It was a Broken Object-Level Authorization (BOLA) vulnerability in Facebook’s video editing API (now fixed by Facebook).
These are just two recent examples of a growing number of discovered API flaws. Other flaws can lead to breaches, although it is almost impossible to tell how many compromises have been conducted via APIs, since company breach disclosures rarely go into so much detail.
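The Broken Object-Level Authorization class named above, as an added example that is not from the original article and is not Facebook's code: a trim handler that trusts a client-supplied object ID, beside one that checks ownership on every request. The `Video` record, the in-memory store and the function names are all hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller is authenticated but may not act on this object."""

@dataclass
class Video:
    video_id: str
    owner_id: str
    duration_ms: int

def sample_store():
    # Constructed sample data: two users, one video each.
    return {
        "v1": Video("v1", owner_id="alice", duration_ms=60_000),
        "v2": Video("v2", owner_id="bob", duration_ms=90_000),
    }

def trim_vulnerable(store, caller_id, video_id, end_ms):
    # BOLA: the object is fetched by an ID taken from the request and
    # modified without comparing its owner to the authenticated caller.
    # caller_id is known to the handler but never consulted.
    video = store[video_id]
    video.duration_ms = min(video.duration_ms, end_ms)
    return video

def trim_hardened(store, caller_id, video_id, end_ms):
    video = store.get(video_id)
    # Object-level check on every call. "Not found" and "not yours" raise
    # the same error so the response does not confirm which IDs exist.
    if video is None or video.owner_id != caller_id:
        raise Forbidden(video_id)
    # Validate the requested range before applying a destructive edit.
    if not 0 < end_ms <= video.duration_ms:
        raise ValueError("end_ms outside the video's current length")
    video.duration_ms = end_ms
    return video
```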
42Crunch offers a new approach to securing APIs: an individually tailored micro-firewall that is embedded within the API it is designed to protect. “Eighty-three percent of internet traffic now comes from APIs,” comments Jacques Declas, CEO and co-founder of 42Crunch, “but traditional firewall approaches are not adapted to cope with the specific threats that APIs create.”
Declas’ solution is to provide developers with the automated tools to build the micro firewall into the API at development. “Development has changed in the past decade, becoming extremely agile, with the adoption of loose coupling architectures and Kubernetes,” said Isabelle Mauny, co-founder and CTO. “The cost of fixing security flaws at production time is a major issue for enterprises. Our mission is to make API threat protection as agile and automated as development.”
Nazo Moosa, co-managing partner at Energy Impact Partners, added, “42Crunch’s ‘shift-left approach’ to the creation of secure-by-design APIs fits strongly with EIP’s vision of protecting global critical infrastructure. The company’s six-digit customer wins last year were catalytic to our decision to lead the round… our goal is to help 42Crunch build on this commercial traction and expand in the US, APAC and Europe.”
42Crunch, based in London, UK, was founded in 2016 by Isabelle Mauny (CTO), Jacques Declas (CEO), and Philippe Leothaud (CSO). It has now raised a total of $20.6 million.