APIs make the world go round in tech, but that also makes them a key target for bad actors: as doorways into huge data troves and services, malicious hackers spend a lot of time looking for ways to pick their locks or just force them open when they’re closed, in order to access that information. And a lot of recent security breaches stemming from API vulnerabilities (see here, here, and here for just a few) show just how real and current the problem is.
Today, a company that’s building a network of services to help those using and producing APIs to identify and eradicate those risks is announcing a round of funding to meet a growing demand for its services. Salt Security, which provides AI-based technology to identify issues and stop attacks across the whole of your API library, has closed $70 million in funding, money that it will be using both to meet current demand and to continue building out its technology for a wider set of services and use cases for API management.
The funding is being led by Advent International, by way of Advent Tech, with Alkeon Capital, DFJ Growth and previous backers Sequoia Capital, Tenaya Capital, S Capital VC, and Y Combinator all also participating.
Salt, founded in Israel and now active globally, is not disclosing valuation but I understand from a reliable source that it is in the region of $600-700 million.
As with many of the funding rounds that seem to be getting announced these days, this one is coming on the heels of both another recent round and strong growth. Salt has raised $131 million since 2016, but nearly all of that — $120 million, to be exact — has been raised in the last year.
Part of the reason for that is Salt’s performance: in the last 12 months, it’s seen revenue grow 400% — with customers including a range of Fortune 500 and other large businesses in the financial services, retail and SaaS sectors like Equinix, Finastra, TripActions, Armis, and DeinDeal; headcount grow 160%; and, perhaps most importantly, API traffic on its network grow 380%.
That growth in API traffic underscores the issue that Salt is tackling. Companies these days use a variety of APIs — some private, some public — in their tech stack as a way to interface with other businesses and run their services. APIs are a huge part of how the Internet and digital services operate, with Akamai estimating that as much as 83% of all IP traffic is API traffic.
The problem, Roey Eliyahu, CEO and co-founder of Salt Security, told me, is that this usage has outpaced how well many manage those APIs.
“How APIs have evolved is very different to how developers used APIs years ago,” he said. “Before, there were very few, and you could say they were more manageable, and they contained less sensitive data, and there were very few changes and updates made to them. Today with the pace of development, not only are they always getting updated, but you have thousands of them now touching crown jewels of the company.”
This has made them a prime target for malicious hackers. Eliyahu notes Gartner stats that predict that by 2022, APIs will make up the largest attack vector in cybercrime.
Salt’s approach starts with taking stock of a whole network and doing a kind of spring clean to find all the APIs that might be used or abused.
“Companies don’t know how many APIs they even have,” Eliyahu said, noting that some 40%-80% of the APIs in existence for a typical company’s data are not even in active operation, lying there as “shadow APIs” for someone to pick up and misuse.
It then looks at what vulnerabilities might inadvertently be contained in this mix and makes suggestions for how to alter them to fix that. After this, it also monitors how they are used in order to stop attacks as they happen. The third of these also involves remediation “insights”, but carrying out the remediation is done by third parties at the moment, Eliyahu said. All of this is done through Salt’s automated, AI-based, flagship Salt Security API Protection Platform.
There are a number of competitors in the same space as Salt, including Ping, and newer players like Imvision and 42Crunch (which raised funding earlier this month), and the list is likely to grow as not just other API management companies get deeper into this huge space, but cyber security companies do, too.
“The rapid proliferation of APIs has dramatically altered the attack surface of applications, creating a major challenge for large enterprises since existing security mechanisms cannot protect against this new threat,” said Bryan Taylor, managing partner and head of Advent’s technology team, in a statement. “We continue to see API security incidents make the news headlines and cause significant reputational risk for companies. As we investigated the API security market, Salt stood out for its multi-year technical lead, significant customer traction and references, and talented team. We look forward to drawing on our deep experience in this sector to partner with Salt in this exciting new chapter.”