Salt Security: Protecting the Growing API Ecosystem

James Luo
10 Feb 2022
Salt Security

Today we’re excited to announce our investment in Salt Security, the leader in API security. Salt helps its customers protect their APIs, a critical and rapidly expanding part of the technology ecosystem, by providing best-in-class visibility into and protection for customers’ full API landscapes. We’re honored to welcome Salt to the CapitalG family as we lead the company’s Series D round, and we are looking forward to supporting the team as they shape the future of API and application security.

Over the past decade, we’ve seen a remarkable technological shift toward a distributed and modularized IT stack, as best reflected by the rapid growth in cloud infrastructure and SaaS applications. In comparison to the old world of on-premises data centers and monolithic applications, the new world of distributed infrastructure and applications has unlocked innumerable benefits for organizations, such as significantly faster development cycles at much lower costs.

As enterprises have shifted to build technology in more modular pieces and to connect services across partner ecosystems, the ways in which those services communicate with each other (i.e. APIs) have become incredibly important to the modern enterprise. Today, APIs power the new digital economy.

APIs have become foundational to the modern tech stack because they enable disparate applications and services to communicate and exchange data with each other. With the rise of SaaS and the broader API economy driven by companies like Stripe and Twilio, virtually every company has critical applications and data exposed externally via APIs.

It’s no surprise that we’ve seen a dramatic expansion in API usage. For example, Postman’s private API collections have grown over 300% each year over the last three years; Apigee has seen API calls on its platform increase 50% annually; and API traffic represents well over 80% of all internet traffic. Looking ahead, the dramatic increase in API traffic will only continue.

API proliferation has heightened data security risks

Even though APIs have unlocked significant business value, they’ve also created a large new attack surface for malicious actors to exploit. As traffic between services (both internal and external) has grown tremendously, so has abusive traffic: Malicious activity grew more than 170% in 2020. Companies have already experienced multiple instances of material harm from API-related breaches.

Just in the last two years, Shopify’s Orders APIs were used maliciously to steal at least 1.3 million customer records from one merchant alone, Experian reported a leaky API that potentially exposed credit information on tens of millions of Americans, and misconfigured Microsoft Power Apps APIs exposed 38 million data records, including COVID-19 vaccination status, Social Security numbers and email addresses. The risks are so severe that Gartner has predicted that this year APIs will become the most frequent application attack vector.

Existing tools do not meet the API security challenge

Enterprises have historically used perimeter-based firewalls and/or API gateways to monitor traffic and secure their applications and data. However, these traditional solutions are inadequate to protect against modern API attacks. Firewalls typically secure only external traffic and have minimal application or service context, and API gateways miss large numbers of APIs that aren’t enrolled directly in the gateway.

These solutions lead to a no-win scenario for organizations, as security teams lack visibility and insight into API inventory and traffic, and development teams are forced to cope with cumbersome processes for detection and remediation. This organizational and technical misalignment has made it difficult to answer even the most basic question for enterprise security teams: How many APIs does our company have? Our research in this space suggests that the vast majority of organizations cannot confidently answer that simple question, much less understand when they may be vulnerable to or experiencing an actual attack.

Salt Security provides organizations with unparalleled visibility and security for their APIs

Thankfully, Salt can help. The Salt API security platform allows customers to inventory their full API landscape, detect and identify potential threats, and act quickly to prevent attacks. Salt deploys with no agents, configuration, or software changes and provides clear observability across all APIs (internal and external).

Its proprietary data engine identifies vulnerable assets before they are breached, detects active known or novel exploits in progress, and provides remediation details that empower developers to harden APIs. For example, Salt detected exploits of the recent Log4j vulnerability in its customers’ systems well before the exploit was broadly publicized and worked with those customers to harden their environment.

The power of the Salt platform has been apparent in the enthusiastic feedback we’ve heard from Salt’s customers: Salt is the pioneer in the API security market and is recognized broadly as the only truly enterprise-caliber solution.

Customers highlight the Salt platform’s ability to quickly and accurately inventory their full API catalog, generate actionable security and development insights, and provide confidence and assurance that they’re protected from bad actors. Salt also improves developer workflows by reducing the time required for manual testing and log review while providing clear, actionable steps to bolster security posture.

In short, the Salt platform allows developers to focus on building and innovating at the speed of DevOps while empowering security teams with the confidence to know they’re secure from bad actors.

CapitalG’s investment in Salt Security

We’re proud to lead the Salt Security Series D round and to support Roey, Michael, and the rest of the Salt team on their mission to secure APIs and the future of application and service communications. We’re huge believers in the Salt vision and the team’s ability to transform that vision into a reality. It’s our great pleasure to partner with them on their journey.

Special thanks to Jamie Shen for her work on this investment.

Read more about Salt Security and their quest to secure APIs across the modern enterprise here.