The Salt Security team attends a global sales kickoff event in Chicago in 2021. (Salt Security)

Proving that there’s still a strong interest from the funding community for the right technologies, application programming interface (API) company Salt Security on Thursday announced $140 million in Series D funding that takes its valuation to $1.4 billion.

Salt Security believes that the new funding round solidifies it as one of the leaders in the API security field. The company offers what it calls "full lifecycle API capabilities," including automated API discovery, pre-deployment analysis, attack detection and prevention, and API-focused security posture insights.

“Investment might be cooling, but the threats are not,” said Roey Eliyahu, co-founder and CEO at Salt Security. “Demand for API security has surged with businesses needing to protect the APIs driving their digital transformation, application mobilization, and other IT modernization initiatives. This [latest round] of funding is an amazing validation for our vision, which is to accelerate business innovation by making APIs attack proof.”

The VCs are wise to invest in promising startups solving important problems to help organizations reduce their attack surfaces, said Melida Marks, a senior analyst at the Enterprise Strategy Group. Marks said API security has become one of those growing urgent problems that organizations need to address. She added when considering the top tech adoption trends — including cloud adoption, agile software development, hybrid work, the increase in web applications, online business transactions, usage of IoT devices — they all use an increasing number of APIs.

“This increases the attack surface, making APIs an attractive target for attackers,” Marks said. “Organizations want solutions that can help them identify and map out the APIs, and ensure they aren’t vulnerable to attack. Salt has been addressing this problem for a while, helping companies detect and stop API attacks, and more recently have been adding some shift left features to bring secure processes into development. I think the investments [in security from the VCs] will continue. But the large funding rounds put a lot of pressure on the security companies to perform, and we may see some eventual flops that encourage the VCs to be more careful. VCs realize there’s no sure thing, but are willing to bet on the chance of a huge payout.”

Why there’s so much focus on APIs

The disintegration of the network perimeter has resulted in a plethora of new perimeters for devices, data, and applications, explained Frank Dickson, program vice president for security and trust at IDC. Dickson said for internet-accessed applications, whether the application is SaaS or developed in-house, the API has become the new perimeter.

“Applications must have robust APIs to enable the integrations demanded by digital transformation,” Dickson said. “Such robust APIs can also serve as a golden ticket for cybermiscreants, providing unfettered access to corporate data, applications and systems. Securing robust APIs thus becomes critical to an organization’s survival. Salt Security is one of a host of providers looking to capitalize on the market opportunity.”

Michael Isbitski, technical evangelist at Salt Security, added that attackers target APIs with techniques that practitioners often describe as “low and slow.” The attackers use a combination of passive reconnaissance, stealthy probing, and throttled requests to abuse the business logic of APIs that take days, weeks, or months to unfold to execute data exfiltration, account takeover, and fraud.

“These attack patterns differ drastically from the more well-understood, ‘one-and-done’ style web application attacks like SQLi or XSS,” Isbitski said. “Existing enterprise security tooling such as WAFs and API gateways are insufficient because they can’t provide necessary API context or visibility into data exposures. Those traditional controls also can't stop API threats during runtime. WAFs and API gateways are by design reactive, not proactive, relying on signatures and rules to provide some level of efficacy for well-known, pre-defined exploit patterns.”