Cameron D'Ambrosi, Managing Director at Liminal
Roey Eliyahu, Co-Founder & CEO at Salt Security
Cameron D’Ambrosi [00:00:04] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Roey Eliyahu, co-founder and CEO at Salt Security. Roey, welcome to the podcast.
Roey Eliyahu [00:00:15] Thank you very much. Excited to be here.
Cameron D’Ambrosi [00:00:18] We are excited to have you. I think this is, you know, as we were just chatting before we hit record on the trusty tape recorder here, you guys are really focused on an area of digital identity that I think heretofore has maybe been a little bit neglected. And this is an area that I think is mission critical to the continued growth and adoption of use cases across the digital identity lifecycle as we see it. I’m really excited to have you on today and to share what you’re building with our audience. But before we get there, I do always like to let my guest dive a little bit into their background. I think your background is quite interesting in terms of, you know, some of the experience you have in the cybersecurity world. So before we dive into Salt and what you’re building there, how did the idea come to you to found Salt? And would you mind walking us through a little bit of your background and how you came to gather the skills that made cofounding this company possible?
Roey Eliyahu [00:01:24] Yeah, absolutely. So, first of all, I was born and raised in Israel, if you cannot already tell by my accent, before I moved to the States. I come from a very technical, political oriented background. So I started coding when I was nine and I loved it so much. So I started being a software developer, a freelancer, when I was 11. Throughout all my years in high school I worked at it, built stuff, monetized them, you name it. But when I was 18, I joined the elite security unit of the IDF, the military, the Israeli military. I joined initially as a developer building cybersecurity systems at scale. And very quickly I was promoted to lead big, big projects, big product development in cybersecurity, defending the military infrastructure against various attack vectors, network attacks, friction, predation attacks, all the way to API-level attacks, and really seeing the huge growing threat of APIs. After that, I did a couple of roles in cybersecurity, specifically nation state level type of cybersecurity, and I really saw how there is a huge and accelerating emerging attack vector that is just being overlooked. I was just puzzled by how you can have exponential growth of APIs, and when I say APIs, I don’t mean only the APIs we expose and document. I mean any type of communication that can exchange data, right? It can be web apps, mobile apps, microservices, third party integrations, all across. Right? I think Akamai said that 83% of Internet traffic is API traffic. So essentially the majority of our data that is linked to our identity is going through APIs every day, all the time. And I looked at that and I said, wow, all these APIs continue to grow. And, you know, every year it’s easier and easier to create APIs, right? And you have all these kinds of things that can help companies and developers build APIs.
But on the flip side, they are extremely insecure, and they are so insecure that I thought, wow, anyone can learn how to hack APIs and in three months find a vulnerability in a Fortune 500 company and exfiltrate my data and your data. Securing them requires a completely different approach, because the APIs today are not the APIs that existed five years ago. And with that understanding, I just took a one way ticket to Silicon Valley, had no investment, nothing, basically just a few thousand dollars that I had. And I just took a house on Airbnb, convinced the host to let me sleep on the floor on an air bed and reduce the cost by 90%, and started to talk with customers and investors, met my co-founder, and from there the journey began.
Cameron D’Ambrosi [00:04:27] That’s amazing. And, you know, tying this all to digital identity, that statistic you mentioned about the level of traffic that is tied to APIs, if you think about digital identity, it wouldn’t surprise me if even more of a percentage of the digital identity traffic was API driven. You know, we’re seeing, as companies continue to build out their identity stacks, layering in so many different vendors and building their platform with the help of a bunch of really killer technology in the space. But so much of that is being driven by API traffic. And if you are not securing that API, it kind of doesn’t matter if you have high security in terms of making sure, like, okay, does this person’s face match their document and is their document authentic and all that, when someone could sit on the transmission of that data after the fact and tamper with it, intercept it, modify it, whatever the case may be. You know, I think folks are neglecting a key piece of the puzzle if they’re not paying attention to how their APIs are being secured.
Roey Eliyahu [00:05:41] Yeah, I think that the number one impact for an API breach is the expectation, right? If you look at what happened in Equifax and Peloton and Geico and so on, it’s enough to have one API vulnerability. It’s binary, everything or nothing. So the ability of taking all Social Security numbers, or all financial history, or all the passwords, and leaking information on, you know, anything you upload to a platform that should be exposed only to you. But suddenly an attacker comes in and grabs everything because of one mistake in the API and how it’s been coded. Unfortunately, there are so many different possibilities for having these vulnerabilities that it’s very hard to get them all, and it’s also continuously changing. So if you did something, you know, tomorrow you can have another call or API again. So definitely when we think about identity and our data, my and your personal information is going through probably thousands of APIs every day, right? You go into a Zoom meeting or any type of conference meeting, everything is going through an API: your video, you sending an email, you recording a podcast, all through the platform, right? It’s you buying on Amazon or shipping something. It’s literally everywhere. And every time you log in and put your name or put any details about you, about where you are, your address to ship to, or payments, everything like that. You order, you book a flight, all the intricate information you click is going through an API. So it’s definitely becoming a huge area of risk for companies because it’s just a treasure chest for attackers, right? There are so many and it’s continually growing.
Cameron D’Ambrosi [00:07:37] So, you know, toward that end, I think most people, and again, I’m not an engineer and I probably have what I’d consider to be an advanced layperson’s understanding of these technologies, I think most people think, okay, there is security on these things. Like, I can’t just hit, I don’t know, the Equifax API and start pulling down random people’s Social Security numbers, for example. But I know one of the things you wanted to really unpack here today is the difference between authentication and authorization and the fact that, you know, 95% of API attacks are authenticated. To unpack that a little bit, I think what you’re driving at there, and correct me if I’m wrong, is authentication means like I somehow managed to get a valid credential to hit that API, I got some API key, it was stored in plaintext or I hacked it or something of that nature, as opposed to authorization, which means like, am I the right person who should be accessing this system regardless of if I had the secret code or not. Is that fair?
Roey Eliyahu [00:08:40] Yeah. I’ll give you, like, a great analogy for it. Think about an API or a company as a hotel. Authentication will be your ability to get in the main gate or the main door of the hotel, or going to the seventh floor, for example. Authorization will be the ability to go to a specific room, or more specific. So for me that’s like a good equivalent of the authentication versus authorization problem. It starts with someone saying they stay in a certain room but they can go into any other guest room in the entire hotel and grab all their stuff because of an authorization flaw. All right. So that’s why authentication can help verify, hey, there is a person that can use this platform. Like, you know, I’m a user of Facebook, I can go into Facebook. So that’s why it’s easy to get yourself authenticated: you can just sign up, or I can buy credentials on the dark web for $50 for a lot of platforms to get one. But through this one, you can actually find a vulnerability to get access to all other users’ information. Right? So that’s how I think about it. And I can dive a little bit deeper into how it’s being done and what the misconceptions are on this, because there are a lot, by the way. I think you touched on the first one, but let me pause here, see if it makes sense.
Cameron D’Ambrosi [00:10:07] Yeah. No, I think that makes sense to a great degree. And in terms of where you see the current vulnerabilities, and I guess how you’re attempting to help platforms solve these vulnerabilities, is it that traditional API key infrastructure is just not up to the task, whether it’s because they can be cracked or people are just storing API keys in willy nilly ways that can be compromised? Or, you know, how are you seeing the current vulnerabilities being exploited by these threat actors? And how is Salt helping to solve for those more specifically?
Roey Eliyahu [00:10:47] So let me explain. So it’s less about, although it can happen, but it’s not the common case, stealing or leaking tokens or anything in plaintext. It’s not about, hey, I will steal someone’s key, you know, let’s take the hotel analogy, it’s not about stealing someone’s key and getting into the room. It’s more about how I can use my key to get to someone else’s room. Then you probably ask yourself, how is it possible? So if you think about APIs, APIs have multiple layers. You have different API calls that do different actions, like make a payment, update my user profile, right? See the last notifications on Facebook, send a message. And you have thousands of those, you would not believe how many. For every new action, every piece of information you see on your screen, there is some API call that does that. It’s incredible. Now in every one of those you have a lot of different parameters, right? If I update my user profile, I need to give my new name, my first name, last name, email, whatever it will be. And there are hundreds of those. It’s not only your user inputs, a lot of things in the backend. So you have hundreds of thousands of parameters on every API call and you have thousands of API calls, even in smaller companies. In big companies it can be much larger, by the way, in a single API. So you have a lot of combinations. And one of the most common vulnerabilities in APIs, and I’ll explain it to you because it’s very easy to understand and it’s extremely common, it applies to probably 40% or so, in the last three years it has taken different forms but embodies the same concept, is what is called BOLA, which is Broken Object Level Authorization. Number one attack in the API Top 10, which defines the top threats for APIs. And it’s basically the ability of using my authentication, my token, my identity essentially, to access someone else’s. And the way it works is really simple.
I will authenticate myself and I will go to my, let’s say, you know, think like Facebook, an example everybody can relate to, and I’ll get to my profile. Right. In my profile, I can see maybe specific things that are private to me. Maybe I’ll switch it to a bank account, easier to understand. Right. So, you know, no one should be able to see my bank information, right? My financial transactions, all my private details, account numbers and so on. And then in the API call, there is this parameter that says it’s me, like user ID 5, it’s Roey. But you are, for example, user ID 10. So all an attacker needs is to change this 5 to a 10, and there is a missing check that 10 does not belong to me, because 10 is not part of the token. Apart from the authentication token, it is just another parameter out of hundreds or thousands in a single API call that you just change. Now you may think, wow, it’s very simple, you just need to validate it. The problem is that you have thousands of those and they change, and even if you got 999 correct and you checked them, it’s enough to have one that you can just change and just grab someone else’s data. And it happened in the biggest companies in the world several times, by the way. So it’s super simple to get access, to probe around and then find one missing check, just enumerate and just exfiltrate millions of users’ information.
Cameron D’Ambrosi [00:14:19] That’s, I mean, maybe terrifying is the right word for that. But I think I cut you off when you were talking about how you guys are working to challenge these threat vectors.
Roey Eliyahu [00:14:31] Yeah. And I’ll address that. And it would be unbelievable for you if you saw all the examples of vulnerabilities with the exact same vulnerability form: how in Facebook you can get anyone’s private messages, all the way to YouTube, where you can delete any video for anyone, all the way to actual data leaks in financial companies and so on, so forth. So that’s the main thing. So if I could go back to the start. When I started the company with my co-founder Michael, we thought this problem seems to be simple, but it’s actually extremely complex because every API is different. Every company builds their own API. So there is no real standard, there are architectural guidelines, but everybody, you know, develops their own because they have different applications. It’s not an off-the-shelf product like a corporate system that you just use as is; you need to build your own software. We realized that without context of the API, how it’s being built, how it should be accessed, what data should be exposed to whom and how much of it should be exposed, it’s impossible to detect all these attacks. Because maybe in Facebook, like I said, anyone can see your profile, right? And that’s fine. That’s part of the business logic of the API that was developed. But in a bank account, nobody should be able to access your bank account information. It’s not a Facebook page. This context is something you know, but the tools that exist today, the same ones that existed in the last 20 years, do not know it. They’re looking for known things. They’re looking for known attacks. So the equivalent would be like a metal detector, right? They’re looking for metal. We are saying that the attacks, or the weapons, are not made of metal anymore, but can be in a lot of different shapes and forms because every one of them is unique. So what we built in Salt is something using a completely different approach.
We looked at big data as the key component to how we can process a massive amount of information, because most APIs actually require this massive amount of information. It’s not just one API call; typically it’s days or weeks of API calls, which is essentially a lot of dots you need to connect in order to see the bigger picture. So we created the Salt Security platform, whose underlying infrastructure is big data and specifically ML, and with it we do three main things. The first one, we help companies understand what APIs they have, because it may seem obvious, but it’s not. When you have thousands of APIs that are changing every day, we see statistically that 70% of APIs are actually shadow APIs. This means the organization doesn’t know they exist. They aren’t documented anywhere. They had no idea. They’ve just been built and exposed. So we help them discover all APIs and all the sensitive data of their users, of their customers, all throughout their APIs, so they have a complete understanding compared to what they have today. Secondly, we help them detect and prevent attacks. We turn it on and we baseline the behavior of the users in the API: how data should be accessed, by whom, how many, in what order and so on, and a lot of different behavioral features of the users in the API. So when an attacker starts to probe the company’s API for vulnerabilities and looks for these holes, we’ll be able to detect this abnormal behavior. Right. Because you, as a user of a bank account, do not attempt to access someone else’s bank account, or you do not change account IDs and location numbers and try to get access and get denied in 500 places. We’re actually looking at basically all of those. So if there is any slight manipulation, we’ll track you specifically and we’ll see what other actions you are doing. We connect it all together, similar to a credit score.
Just looking at API activity, we will tell, based on your API credit score activity, kind of. We will tell you, okay, this is not abnormal; this is abnormal but malicious. Right. Which is a big difference. We will pinpoint this user and we’ll say, hey, Roey on this platform or this API is actually attacking, or it’s an actual attacker that’s looking for vulnerabilities. Boom, block access and don’t allow them to interact with the API anymore. So that’s kind of the second component, runtime protection. And the third component, which is a more long-term strategy, we call it shift-left security. So it’s essentially helping companies build more secure APIs in the first place. It doesn’t apply to all the existing APIs they built, but you definitely want them to start building more securely in the first place. You don’t want to just fix after the fact. So that’s kind of the three components: discovery of APIs and sensitive data, the attack surface; second, runtime protection against attacks; and third, helping them build more secure APIs.
Cameron D’Ambrosi [00:19:27] So how has the market response been? I think in some ways reactive security postures have been, sadly, I don’t want to say the norm, but more common than one might hope. And for use cases like this that are maybe not the thing that makes headline news in the absence of a major data breach, it has been hard to get the attention of the key stakeholders required to, you know, implement and purchase such a solution. Have you been excited by the response you’ve seen out in the market? And how has growing the business gone in terms of attracting the attention of the CISOs and other folks who need to actually, you know, deploy something like Salt? You know, do they need to be breached or have a major leak in order to be interested? Or have you been pleased with the response of folks proactively getting out in front of these threats without having already been, you know, nailed to the wall?
Roey Eliyahu [00:20:28] Yeah. In the last two years, very pleased. I think the market and the category emerged and matured in the last couple of years, and it’s actually changing every month. So when we started five years ago, everybody was interested, but there was no real project around it. It was not concrete. They definitely agreed, hey, this is super interesting, like all the things you say are right. But it didn’t translate to actions yet. We helped facilitate the OWASP API Top 10. We helped educate Gartner and other industry analysts a lot about the threats. I think the market and the category emerged enormously. So last August, Gartner announced API discovery and protection as a new category that needs its own set of tools, which was huge. OWASP, with our help, created the OWASP API Top 10, and it’s something that enterprises are strictly following for what the latest and greatest attack vectors are. So in the last two years we experienced tremendous growth, just in terms of stats. In 2020, we did 3% in revenue. In 2021 we did 500%. Anyway, I’m talking about, you know, serious figures, and specifically 900% in the Fortune 500. So I’m not sure which things I can say or not and which are on the website or not. But I can say, you know, all the way from Fortune 20 type banks and retail, all the way to Fortune 500 in all the different verticals, from healthcare, financials, insurance, tech. You can see a lot of different names of the most sophisticated buyers. And today when we come in, you can see clearly that more and more understand that it’s a problem that needs to be addressed, and it’s not something that will be resolved with the API gateway or with the WAF, because it’s a completely different thing you need to address differently and strategically for the company. Because companies in COVID accelerated their digital transformation, right?
They suddenly became reliant on their digital business to generate revenue. And guess what? Digital equals API. You don’t have other forms of information that are not API driven. So it’s definitely been extremely, extremely pleasing, as you mentioned, in the last year, and it’s becoming better and better, I think, every month.
Cameron D’Ambrosi [00:22:57] I love it. And, you know, I really think the beauty of this platform you built is everybody needs it. You know, to your point, the Internet is effectively APIs in this day and age. And there isn’t a company that has an API that should not be thinking about security first and foremost, or at least, well, I would hope as a consumer with my data whizzing around the broader Internet, that every single CISO and CEO is thinking about how to secure those APIs. Would you say that COVID and the shift to remote had an impact on that? I think broadly across the digital identity space, we saw COVID and the resulting lockdowns and quarantines as, you know, kind of a come to Jesus moment, in slang terms, around adoption of mission critical digital identity technologies. You know, did you see an uptick due to that? Or do you think that’s just coincidental, in that it was really just about the realization that current API security paradigms were just not up to the task?
Roey Eliyahu [00:24:01] Definitely the former. We saw a huge uptick. So we are releasing a State of API Security Report, which is based on our own data from our customers, statistical data on how APIs are growing and the number of attacks and trends and so on, and also based on surveys, what people experience, pains, challenges and so on. And you could see a huge uptick in attacks going into COVID, and a huge uptick in API growth, not only within our customer base but externally as well. And it makes a lot of sense, because if you think about it, companies shifted and they have no branches anymore. Like in COVID, the doors closed. So if you are at McDonald’s, for example, you go to a store and you order, or whatever it is, and you can go to the cashier and, you know, order something, anything. That all came online. So the number of people signing up to different services, online services, digital services, just went up, and they wanted to do more. So priorities at the company level became much more digital first, and in line with digital, which translates to a lot of APIs. So literally the word APIs was surfacing again and again on a broad level, because you needed to shift priorities urgently in the pandemic. And then the following question was, how do we secure all of these APIs we are building? What’s the security aspect of it? And then the CISO needs to address it, right? So they ask, okay, what do we do about security? What do we do about the more and more mobile apps that we are launching now to address the business need? And I think that started the conversation with a lot of urgency around API security, so it’s definitely linked to it. In addition, by the way, to contributing factors like breaches that happen. Right. And we see on a monthly basis about two incidents, vulnerabilities or breaches, that are happening through APIs.
So I think that the combination of the pandemic and digital transformation and the movement to the cloud and microservices all together accelerated the awareness of this problem.
Cameron D’Ambrosi [00:26:11] So I have heard that you have your magic crystal ball with you while you’re on the road traveling, and I would love for you to dust it off and help me make some predictions for the future of what you expect to see in the space. Sky’s the limit in terms of where you want to take this question. But I would love to hear your perspective on, you know, what we can expect to see in the realm of API security over the next few years.
Roey Eliyahu [00:26:36] So I will go broader, right, for a few years, and then I’ll go short term for 2022. So I think today if you look at the space, you see there is a big umbrella of application security, right? You can see different umbrellas in cybersecurity, and each of them contains a few categories. So we have application security as the big umbrella and under it you have API security, application protection, graph, your bot mitigation, you know, you have dynamic application security testing for preproduction, and a lot of other tools under application security. My belief, and my strong belief, is that API security will be the big umbrella for a lot of different categories under API security, because if you think about what made application security the big umbrella, that people are spending on application security, broadly speaking, you know, tens of billions of dollars a year, what made it the umbrella or the bigger theme is that all of them have applications. Right. But now APIs are actually becoming bigger than applications, because applications are one use case for an API, but you have APIs not through applications. You can have different systems like a Salesforce and a Slack and whatever it is being connected through a gateway. And so, even with applications, similar or different kinds of use cases, and all these topics like bots, it’s also for APIs; graph is for APIs; and DAST as well, you know, you want to test for analytics for APIs. So my belief is it will actually switch, and API security, from a category that has emerged today, will become the common theme for all these categories, and it will be all part of any security platform. So that’s my belief, and, you know, I cannot put a finger on it.
It will be in two years or four years, but I think it will be faster than what we anticipate because the growth of APIs is not linear, it’s exponential. So everything we believe is like the release of the first iPhone, right? If you asked someone a year before that how many smartphones or touch screens and so on you would have, you probably would not anticipate the answer that after a couple of years the majority of the world would hold an iPhone, or later on, you know, Android and so on, a smartphone. Right. I think it’s very similar in that sense. It’s growing very rapidly. So that’s for a little bit longer, you know, two to five year type of prediction. My sense for 2022, I think it will be a big year for people getting themselves educated about API security. I think there are two groups in the market. One group, which is probably the 20%, understands that authentication, API gateways, WAFs, all of those are not API security solutions and are not going to help them address API threats. And they know what they’re looking for. They know how to evaluate a security solution. And they know they need to do something about it. I think there are still 80% that think, oh, I have an API gateway, I have a pentest for this, I have the things I did ten years ago and they are valid today. And I think in 2022, this 20/80 or 10/90 split will switch to, you know, I don’t know, I hope 50/50 or 60/40 or even more. But definitely I think it will be a big leap for API security from an awareness and education perspective. Same as people realized that AV is not enough and you need another solution. Same as people understood that if you moved to the cloud you need cloud security solutions. You moved to APIs, you need an API security solution. So I think it will be a big year for people getting themselves educated and starting the acceleration of the category.
Cameron D’Ambrosi [00:30:33] I love it. Fantastic to chat with you today. Really appreciate it. And again, so excited about what the future holds, and really grateful that, you know, you’ve been putting this product out into the market, because I think it’s addressing this critical need. And thank you so much for your time. I really appreciate it. One last opportunity for a shameless plug before we wrap here: for folks who are listening who maybe got a bad feeling in the pit of their stomach about the security of their APIs and immediately want to reach out, learn more about Salt or get in touch with you about how they can deploy Salt in their business, what is the best place for them to go?
Roey Eliyahu [00:31:14] Yeah, so go to our website at salt.security. There is no dot com, so it’s just salt.security, like our name, and you’ll find a variety of things if you’re interested to learn more about what we do and our solution. Of course you can request a demo and get an answer right away, but if you just want to learn about the space and the problem, just to get yourself educated, we have a very technical blog you can read about this, the top API threats, very practical, no marketing B.S., real stuff about what happened, all the way through the technical details, and other materials. We have Salt Labs, which is a research space related to Salt, just to educate, to explain and to show examples of different vulnerabilities and what happened. So we have a lot of great materials there to get started. And of course, we’re always happy to talk to you, regardless of whether you want to buy a solution or not, because we see ourselves as the creator of the category and we are on a mission to really educate about the space. So regardless, we’d love to speak with you and help you get yourself educated, even if it will be three years from now. So that’s kind of our goal.
Cameron D’Ambrosi [00:32:27] Amazing. Roey, thank you again so much. Really appreciate your time. I know it’s so valuable. We’ll be sure to include those links in the show notes below, and I’m looking forward to catching up with you again.
Roey Eliyahu [00:32:38] So thank you very much for having me. It was great fun.