there so essentially what we do is we push an authenticator to an API client and then that starts to establish a dynamic identity against our platform what that means is that on a configurable interval it sends off a cryptographic heartbeat to our Ledger each one builds off of the previous and forms a chained identity on our platform that was part of a conversation that we had with Anusha Aya Anusha is the CEO and founder of Corsa a security organization and vendor that is changing the way we think about API security by implementing multi-factor authentication for apis now if you're wondering what is multi-factor authentication for apis don't worry you're not alone I was in that boat as well and we're going to find out exactly what that is in the podcast coming up with Anusha but right now it's time to take a look at our breach of the week [Music] looking at some security research that's just come out from get Guardian now git Guardian is a company that scans all kinds of assets for Secrets these are API Keys security certificates credential peers anything that you don't want an attacker to get their hands on and the report focuses on how many of these secrets were discovered publicly throughout the year of 2022 and the results are a doozy in this year's report 10 million secrets were discovered in public repositories just on github.com the results were really quite shocking over 20 percent were for data storage things like databases Amazon S3 buckets and another 20 was actually for cloud provider Keys giving an attacker or a potential attacker access to someone's Cloud infrastructure one of the standout figures from me was that one in ten developers throughout the year actually leaked a secret so this throws cold water on the idea that it's just as few Junior developers that are making these mistakes and we also saw large prominent use cases where credentials were actually leaked for organizations on GitHub what comes to mind is the Toyota t connect bridge where public GitHub repositories were hosting credentials that gave access to customer databases of Toyota the report also looks at how many secrets are actually leaked in internal and private repositories and also on companies infrastructure and it's quite alarming what we know is that API keys are leaking through source code and these are being used by attackers as a way to enter your infrastructure so what can we do about it well there's a few things that we can do we can prevent keys from going into our source code using git hooks we can scan for them we can use secret managers but what we can also do is introduce multi-factor authentication on these keys and this is something that kosher and Anusha are working on directly so without further Ado I'd like to introduce Anusha who's going to lead us in our conversation on exactly what is API and machine to machine multi-factor authentication and how it might change the way we think about security absolutely nice to be with you both here today um some new Shire I am the CEO and founder of Corsa and we're an API security company based in the DC area um in you know just outside of DC and in Tyson's Corner Northern Virginia and a little bit about my background so pretty much just an engineer by training actually I've been in the cyber security space for about a little over 20 years started off in the DC area at the naval research lab spent some time there uh moved around in this area and then prior to starting course I was with a firm called galwa and they specialize in formal methods cryptography High Assurance systems ended up managing some DARPA programs for them in that realm and a lot of that you know helped us kind of Define corsia and the the problem space we're trying to tackle you guys are helping with API security so what exactly you know are API keys for anyone that needs a refresher and how they're used and why do we need to secure this yeah great question so you know it's um when you think about API identity authentication keys when you have one service talking to another service or one machine talking to another machine right and we like to think of machine as anything that doesn't necessarily have a human identity backing it it's likely communicating over apis and that authentication ends up happening basically in one of three ways today right it's either Keys tokens certificates and uh the challenge with this is that those methods end up basically being system passwords right they're they're oftentimes static they're long-lived and you know what's really scary about them is that they're shared especially when we're talking about automated pipelines any sort of automated workflows you're going to have you know maybe workloads coming up and down and you're not going to have a way to provision a unique independent key or token per workload that easily right and so what ends up happening is these Keys become effectively the identity for those API clients that's what you're using to authenticate them and increasingly adversaries are capitalizing on this weaker aspect of identity and access management and stealing these API secrets and can you really tell in this Bearer model of authentication whether it is a legitimate API client or if it's a nefarious one yeah and it's like right if you have the API Keys you have the keys to the kingdom and uh you know and if you find one API key it may give you access to a system where you can find more move laterally so it's a it's a it's a big issue how did we end up so reliant on API Keys what kind of caused us to all pin everything on this one this one token and not add other layers yeah it's a it's a tough problem right when you talk about machine identity and these machines now are you know they're oftentimes these very Atomic things especially in application ecosystems that are constructed of tens hundreds of microservices and they're ephemeral and coming up and down how do you provision identity for these things well you know I think the that devsecops folks will will tell you that Keys ended up being kind of a natural way to do it and you can do things so you know for example take like oauth 2.0 right and you look at um flows within oauth there are a lot of good answers for using that to help humans Connect into systems right and that's oftentimes backed by proving your identity in multiple ways but when you talk about API to API or service to service communication that defaults back to something called client credential grants now the issue with client credential grants is these are specif this flow this part of the spec was specifically designed for passing authorization not meant to be used as authentication but to date we haven't there doesn't seem to be a better solution and so that's why we're still using certs Keys tokens and hopefully that's kind of our uh you know Mission at Corsa is to kind of elevate machine identity to the same level of sophistication and and control and security is human identity and access management that's interesting you would uh make a distinction there because I've never really thought about that distinction between authorization and um access um like how would you define that that fine line what is what is the difference there when I think authentication I think proving identity I have to prove to you I am who I say I am using whatever means authorization is okay once I have proven to you who I am then you have via policies via you know entitlements whatever it may be a way to say okay Anusha can't access all of these resources definitely part of the whole IAM thing but yeah the first part is like who are you it's like what can you do that that makes perfect sense right which is why you know these Keys end up being proxies for identity but if you share them then you don't have strong identity so you talked about uh you know MFA for for machine to machine identity now when I think of MFA I think I'm getting a text message or using my Google auth app getting an email right it all feels very manual when we're talking about apis and machine to machine communication typically we're talking about thousands of requests data going back and forth into you know so how how do we add MFA into this process yeah I mean you're spot on it's so automated right it's got to be self-servicing obviously you know no no uh no little robot in the mix pressing the notification button on your Google Authenticator whatever um so we've tried to use a lot of the same premises security guarantees that we get out of human MFA but bring it into the world of apis into the worlds of machines and uh have a lot of parallels there so essentially what we do is we push an authenticator to an API client and then that starts to establish a dynamic identity against our platform what that means is that on a configurable interval so you know think on the order of minutes hours whatever your your risk profile is it sends off a cryptographic heartbeat to our Ledger right each one builds off of the previous and forms a chained identity on our platform now when it's time for that machine to actually make the API call in addition to whatever its primary factor is maybe the API key for example right it now can also produce a one-time use credential off of this moving identity just a composition of what is sending off to the platform right and that one-time use cred gets kind of seamlessly added in as an extra header to the API request just like human MFA in front of the API service where we want to enforce MFA we drop our proxy that's now going to be looking for those extra headers pull them off and then check it against the out of band element of Porsche's platform right that's holding these machine identities if there's a match with the identity right this moving identity you let the call through otherwise you block it so really analogous to a totp but just kind of a stronger story actually right because it's not time based it's really one-time use and you um can operate without any kind of human involvement you mentioned there just at the end uh totp what what is it what is exactly is it is a trtp and how and how the two kind of different yeah so with a totp like say Google Authenticator right um it's generally what ends up happening is you have your authenticator app and you put in uh the code that you have in the Google Authenticator app and it's going to match it's like time synchronized with what the uh you know the the time the server has right your authentication server now what that means is it rotates generally on like a 30 second limit if someone were to get a hand on that totp code within that 30 seconds they can use it as many times as they want right versus if you have a truly one-time use MFA credential the minute that credential gets used it's worthless so I'm curious just on the pure technical implementation side of this like how how onerous is this um so I think the great worry of all developers is like oh it's one more one more thing to implement one more agent to set up one more so what is it what does this look like from practical from on the ground yeah it's a great question yeah you know the the goal here really is to take the burden off of already the oh these already overburdened personas within our our software organizations right and so a couple of the angles that we took as we were developing this and trying to really be empathetic to that to that issue particularly is make sure that this could be a no code change required solution where it really is drop in kind of a deployment or infrastructure level where it's postcode both on the proxy and the API client side and because of that we have just a bunch of different form factors to kind of fit easily into an environment so you know we tend to be a very Cloud native almost kubernetes native solution and so really easy to hook into like a kubernetes based ecosystem via Helm and drop us in as an extra Library chart and then that way it just becomes part of like natural deployments and you're not having to build it into like road maps of development cycles and things like that so if I understand correctly Corsa can kind of sit almost as a Gateway you know like uh in front of you or between let's say between your machines where they're communicating with each other and the machines also looking for certain kinds of authentication and you're basically adding another set in that that's based off what you're calling like this chain of authentication it's a rolling continuously rolling is that is that right have I got it yeah that's spot on I feel like we need to take you on the road with us now no wow look I I I I have some advantages because I know I've my whole life at the moment is all about uh discovering secrets you know and Dwayne and I both work for for forget Guardian as advocates and it's it's what I find fascinating about this conversation is that what we do is we find these secrets code we find these secrets when they've sprawled into places where they're not not we're not meant to right and try and make sure that they're confined what you're doing is a different approach and you're saying hey this is a fundamentally flawed system we need to add in another person into this this stop which you know uh will put us out of business but that's okay because it's going to make the world secure I think I think it's actually a lot of Harmony there right because and you know we recently sort of put out the survey report that I think you all probably know even far more intimately than we do kind of the extent of the problem um but what we're finding is there's still a lot of you know these primary credentials there's value in them in terms of being primary identity holding still authorization and so forth and that hygiene of like the sprawl I'm I'm fascinated by in terms of what you're actually seeing happening yeah what it definitely is uh it definitely has some Synergy and I was joking a little bit there but you know but but do you see this as something that we we could ultimately solve so I said here I said at the very start like I think of course you're like solving the bottom turtle and what I mean by that if you're not familiar with their with their the saying Turtles all the way down the world is hand up held up by turtles standing on top of each other right but there's always a turtle underneath and that's kind of what it feels like with Secrets it's always something uh underneath with this using kosher and looking into the future and adding these other elements do you think we're going to be able to move past security that relies just on apis or do you think that we're always going to have some issues with this and that we can solve portions of it or perhaps certain companies can strengthen certain elements or can we actually solve this security issue uh actually a little biased but I will say yes we I think we absolutely can solve this security issue with this type of approach and you know we have patterns of History to corroborate that right so when I go when I think back to sort of how we've seen human MFA in evolve right when we first started uh deploying human MFA it was largely um in within Enterprises right employees would come in and then they have this burdensome I've got to do this extra thing Beyond putting my password in and it became uh almost uh just natural employee enforced or Enterprise enforced mandate and then we expanded to cost of doing business increased it to Partners vendors and now you know quite frankly my mother can download Google Authenticator from an app store and knows that's best practice so we've seen this evolution of moving past just username password and that's you know everyone knows that that's not good enough and um I think the same thing that same parallel evolution is possible and will happen on the the API side where we start you know I think the analogy is we start perhaps with like internal apis within an ecosystem where you know you need the enhanced protection then extend it to third-party connections and then eventually you know the analogy is you pull down one of our authenticators from Docker Hub and you're off with it and you seated and you now have the ability to have MFA against you know a a large public API rereading your report and the that you put out recently one of the most shocking numbers that pop out of that and it makes sense but it's something I guess I just haven't ever read before um was like over 40 percent of people are managing 250 plus apis that's a lot of services tied together like that's a lot of security overhead and there's a lot of these numbers are popping out of me but maybe you could talk a little bit about like what you're finding is anything that shocked you out of that report I mean I would say that was one of the ones that was most shocking is like over 250 service accounts Keys certificates I was you know we actually do a lot of work on the federal side and I'd say that number is even higher in some of those circles especially when you're talking about like pki right because the the US government invests heavily in kind of going the pki route now I I think you're absolutely right the other thing that really stood out to me was how much time that secure security conscious organizations are spending on things like key rotation right like if you want to maintain any sort of hygiene then it's got to be a regular part of your process and it's so onerous and I'm sure you all are seeing you know the vast majority of organizations aren't even doing that no yeah that's I mean that's exactly right they're the ones that are investing the time in key rotation other areas you know we release our a report as well and and that's that's very different uh very different uh ways of looking at it so they're very complementary but one of the numbers from that is that in an average size company that has 400 developers they'll have over a thousand unique credentials that will be sprawled in 13 different places that are just in their source code like that these are like in where they shouldn't be these aren't total so it would take just to investigate all these incidents it will take a team of four appsec Engineers the entire year doing nothing else this is the problem that we're at you know and so these numbers while shocking in your report yeah I I get it it's such a big big problem what what led to this to this report here and and maybe we can explain uh to to to the listeners exactly the report that we're that we're talking about yeah absolutely so um this past month and we've been working on this obviously for a few months prior but we released a survey report um around kind of API credential usage Secrets management within organizations and we ended up uh I think you know having over 400 or so respondents within kind of devsecops software engineering infrastructure level positions uh walk through the service this you know the survey for us and quite surprising even alarming some of the results that we found and so we wanted to share it with the community um you know one of the reasons that really motivated us to do the report is is it's sort of an invisible problem because it happens behind the scenes and these vast application ecosystems are run by a few oftentimes right and uh it is you know there's so much opportunity these days to quickly spin up environments with you know the the beauty of orchestration with moving to Cloud digital transformation all of that stuff but what oftentimes is invisible is the burden of getting that Secrets management problem right and you see these alarming numbers and we know when we read them they're all accurate but unless you see them it you don't really feel it number in here that I really freak out about is that 72 percent of respondents use a secret manager yet 54 are still concerned about a potential data breach so I'm gonna there's a couple of things in there firstly 28 aren't using secret managers what are they doing so that's the first thing that I'm worried about yeah you know but of course and then the other one is that 56 are still concerned about a potential data breach well you know that's a concerning number for me because I think more should be because I don't think a secret manager is is enough a secret manager can store your secrets but it's not going to stop them from from from getting out there so it's important but that is a a great report that uh we will share the link of in the description that everyone should check out that uh course you're having to to stay in tune yeah I did one other question for you um um always curious about the names of companies like where did corsia come from like when I first heard it was like oh it's a online training company that was literally my first gut thought was like oh it's a course like Coursera and then so I'm always curious like where did this actually originate that is a great question um I'll give do you want the long version or the short version I always like long versions go for it okay so I will start with course is not our first name um our first name was actually uh was actually hashlit right and the idea was that we were lighting up logins with hash codes now um you know came the the uh interesting piece there was we did not really recognize the drug reference there and I remember going actually into a podcast reviews of webinar something like there's a panel webinar I think and the other folks on the webinar prior when we were introducing ourselves like oh where did that name come from and we're like okay this is not gonna work so then we went back in huddled and had to do a whole DBA like change the name it was like this big thing and corsha stands for at the core of what we do is secure hashing algorithms I am so glad I went with the log version yeah and I would say yeah we had like teenage kids like grown up we shouldn't run the idea by so naming is hard they had some funny stories about naming it I had her as a co-founder of a startup called compago still exists but compago we couldn't come up with a name forever so we were we typed in some words into the Latin uh kind of dictionaries and uh we were all about you know bringing connection between carers and clients and compager was connection and then it was just four years of compatio no one could pronounce it right so I wouldn't advise the Latin word and I was working for a company called sun care spelled c-u-n-c-y-r-e and it was just a years of spellings sun c-y-r-e or whatever I can't even remember now but you know startups always spell things I think kosher is a great name it was a great uh a great story behind it well thank you so as we come to the end of the podcast here just uh for other people listening obviously we're going to link uh to kosher and to the the report that we talked about here but if people want to find out more about this topic in general do you have resources places where people that they should follow to to kind of keep in touch with what's happening yeah absolutely I mean I would certainly say uh get Guardians blogs right is one that I would definitely highlight um and there are you know some great players in the API security space that are putting great content out there um it's a very emerging like fast-moving space so certainly on the likes of you know some of our friends at Salt for example right they've also put out some interesting survey reports and things like that um and just watch the news right there's so many API related incidents that we are hearing every day now um that it really helps to keep a pulse on where adversaries are moving and where they're targeting to and I'll also draw out another one of our partners um dark owl puts out some really nice content in terms of what they're seeing out there actually being manipulated and on the dark web and so forth so I think understanding the problem space and sort of the extent of where adversaries are going is huge that's fantastic well thank you so much for for being with us today um and sharing sharing not only about Corsair but also their the journeys that you've had there and what we can do with security into the future so I do hope that we'll be able to do uh more things together and again thank you so much for being on the security repo likewise thank you both for having me on yeah thanks for being here