Context-based security for all your APIs
Only Salt delivers the context you need to protect your APIs across build, deploy, and runtime phases. We combine complete coverage and an ML/AI-driven big data engine to provide that context to show you all your APIs, stop attackers during the early stages of an attempted attack, and share insights to improve API security posture.
The Salt approach
Salt deploys in minutes and automatically discovers all your APIs and where they expose data, pinpoints and blocks attackers, and provides remediation insights for dev teams.
Our advantages derive from our C-3A Context-based API Analysis Architecture – with coverage across all your app environments and our big data engine powered by our time-tested ML and AI algorithms.
After evaluating multiple API security platforms, we found that only Salt Security had an architecture that could deploy in any of our environments, identify all our APIs, and recognize and block attackers before they could do any damage.
Nir Valtman, head of product and data security
The Salt architectural advantage
We collect all your API traffic – across load balancers, API gateways, WAFs, Kubernetes clusters, cloud VPCs, and app servers – to dynamically provide a full inventory. We deploy with no app or network changes and require no configuration or tuning.
AI-powered big data engine
Every one of your APIs is unique. Salt applies ML and AI in our big data engine to baseline your APIs and isolate anomalous behavior, differentiating between changes to APIs and malicious activity. By applying the context we learn, we can avoid false positives.
Salt combines our complete coverage and big data engine to discover all your APIs, see the sensitive data they expose, find and stop attackers, and capture insights for development teams to improve your API security posture.
Why WAFs and API Gateways can't protect you
WAFs and API gateways detect attacks that leverage known vulnerabilities (think SQL injection, cross-site scripting). They see traffic one transaction at a time, in isolation. API attacks are different – they target vulnerabilities in your business logic, and hackers must probe your APIs to discover these zero-day vulnerabilities. Finding and stopping API attacks requires context over time – WAFs and API gateways simply don't have this context (think a single frame vs. a movie).
The OWASP API Top 10 catalogs the most common API attacks. Salt knows what every user did an hour ago, a day ago, a week ago – and we have a baseline of what’s normal for your APIs. We use this context to find and stop API attacks. Check out our API attack video to see the difference in action.
API Security Top 10 Threats
A1:2019 - Broken Object Level Authorization
A2:2019 - Broken Authentication
A3:2019 - Excessive Data Exposure
A4:2019 - Lack of Resources & Rate Limiting
A5:2019 - Broken Function Level Authorization
A6:2019 - Mass Assignment
A7:2019 - Security Misconfiguration
A8:2019 - Injection
A9:2019 - Improper Assets Management
A10:2019 - Insufficient Logging & Monitoring
Video: API attacks - WAFs vs. Salt
In this demonstration, we use Postman to launch a combination of more traditional (SQLi, XSS) and more sophisticated API attacks. The video demonstrates the difference between what a WAF can identify and block vs. the attacks the Salt platform is able to prevent.
How the Salt Security platform works