Helping Developers Secure APIs

Escape Team.

Everyone who uses online applications depends on application programming interfaces (APIs). APIs are the “data pipelines of the world,” say Tristan Kalos and Antoine Carossio, co-founders of the API security startup Escape. However, the vast majority of APIs have security vulnerabilities that hackers can use to steal data or cause other mayhem.

Escape enables developers to secure their APIs by helping to spot security vulnerabilities before they can be exploited. This is Escape’s story.

From Software Developer to Founder

Tristan says the initial idea for Escape came from his experiences as a software developer. At one point, a client came to him with a mysterious problem. 

“When I was like 20 years old, I started working for companies here in the Bay Area,” he says. “I was building applications for them, and one day, one of my customers… told me, ‘Tristan, I don’t get it, the application that you created for me, it’s not working anymore.’”

The problem turned out to be serious. “I found that the database of the application was empty, completely empty, and there was only one single message inside of it: It was, ‘Do not worry, your data is safe, in order to get it back, pay 10 bitcoins to this address.’ So it got hacked.”

Tristan realized that he didn’t actually know how secure his applications were. That was a tough wake-up call, but it eventually inspired him to start a company with Antoine to address the problem.

“So fast forward three years; we were in [the MBA program] at Berkeley… and I met with Antoine, who was an expert in cybersecurity and was working at Apple previously. And I saw that he had the knowledge necessary to help me with securing the applications that I was building. So we decided to solve this problem at scale together. And we both wanted to create a company, and here is Escape.”

API Security

Antoine explains that APIs are a critical, but often overlooked, component of much of what we do online. 

“The API basically is the communication layer between your application and the database,” and everyone who uses an application has to go through one to access the data that the application uses, he says. “So that API is a really sensitive layer in your application stack.”

Unfortunately, as Tristan learned, APIs are often insecure and can be compromised by hackers. And because application security may not be their area of expertise, developers can fail to catch these security holes before a customer has a problem.

“What usually happens is that every six months or every year, you are audited by professional or ethical hackers, and they try to hack your application,” Antoine says. “They find vulnerabilities in your app, they report them to you, and you have to fix them. The problem is that during six months, during one year, maybe you could leave some vulnerabilities [in] your production. And so all [your] customers are unsafe at that point.”

Escape helps alleviate this problem by enabling developers to secure their own APIs before delivering applications to customers. “We generate realistic requests and continuously fire them at API endpoints in development,” he says. “Companies like Neo4J use us to spot security vulnerabilities before they hit production.”

Technical Blogging

Tristan says that like most startups, Escape tried several different marketing channels like emails and in-person networking. However, what was most effective for them was using their own team to write technical blogs as a form of content marketing. 

“What has worked absolutely very well for us… is creating content, good quality content, and sharing it in the right groups,” he says. “So for developers, it’s Reddit, it’s dev.to, it’s Hacker News, all those platforms where all the developers are spending their days. [We had] a huge content strategy from day one, and [clients] just came by themselves to Escape.”

Tristan agrees that technical blogging has been the company’s most productive form of marketing. “We leveraged the technical team in order to do marketing [and] build the content strategy,” he says. “So every three weeks, we block [off] one day. And we tell the engineers, hey, can you write a blog post about the exciting stuff that you have built in the last three weeks?… And so we get about 10 articles, and then we can publish them over the next [several] weeks. And we have a list of where we need to publish them, the communities that could be interested in each topic.”

Passion and People

Antoine advises early-stage entrepreneurs to develop a passion for their industry, which may be the only thing that sustains them during the difficult times ahead.

“I would say you have to be passionate about what you’re doing because… sometimes it’s gonna be super hard, and you have to know in advance that you are not going to drop your project,” he says. “So in order to not drop your project, you have to believe in it and to be passionate about it…. so you… don’t stop at the first problem you encounter.”

Tristan agrees. “I think being excited about the problem that you’re solving, about how to solve it, about who you’re solving it for, is really important,” he says, adding that it’s equally important to choose your team wisely – particularly your co-founders.

What’s Next for Escape

Tristan says that like many startups, the company’s next goal is faster growth. In particular, it wants to develop the ability to take on larger clients.

“We’re entering the scale phase right now with Escape, so there [is] a lot of stuff ongoing,” he says. “Especially when you are a startup and you start… trying to find out what your product is and what your audience is, then you have to reach larger companies, move towards mid-market and enterprise. That’s a whole different story which we’re going to hear about in the coming months, like Escape Becoming, going from a small startup to a company that has the power to address the need from larger enterprises.”
