API Security is a hot topic today and for good reason. If we think about it, most financial services organizations have become more like technology companies. They are constantly pressured to innovate, to keep pace with FinTechs who are pushing the bar at addressing digital customer demands—or even partnering with them. The resulting evolved financial services ecosystem, which incorporates FinTechs via APIs, has led to significant growth in the open finance movement. This makes financial services institutions more dependent on APIs than ever to make their business run.
Not surprisingly, as banks have realized the importance of APIs, so have attackers. Business-critical APIs are targeted constantly by attackers, who realize that they stand to profit or otherwise benefit from exploiting, abusing, and/or compromising APIs. At the same time, the attack surface has broadened significantly in recent years. This is largely due to the increased complexity and increased difficulty in managing hybrid and multi-cloud environments that has overtaken the industry. All of this creates significant business impacts in the form of large-scale data breaches, compliance issues, and regulatory fines.
The news is not all bad, of course. When financial services organizations work with a trusted partner, they can better protect themselves against threats to their APIs. Let’s have a look at five areas in which the right trusted partner can help improve API security.
- Development: Development teams face a tough challenge. On the one hand, they face strict deadlines to develop the required functionality and make it work. On the other hand, they develop APIs against requirements defined by the security team. Yet, there is no real way to enforce those requirements or check them in any way. Sure, code can be audited and reviewed, but this is a tedious and time-consuming process that is prone to human error and oversights. It is also a process that most often takes a backseat to other red-hot priorities. Developers usually significantly outnumber security professionals in most businesses, which creates a scale problem. As a result, bugs, oversights, and vulnerabilities get through the development process and find their way into production APIs. Only automation can help scale security controls, keeping the security team from standing in the way and slowing down the business-required pace. Working with a trusted partner to automatically enforce schemas, standards, and policies is a better way.
- Access Control: Believe it or not, controlling who has what access to APIs is still a challenge. If you consider the complexity of modern businesses, this may not be so hard to believe. Most businesses have two or more cloud providers, plus on-premises and/or data center environments. Generally, multiple teams are required to manage the networking, technology, development, and security stacks at each of these disparate locations. Thus, it is not surprising that controlling (and monitoring) access to APIs has become a serious challenge. In fact, four of the 2023 OWASP API Security Top 10 are authentication/authorization related. The right trusted provider can help bring simplicity to the complexity and calm to the overwhelmed. This allows the business to fully focus on operating, maintaining, and securing those environments, including proper access control.
- Rogue APIs: Sometimes, formal processes take their due time and developers stand up new infrastructure and endpoints to meet a development deadline. Or, perhaps infrastructure and endpoints slipped through the cracks and were never properly inventoried, managed, monitored, and secured. Regardless of why, rogue APIs are out there. When an API is not known, it cannot be inventoried, managed, monitored, and secured. A good, trusted partner will help the business not only detect unknown APIs but also secure them.
- WAF Not Enough: There is no doubt that web application firewalls (WAFs) are an essential element in a security stack. WAFs provide important protection against a wide variety of threats. But they were never intended to be a stop-all for every variety of attack thrown at APIs daily. Further, APIs are evolving rapidly, which means that they take on entirely new classes of vulnerabilities that security controls may be blind to. No trusted partner’s offering is complete unless they deliver, on top of and integrated with WAF, sophisticated capabilities to identify and mitigate API vulnerabilities.
- Sophisticated Attacks: Gone are the days where applications were targeted by known, common attacks. Sophisticated attackers launch sophisticated attacks—namely those that fly under the radar to expose sensitive business flows, extract data, cause fraud, take applications down, and ruin reputations. This includes both manual attacks and automated (bot) attacks. Identifying, detecting, and mitigating these sophisticated types of attacks require specialized know-how. Defense against the most sophisticated attacks should be part of the API security offering of any trusted partner.
This is not an exhaustive list, of course. Each financial services organization should review its risk register to understand which risks and threats are likely to have the greatest impact on the business. Those that are likely to have a more severe impact can be given a higher priority. It is important to note, however, that many leaders may not know how to most effectively assess the true extent of API security risk. This makes working with the right partner all the more important. Risks related to API security should, ideally, be fairly high on the list, which makes them a priority topic that merits investment. This includes working with the right partner that understands the importance of API security and brings with them the right solutions.
For more, please visit Cybersecurity for Banking and Financial Services.