APIs: The vulnerable attack surface forming banking’s Achilles’ heel

Richard Meeus is Akamai’s EMEA Director of Security Technology and Strategy.

Application Programming Interfaces (APIs) are an essential component of the modern internet, acting as intermediaries for so many of the activities we conduct on a daily basis through cloud, IoT and many other platforms. For financial services providers, they offer a wealth of possibilities for banks to connect data with third parties and open up their customers to a broad range of services by scaling their B2C or B2B applications.

However, the vulnerabilities of APIs from a cybersecurity perspective are becoming increasingly apparent. With high value financial data being disseminated via APIs, the implications of a breach can be incredibly severe, both financially and reputationally. Our State of the Internet Report found that almost half (48%) of organizations were pushing vulnerable code regularly. There is a genuine risk of APIs being treated as a security afterthought, with lessons from the past simply not being carried forward. Twenty years ago, many websites had obvious, hackable vulnerabilities that were often caused by developer assumptions about how users would interact with them. It is important that this type of insouciance is not carried forward.


With the cocktail of a prolific threat landscape and a less unified understanding of APIs as an attack surface, now is the time for financial services providers to place API security at the centre of their overall cybersecurity posture and afford the same level of protection for APIs that they would for other aspects of network security.


Tracking and Testing: It’s not just for pandemics

As is so often the case when forming a defence against cybersecurity vulnerabilities, the logical starting point for API protection is to ensure that you have identified every individual API you utilise within your network and what each one is used for. Due to the prolific use of APIs, it is important to have a holistic view of how both internal and external APIs are used within your company, and to track each one as you would an inventory item. All too often security teams are undone by issues related to APIs that simply weren’t recorded, even if the vast majority were identified and protected. Although APIs may be tracked as individual entities, when it comes time to develop security policies for them, it is beneficial to leverage methodologies used to protect websites and build comprehensive policies that can be used across multiple endpoints, rather than designing each one from scratch. Moreover, positive security models can be deployed when the precise method of interaction is known. Doing so can avoid complexity and burden for security personnel.
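The two ideas above, an inventory of every known endpoint and a positive security model that permits only the documented method of interaction, can be demonstrated in a small request validator. The following is an added example written for this article, not code from Akamai or from any bank; the endpoint paths, field names, header names and sample requests are constructed, and the policy format is a hypothetical one chosen for illustration. Shared rules (the required headers) are declared once and applied to every endpoint, each endpoint declares only what it accepts, and anything not in the inventory is denied by default, which is how an unrecorded API surfaces as a finding rather than as a blind spot.

```python
"""Positive-security (allowlist) validation of API requests against an
endpoint inventory. Added example with constructed data; not Akamai's code."""
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EndpointPolicy:
    """Allowlist for one catalogued endpoint: anything not listed here is denied."""
    method: str
    path: str
    body_fields: dict = field(default_factory=dict)   # JSON field -> expected Python type
    required_fields: frozenset = frozenset()
    query_params: frozenset = frozenset()
    max_body_bytes: int = 2048


# Rules shared by every endpoint, written once rather than per policy (hypothetical header names).
COMMON_REQUIRED_HEADERS = frozenset({"authorization", "x-request-id"})

# The API inventory: every endpoint the organisation knows about, keyed by (method, path).
INVENTORY = {
    ("POST", "/v1/payments"): EndpointPolicy(
        method="POST", path="/v1/payments",
        body_fields={"from_account": str, "to_account": str, "amount_minor": int, "currency": str},
        required_fields=frozenset({"from_account", "to_account", "amount_minor", "currency"}),
    ),
    ("GET", "/v1/accounts/balance"): EndpointPolicy(
        method="GET", path="/v1/accounts/balance",
        query_params=frozenset({"account_id"}),
    ),
}


def validate_request(request: dict, inventory: dict = INVENTORY) -> list:
    """Return the list of policy violations; an empty list means the request is permitted."""
    violations = []
    policy = inventory.get((request["method"], request["path"]))
    if policy is None:
        # Default deny: an endpoint that was never catalogued is never served.
        return [f"untracked endpoint {request['method']} {request['path']}"]

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for name in sorted(COMMON_REQUIRED_HEADERS):
        if name not in headers:
            violations.append(f"missing header {name}")

    unknown_query = set(request.get("query", {})) - policy.query_params
    if unknown_query:
        violations.append(f"unexpected query parameters {sorted(unknown_query)}")

    raw_body = request.get("body", "")
    if len(raw_body.encode()) > policy.max_body_bytes:
        return violations + ["body exceeds size limit"]

    if policy.body_fields:
        try:
            body = json.loads(raw_body) if raw_body else {}
        except json.JSONDecodeError:
            return violations + ["body is not valid JSON"]
        if not isinstance(body, dict):
            return violations + ["body must be a JSON object"]
        for name in sorted(policy.required_fields - set(body)):
            violations.append(f"missing required field {name}")
        for name, value in body.items():
            expected = policy.body_fields.get(name)
            if expected is None:
                # Unknown fields are rejected, not silently ignored.
                violations.append(f"unexpected field {name}")
            elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
                violations.append(f"field {name} has wrong type")
    elif raw_body:
        violations.append("body not permitted on this endpoint")
    return violations


# Constructed sample requests (not real traffic).
GOOD_HEADERS = {"Authorization": "Bearer <token>", "X-Request-Id": "req-0001"}
GOOD_PAYMENT = {
    "method": "POST", "path": "/v1/payments", "headers": GOOD_HEADERS,
    "body": json.dumps({"from_account": "ACC-1", "to_account": "ACC-2",
                        "amount_minor": 1500, "currency": "GBP"}),
}
EXTRA_FIELD = {
    "method": "POST", "path": "/v1/payments", "headers": GOOD_HEADERS,
    "body": json.dumps({"from_account": "ACC-1", "to_account": "ACC-2",
                        "amount_minor": 1500, "currency": "GBP", "fee_waived": True}),
}
WRONG_TYPE = {
    "method": "POST", "path": "/v1/payments", "headers": GOOD_HEADERS,
    "body": json.dumps({"from_account": "ACC-1", "to_account": "ACC-2",
                        "amount_minor": "1500", "currency": "GBP"}),
}
EXTRA_QUERY = {
    "method": "GET", "path": "/v1/accounts/balance", "headers": GOOD_HEADERS,
    "query": {"account_id": "ACC-1", "include_limit": "1"},
}
UNTRACKED = {"method": "DELETE", "path": "/v1/accounts/ACC-1", "headers": GOOD_HEADERS}

if __name__ == "__main__":
    for label, req in [("good", GOOD_PAYMENT), ("extra field", EXTRA_FIELD),
                       ("wrong type", WRONG_TYPE), ("extra query", EXTRA_QUERY),
                       ("untracked", UNTRACKED)]:
        print(f"{label:12} -> {validate_request(req) or 'permitted'}")
```

The untracked request is the case the paragraph warns about: because the policy starts from the inventory rather than from the traffic, a `DELETE` on a path nobody recorded is rejected and logged instead of being passed through to whatever happens to answer it.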

Once your API portfolio has been catalogued, the second component is to conduct rigorous testing to assess any weaknesses. Key to this process is collaboration with your DevOps teams and existing security groups. Referring back to our finding that almost half of organisations were in fact pushing harmful code with regularity, it becomes even more concerning given 54% of that group cited ‘critical deadlines’ as the main reason for this. Of course, there is often a need to balance security with business priorities when establishing whether code should be patched to cover frailties before or after release. Considering these statistics, there is clearly more scope for CSOs and developers to agree upon risk tolerance for coding output beforehand to avoid unnecessary risks and retroactive breach management.


Stay in the know on security best practices

As dangerous as API vulnerabilities can be, they are still part of the wider world of related attack vectors that teams must consider and guard against. There are many learnings and techniques which can be borrowed from existing Web Application Firewall (WAF) infrastructure. Due to the proliferation of malicious access attempts, you should consider whether you are employing all the necessary risk mitigation tools within your security posture.

With the myriad benefits that APIs can provide for connectivity to vital financial services, performance for customers at the edge and overall exchange of data insight, protecting APIs from vulnerability must now be top of mind for FS providers. By baking API security into your overall strategy, you can continue to leverage these positives, whilst seriously curbing the power of would-be attackers.

