The Importance of Defending APIs Across the Finance Industry

By: Stephanie Best, director of product marketing at Salt Security


In today’s digital economy, application programming interfaces (APIs) have become essential for businesses across various sectors, not just limited to software and high-tech companies. APIs enable seamless and accelerated services, meeting customer expectations and giving financial institutions a competitive edge. However, as API usage has increased, so has the need for API security. According to the latest Salt Security State of API Security report, business leaders now consider API security a crucial business topic, with nearly half of businesses recognising it as a C-level discussion.

Financial organisations are no exception to the growing demand for digital growth. Research suggests that 89% of banks already leverage APIs as part of their business strategy, providing value and convenience to customers. Yet balance is key: organisations must meet customer expectations while adequately protecting the APIs that drive their new digital services. Defending against API attacks can be challenging, however, especially for security teams that are already overstretched, understaffed, and short of budget.

Grasping the API Attack Problem

As the C-suite acknowledges, the importance of API security, especially in highly regulated industries like financial services, cannot be ignored. Worryingly, attackers do not necessarily need advanced technical skills to exploit APIs, because APIs are easily manipulated. They are also designed to pass data, including highly sensitive information, which makes them attractive targets. And they require constant updating, which is a problem when teams are already overstretched. The ease of attacking APIs is demonstrated by incidents like the Optus breach, in which at least 2.1m of the Australian telco’s account holders had at least one form of ID exposed. Unauthenticated API endpoints were thought to be the root cause of the breach.

API usage across the finance industry is complicated. Banks tend to use APIs in three ways: internally, externally, and publicly. Survey data reveals that roughly three-quarters of banking APIs are used for internal purposes (with banks planning to double this number by 2025). One in five banking APIs are considered “external” and are used to support integration with business partners. The remaining 5% are thought to be “public”, used by external developers for open banking purposes. This means there are a lot of APIs to secure, each with different security requirements.

The Problem of Traditional Tools

Attackers have become more sophisticated in the ways they carry out API attacks, and traditional security tools like Web Application Firewalls (WAFs) and API gateways struggle to keep up. These tools were not designed to detect and defend against modern API attacks effectively. WAF alerts are considered relatively ineffective for API security because they can only identify well-known attacks like SQL injection (SQLi), cross-site scripting (XSS), and JSON injection through proxy architectures, while API gateways rely on traditional protections such as encryption, authentication, authorisation, and rate limiting. Analysing log files is time-consuming and depends heavily on overworked cybersecurity teams, giving attackers ample time to exploit vulnerabilities.

Additionally, traditional tools cannot consider context over time, leading to a binary good/bad verdict that does not address the intricacies inherent in the low-and-slow nature of API attacks. They are unable to detect unusual patterns of activity or identify potential threats hidden within complex chains of events. Shadow APIs, for instance, often go unnoticed by traditional tools. To overcome these limitations, organisations need to invest in tools that can monitor and analyse large amounts of traffic in both production and runtime environments. Such tools can also identify attacks from seemingly legitimate users who have maliciously obtained proper authentication, which account for up to 78% of attacks according to Salt Labs.

Taking a Modern Approach to API Security

Implementing a strong API security strategy starts with understanding the APIs within an organisation’s environment. Many companies are unaware of the number of APIs they are using, as documentation becomes challenging to keep up with due to frequent updates and changes. Establishing an accurate inventory of all APIs is crucial. Once the API landscape is clear, security teams can focus on actively attacked APIs and adopt threat prevention measures. Understanding patterns of activity is essential to distinguish between legitimate traffic and potential threats, avoiding unnecessary disruption to the customer experience.

To anticipate future threats, organisations should conduct pre-production security testing alongside drift analysis. By comparing existing documentation with expected results, businesses can proactively protect themselves from emerging threats. Leveraging insights from actual attack activity can also help organisations fortify their APIs, effectively turning attackers into penetration testers.
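As an added illustration of the inventory and drift-analysis steps described above (example code written for this article, not a Salt Security product or tool), the script below compares a constructed, OpenAPI-style description of a hypothetical banking API against constructed observed requests, and reports shadow endpoints, undocumented parameters, and unauthenticated calls to routes the documentation says require authentication:

```python
"""Drift analysis: documented API inventory versus observed traffic (constructed example)."""

# Constructed documentation for a hypothetical banking API: (method, path template)
# -> the parameters the docs describe and whether the route requires authentication.
DOCUMENTED_SPEC = {
    ("GET", "/v1/accounts/{id}"): {"params": {"id"}, "auth": True},
    ("POST", "/v1/transfers"): {"params": {"from", "to", "amount"}, "auth": True},
}

# Constructed observed requests, in the shape a gateway-log or traffic-capture export might give.
OBSERVED_TRAFFIC = [
    {"method": "GET", "path": "/v1/accounts/1001", "params": {"id"}, "authenticated": True},
    {"method": "GET", "path": "/v1/accounts/1002", "params": {"id", "include_ssn"}, "authenticated": True},
    {"method": "POST", "path": "/v1/transfers", "params": {"from", "to", "amount"}, "authenticated": True},
    {"method": "GET", "path": "/v1/accounts/1003/export", "params": set(), "authenticated": False},
]


def match_route(method, path, spec):
    """Return the documented (method, template) a request matches, or None if undocumented.

    A "{name}" segment in the template matches any single path segment.
    """
    segs = path.strip("/").split("/")
    for (doc_method, template) in spec:
        tsegs = template.strip("/").split("/")
        if doc_method != method or len(tsegs) != len(segs):
            continue
        if all(t.startswith("{") or t == s for t, s in zip(tsegs, segs)):
            return (doc_method, template)
    return None


def drift_report(spec, traffic):
    """Compare observed requests with the documented inventory and list drift findings."""
    findings = []
    for req in traffic:
        route = match_route(req["method"], req["path"], spec)
        if route is None:
            # Endpoint not in the documentation: a shadow API candidate.
            findings.append(("shadow_endpoint", req["method"], req["path"], req["authenticated"]))
            continue
        extra = req["params"] - spec[route]["params"]
        if extra:
            findings.append(("undocumented_param", route[1], sorted(extra)))
        if spec[route]["auth"] and not req["authenticated"]:
            findings.append(("unauthenticated_call", route[1]))
    return findings


if __name__ == "__main__":
    for finding in drift_report(DOCUMENTED_SPEC, OBSERVED_TRAFFIC):
        print(finding)
```

Running the script on the constructed data reports the undocumented `include_ssn` parameter on the accounts route and the undocumented, unauthenticated `/v1/accounts/{id}/export` endpoint, the kind of drift an inventory refresh and a follow-up review would then address.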

API Security: An Ongoing Exercise

API security is an ongoing battle and should be treated as a continuous programme rather than a one-time exercise. APIs have lengthy lifecycles, requiring constant monitoring and protection against evolving threats. As businesses and customers in financial services demand more data and digital capabilities, decision-makers must recognise the significance of API security. With proper API visibility and security measures in place, both customers and businesses can remain protected and operational in the face of emerging risks.
