The State of API Security in Financial Services Organizations in 2025

By: Michael Callahan, API security specialist at Salt Security

In 2025, application programming interfaces (APIs) remain the backbone of digital transformation in financial services, enabling development efficiencies, system integrations, and standardisation across platforms. The latest edition of the State of API Security looked at a snapshot of financial services organisations and how they use and manage APIs. With 69% of financial services organisations managing over 100 APIs, it is evident that APIs are essential for maintaining a competitive edge. However, API security remains a persistent challenge, with only 10% of financial services organisations reporting that they have an API posture governance strategy in place, a concerning statistic given the critical role of API security in protecting sensitive financial data and maintaining trust.

The Rapid Expansion of APIs and Security Implications

The financial sector has seen a dramatic rise in API adoption. Over half (52%) of organisations report a 50% or more increase in their APIs over the past year. This rapid expansion is driven by the need for improved development efficiencies, digital transformation, and seamless system integrations. However, this growth has come with significant security concerns for the sector:

  • One-fifth of financial services organizations have experienced an API security incident in the past year.
  • The majority (69%) have delayed the rollout of new applications due to API security concerns.
  • 31% have no process in place to discover APIs, leaving them vulnerable to shadow APIs and unknown attack surfaces.
  • Only 35% continuously monitor their APIs, while almost half (49%) monitor on a weekly or less frequent basis.

The Urgent Need for API Posture Governance

Despite financial services organizations claiming to have the most advanced API security strategies, with 55% saying they are at intermediate or advanced stages, only 10% say they have an API posture governance strategy. This gap indicates that while many organizations recognize the importance of API security, they lack a structured approach to consistently assess and enforce security policies, and therefore the ability to continuously mature their API security strategies.

API posture governance is crucial because it provides a framework to continuously discover and assess API risks, ensure compliance with security standards and enforce security policies and remediation in both development and production environments.

Without posture governance, financial services organizations are at risk of vulnerabilities, sensitive data exposure, and brute-force or credential-stuffing attacks, which happen to be the top three security problems found in production APIs according to the report.

API Security Challenges and the OWASP Top 10

The financial sector is acutely aware of API security risks, with 70% of organizations highlighting the OWASP Top 10 API security threats to their security teams—the highest of all industries. The OWASP Top 10 for API Security is a set of guidelines outlining the most critical security risks facing APIs, including broken authentication, excessive data exposure, and insufficient logging and monitoring.

While 55% of financial services organisations adhere to the OWASP Top 10 for API development and deployment, implementation gaps remain. The top concerns among financial services organisations regarding their API security programs include:

  • Inadequate protection for runtime and production environments.
  • Lack of sufficient observability and control.
  • Insufficient investment in pre-production security.

Budget Constraints and Security Tool Limitations

A key obstacle to implementing robust API security is budget limitations. While APIs continue to grow in number and complexity, over one-fifth (21%) of financial services organisations have not increased their API security budgets in the past year, even though budget constraints are cited as the number one barrier to optimal API security strategies.

Additionally, existing API security tools are falling short, with 69% of organisations stating that their current tools are only somewhat effective in preventing API attacks. Alarmingly, 62% still rely on developer documentation to determine which APIs expose sensitive data, underscoring the need for automated discovery and classification solutions.

The Call for Comprehensive API Posture Governance

Financial services organizations must bridge the gap between recognizing API security risks and implementing effective security measures. Despite claiming advanced API security strategies, the lack of API posture governance remains a significant issue. Establishing a governance strategy is essential to addressing security threats, enforcing security policies, and ensuring API security across the entire lifecycle.

With API adoption continuing to accelerate, financial services organizations must prioritise investment in comprehensive API security programs, improve observability and control, and enforce continuous monitoring and governance. Failure to do so risks financial and reputational damage, as well as compliance violations in an increasingly regulated landscape.
