News

4 Ways to Keep Your APIs Safe

September 30, 2021

API Banking isn’t without risk. Check out four ways you can protect your bank’s reputation and integrity without missing out on the joy of APIs…

Critical Software Image

API Banking: the building blocks of a financial future where customers can integrate accounts, take advantage of a range of services from a single portal, and communicate with their bank via a host of different channels. 


But, from security to usability and everything in between, API Banking comes with risk. Learn four ways you can overcome this risk and perfect your adoption of API Banking in our handy checklist below.



1: Check your security… 


Clearly, the first step should be to make sure your API infrastructure is secure and that this security is up-to-date. Incumbent banks often fall for the misapprehension that their existing digital security systems are sufficient in the dynamic world of API Banking. For many, this complacency can be disastrous, with their in-house API development teams struggling to both understand and keep on top of the regulatory requirements of APIs and implementing these in the bank’s infrastructure. 


Here are just some ways in which your APIs could be open to cyber vulnerabilities:

  • Not using APIs over encrypted channels (HTTPS). API calls over plain HTTP are not secure and could easily be impersonated or modified by a third party.
  • Ineffective secrets management - allowing threat actors to discover an API key and perform any action authorised to that key.
  • Weak input validation, allowing the threat actor to insert arbitrary parameters into API methods and queries.
  • Error messages revealing clues to a potential adversary.
  • Not protecting against denial of service (DoS) by neglecting throttling/rate-limiting, making your API vulnerable to DoS bombardment.

Combating these threats is made even more difficult by the fact that most standards in this area are constantly evolving to accommodate the rapid adoption and implementation of APIs between banks and third-party providers. A 2020 F5 Labs report showed that over 50% of unintended, API Banking-related data disclosures were caused by authentication and authorisation issues.  


One way to avoid being left behind the curve is to use open standards religiously. Standards like OAuth and their correct application are key to preventing data breaches, which naturally carry both financial and reputational costs. Additionally, it is vital to continuously assess and test API security based on known application security standards, such as the OWASP API Security Top 10



2: …And your partner’s, too


The lack of resources to deal with API Banking security in-house has meant that incumbent banks are looking further afield for support and guidance. While this has its benefits (for example, by plugging knowledge gaps within incumbents and reducing project costs), working with a partner also comes with its fair share of risks. Is your partner properly certified? Are they able to address the ‘bespoke’ challenges that API Banking often throws up? 


Practise due diligence and ensure your partner has the skills and the certifications for carrying out API work. This could simply mean asking a potential partner about their credentials or performing more regular vulnerability assessments and security audits. It is also good practice to compile a policy on API Banking partnerships, ensuring that security is at the forefront of your work together.  



3: Automate, automate, automate 


By virtue of the fact that APIs are constantly changing, there is little use in using a manual process to assess and manage your API Banking security. Automation is vital – in shedloads. 


Incumbents have started to take advantage of API management tools with built-in, ‘always-on’, and automated security features. The standards making up this process are applied across stakeholders involved in the API, meaning both the bank itself and any third parties it is working with are covered in terms of regulatory compliance. Open-source security platforms like OWASP ZAP provide automated testing for REST APIs (the standard APIs used in financial services), creating real-life scenarios through which the API’s vulnerabilities could be exploited. Integrating these security platforms into your Continuous Delivery processes and tools, allow continuously visibility and remediation of API security issues.



4: Become a pro at proactivity


It’s vital that incumbents be the ‘pro’ in ‘proactivity when dealing with API Banking security. This includes embedding security from day one into API development. As an example, you should not only build authentication and authorisation processes, but also create a single interface through which authentications and authorisations can be logged and referred to if needed. 


This is all essential in adopting a Security by Design approach, where systems are developed with cyber security front-and-centre of one’s mind. This can be done by implementing more centralisation. Using a centralised API gateway, for instance, means more control over potential data breaches and gives banks the opportunity to resolve them in a timely fashion. The gateway in itself possesses benefits too, mitigating the impact of public-facing API endpoint cyber attacks. 


Now you know how to be API Banking-secure, it’s time to fulfil your potential. Check out our free white paper on API Banking here


Got any questions? Get in touch! With our experience in API Banking and security certification, we’d be only too happy to help.