Guard against API vulnerabilities with strong security practices

To start, financial institutions must include risk assessment and threat modeling as part of their software development lifecycle.

With the rise in attacks on Application Programming Interfaces, how can banks, credit unions and fintechs deliver secure APIs?

All APIs consist of the software interface contract, the implementation and the deployment. The implementation and deployment are where most security vulnerabilities arise. For example, one financial institution’s implementation of the Financial Data Exchange API may be secure, whereas another institution’s offering of the same API may have serious security vulnerabilities. By incorporating security in design, teams can contribute significantly to secure delivery.

Financial institutions and fintechs can be proactive about security by adopting several key practices to ensure both secure API designs and secure implementations.

Sign up for the free BAI Banking Strategies newsletter and get industry insights delivered to your inbox.

As a first critical practice, API development must shift security left by considering security earlier in the software development lifecycle. Software and process security must be a primary non-functional requirement, and the team’s API governance model should include risk assessment and threat modeling of all new features.

Being able to recognize API security vulnerabilities and knowing how to act is another important practice. Teams should be thoroughly familiar with the OWASP API Security Top 10. Awareness of how security vulnerabilities manifest – and how hackers exploit them – allows teams to build security into their API offerings. Below are some examples of these safeguards.

Ensure every API operation uses proper authentication

Broken object level authorization and broken user authorization are the most common errors in API services, and can lead to errors such as letting one user download all customers’ records and personal data. Always ensure the API operations require proper authentication and results only include data the caller is authorized for.

Use strong software to validate all data sent to APIs

Letting invalid data into a system can lead to data exposures or data corruption. A good practice is to enforce such validation automatically, so the engineering team does not have to manually code validation for every API operation’s request body, query parameters and request headers. An automated process helps ensure developers can’t accidentally omit validation. Define the API’s constraints through strict JSON Schema and other declarative methods (available when defining an API with the OpenAPI specification). This enables a more secure development lifecycle, including automatic code generation to validate input data more strictly.

Protect against automated attacks

Consider third-party solutions and infrastructure services that protect against denial-of-service, credit card/credential stuffing and other attacks. This field is still growing, but several mature offerings exist.

Security testing may appear like another obvious step, but shifting testing left will improve the security posture as well. Proactively looking for exploits or gaps early in the software development process is much more effective than reactively addressing a security breach in a production system. By generating contract tests from the API definition, you can detect common issues like missing input validation or injection vulnerabilities.

It is important to adequately fund the API security practice. Ultimately, an executive leadership team has responsibility for establishing security as a priority and “paying” for security up front. They should assign responsibility for API security to, for example, the chief information security officer or an API security architect. Someone at your organization must have the authority and funding to create and execute (train, build, staff, equip, maintain) the API security strategy.

Ongoing education is paramount. Provide routine training on API security and general cybersecurity issues not just to the engineering team, but to the business analysts and product team (remember: “shift left”). Continually monitor industry resources to stay on top.

Engineering teams should employ tools to scan API designs for common vulnerabilities such as weak input validation. Organizations should also join groups and attend conferences where API security is discussed in depth. Learn from your peers, build the community and maybe even contribute back.

David Biesack is chief API officer at Apiture.