As enterprises depend on APIs more than ever before, attackers are capitalising on them as their latest attack vector. Gartner predicted that this year API abuses would become the most frequent attack vector, resulting in data breaches for enterprise web applications. This is a particular concern in the financial services and fintech space, where the data exposed through APIs is highly sensitive.
Cameron Galbraith is a Director of Product Marketing at Noname Security, an API security software company. Prior to Noname Security, Galbraith established and built high-performing teams at innovative, mission-critical software providers serving customers in critical infrastructure sectors, including state and local government, telecommunications, utilities, supply chain and logistics, and financial services. He is a graduate with honours from the University of California, Irvine.
Speaking to The Fintech Times, Galbraith explains how fintechs have become increasingly reliant on APIs and how they can best manage the risks that come with them:
Software Supply Chains: Convergence Unlocks Opportunities
The software supply chain is a fundamental part of the modern application development lifecycle, which has enabled the digital transformation of entire industries. Over the years, developers have increasingly connected and integrated their key applications and services within the software supply chain to automate routine processes, innovate faster, and improve the end-user experience. This convergence of applications, services, and developer teams – which are increasingly remote and must collaborate across markets and time zones – has only been possible because of application programming interfaces (APIs).
In the fintech industry, “open banking” has propelled the ubiquitous use of APIs across banking. According to a recent report, banks around the world are embracing open banking to meet customer demands, and more are offering APIs. Between 2020 and 2021, APIs offered per bank increased 17 per cent and one-quarter of banks and credit unions plan to invest in or develop APIs in 2022.
As the digital intermediary between applications and the environments they run in, APIs play a critical role in the software supply chain, acting as the connection between fintechs and financial services firms. The effort to attract new customers and keep existing ones by delivering additional value has created more application services and the APIs that support them. Whether pursued as a compliance requirement or a business strategy, open banking has prompted financial services firms to focus on APIs and, importantly, on API security.
The Rapidly Growing Need For API Security
With the software supply chain, the fintech industry, and APIs increasingly being prime targets for attackers, fintech organisations need to prioritise fixing growing API vulnerabilities. To do this, it’s important to understand 1) how the role of APIs in the software supply chain has evolved and 2) the most prominent risks that exist within the fintech industry as a result of APIs.
The software supply chain has undergone many changes in how users access the data sources and applications they need. Before APIs became the norm, sharing information between applications meant traversing multiple layers of servers just to reach the data, and the organisation consuming that data was responsible for securing it, even when data security was not part of its core business.
That changed with cloud computing: an organisation was no longer the sole custodian of its data, and a shared-responsibility model for protecting it emerged alongside the cloud.
APIs have matured from a tool in an SDK to an ecosystem of APIs connected to each other. This facilitated a number of changes in the software supply chain, including:
- Offering communication with data and processes in a more uniform manner.
- Eliminating the space between the data and the user, speeding up processes and improving user experience.
- Providing more documentation transparency, which improves overall security risk assessment and offers new levels of agility.
Before serverless and API-driven architectures, the paths to data were fewer and easier to reason about, even though lateral movement inside a network was still a concern. APIs introduce many more connections and intermediate nodes on the way to the data itself, which makes them an appealing attack vector. Once attackers gain a foothold in this space, they can lie low and wait for the opportune moment to act undetected. There are more access points and more opportunities for credential compromise, and perimeter controls such as network segmentation and VPNs offer less protection than they once did.
Innovating Without Compromise: How To Securely Develop APIs
With the fintech industry, APIs, and the software supply chain emerging as top attack vectors, organisations need to take a proactive approach to securing APIs. The first step is building a complete inventory of all APIs, including data classification and configuration details. Today, one of the main challenges in securing APIs is that most organisations have thousands of APIs they don’t know about. Existing infrastructure, such as API gateways and WAFs, doesn’t solve this “shadow API” problem, because it only sees the traffic it is configured to front. And businesses continue to deploy APIs with solutions that don’t fully address modern threats and vulnerabilities.
After identifying and inventorying all APIs, they should be analysed for anomalies, changes, and misconfigurations. Leveraging artificial intelligence (AI) and machine learning (ML) for automated behaviour analysis helps to identify issues in real time and prioritise them for review by security teams. Once anomalies and misconfigurations are detected, organisations should block API attacks in real time and integrate findings with existing remediation workflows and security infrastructure. The final step is actively testing APIs to validate their integrity before and after they are deployed to production, especially as the environment evolves through regular code releases or continuous integration/continuous delivery (CI/CD) deployments.
This last step is particularly important for the fintech industry, as many organisations have outsourced their API and mobile app development to third parties, many of which reuse the same code, vulnerabilities included, across their other bank customers. API security needs to be operationalised across more enterprises so that vulnerabilities are detected and remediated before an attack. It’s not the responsibility of a single team: developers, DevOps, DevSecOps, and security teams need to standardise, collaborate, and communicate how they build, deploy, and secure APIs.
The use of APIs in the software supply chain is only going to continue to grow. For financial institutions, this means improved efficiencies and new opportunities to innovate; however, it’s important to remember that customers gain access to an organisation through APIs. And if customers have access through APIs, so do threat actors. Implementing a comprehensive software supply chain API security solution helps security teams understand the current security posture, secure traffic in real-time with runtime protection, and equip developers with the tools to test and secure APIs before they ever make it to production.
About Noname Security
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20 per cent of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and Secure API SDLC. Noname Security is privately held, remote-first with headquarters in Palo Alto, California, and offices in Tel Aviv and Amsterdam.
Cameron Galbraith, Director of Product Marketing: https://www.linkedin.com/in/camerongalbraith/