In financial services, data is a primary raw material and a source of value to both providers and consumers. For many FinTech companies, their entire business models are built on the exchange of information.
For example, financial organizations collect and refine financial data and make it available to investors looking to buy stock or trade currencies. Companies such as Coinbase, Robinhood, and E-Trade utilize that investment data from third parties to make it available to their clients. APIs are at the heart of these important data exchanges.
How prominent are APIs?
APIs are increasingly the way FinTech business partners – internal or external – exchange and monetize data and services. APIs allow machine-to-machine data retrieval, essentially removing barriers and accelerating access to data. Nearly all applications today provide an API to integrate with other applications and data sources. Today's typical mobile app uses an average of 10 to 15 APIs to move meaningful data into and out of the app.
FinTech DevOps teams readily embrace APIs to produce applications rapidly. Those same APIs, however, are largely invisible to the security teams that must ensure rapid data exchange does not create unnecessary risk and negative exposure.
Since insecure APIs have led to very serious data breaches, FinTech security teams are right to question the vulnerabilities and threats posed by APIs.
For example, the mobile payment app Venmo exposed details of hundreds of millions of transactions through a poorly secured public API. In another case, an insecure Panera Bread API used by its mobile app exposed users' private details through a searchable endpoint that required no authentication. As a result, as many as 37 million records, containing customer personally identifiable information (PII) in plain text, were exposed.
DevOps and security teams agree that a data breach is completely untenable. Thus, designing and applying security across all APIs and applications is an essential function to protecting data and brand. There are important steps for automating a FinTech API security program without needing additional security staff.
The challenge of securing APIs
The first challenge in securing APIs is simply identifying all of them. A developer can create an API in a matter of minutes and publish it on the Internet, and can change that API as often as she wants. It's not unusual for a developer to change her API weekly or daily, and every change potentially introduces new risk.
Returning to the financial services company that sells data to stock brokers, suppose the developer made a change to her API that unintentionally let each broker see the client lists of the other brokers consuming data via the API. That would be a catastrophic breach – and it is precisely the type of API authorization flaw the US Postal Service suffered a year ago, where any authenticated user of its Informed Visibility API could query other users' account details.
APIs today are increasingly built on serverless infrastructure such as AWS Lambda, Azure Functions, and Google Cloud Functions. Traditional perimeter firewalls and host-based agents are a poor fit for this type of API: there is no long-lived host on which to install an agent, and a perimeter device sees only the traffic that happens to pass through it. Consider that a large FinTech organization might develop and/or use hundreds or even thousands of APIs, and the magnitude of securing every API becomes obvious. Manual oversight and enforcement are simply out of the question. Continuous automation of security assessments is the only scalable approach.
Every FinTech organization that creates or uses APIs needs an API security checklist that consists of the following three steps:
Step 1: Know what APIs are in use and what they are intended to do
Collecting FinTech API specifications is an important first step in understanding what APIs are intended to do. However, many APIs exist without any specification.
A service can help organize API specs, but it also needs to continuously monitor for and discover new APIs. It's common for a developer to document her API's spec initially; updating that documentation every time she makes a change is rare. The FinTech organization needs an automated tool that gathers this information, notes each time an API changes, and updates the API specification accordingly.
There are tools that can automate these various activities, including discovering new APIs and changes to existing APIs. These tools can also uncover other cloud resources and data services related to these APIs; enumerate API domains, functions, and associated methods; and generate a standards-based (Swagger 2.0, OpenAPI 3.x) spec if one does not exist.
Step 2: Analyze the APIs for security threats
The next step is to perform a security inspection on each API operation every time it changes. The security team needs to know: Is data encrypted in transit and at rest? Is proper authentication in place? What type of authorization policy is being applied? What is the API's level of availability? What kind of data sources does it access? Knowing each API's current security posture is critical if the organization wants to avoid a data breach.
This API analysis needs to take place continuously and at scale, since manual processes are ineffective for organizations using numerous APIs. Fortunately, there are tools and technologies that automate this inspection. The tools can also generate recommended changes for developers to remedy their respective API problems, and alert security personnel when there are discrepancies between the API specification and what the API actually does in operation.
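As an added illustration of Steps 1 and 2 (not the article's own tooling, nor any vendor's product), the following script inspects an OpenAPI 3 document the way an automated analysis would: it flags plaintext server URLs, operations with no effective authentication, unauthenticated operations that accept PII-like parameters (the Panera pattern), and operations seen in traffic but absent from the spec. The spec, the hostname `api.example.test`, the routes, and the "observed traffic" list are all constructed for the example; in practice the observed pairs would come from gateway or access logs.

```python
"""Spec-driven API inspection. Added example; assumptions are marked inline."""
import re

# Constructed OpenAPI 3 document for a fictional market-data vendor.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],      # weak: plaintext transport
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],                          # document-wide default
    "paths": {
        "/rates": {"get": {"security": []}},               # public by design
        "/accounts/{id}/statements": {"get": {}},          # inherits bearer default
        "/brokers/{id}/clients": {                         # opted out of auth, takes an email
            "get": {"security": [], "parameters": [{"name": "email", "in": "query"}]}
        },
    },
}

# Constructed (method, path-template) pairs, as if normalized from access logs.
OBSERVED = [
    ("GET", "/rates"),
    ("GET", "/accounts/{id}/statements"),
    ("GET", "/brokers/{id}/clients"),
    ("DELETE", "/accounts/{id}"),                          # never documented
]

PII_HINT = re.compile(r"(email|ssn|phone|dob|address)", re.I)
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def operations(spec):
    """Yield (METHOD, path, operation-object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method.upper(), path, op


def effective_security(spec, op):
    """OpenAPI rule: an operation-level 'security' overrides the top-level one,
    and an empty list explicitly means 'no authentication required'."""
    return op["security"] if "security" in op else spec.get("security", [])


def inspect_api(spec, observed):
    """Return a list of (finding_kind, detail) tuples."""
    findings = []
    for server in spec.get("servers", []):
        if not server["url"].startswith("https://"):
            findings.append(("PLAINTEXT_SERVER", server["url"]))

    documented = set()
    for method, path, op in operations(spec):
        documented.add((method, path))
        if not effective_security(spec, op):
            findings.append(("NO_AUTH", f"{method} {path}"))
            params = [p["name"] for p in op.get("parameters", [])]
            if any(PII_HINT.search(p) for p in params):
                findings.append(("PII_WITHOUT_AUTH", f"{method} {path} {params}"))

    # Spec-vs-reality drift: live operations with no specification at all.
    for method, path in observed:
        if (method, path) not in documented:
            findings.append(("UNDOCUMENTED", f"{method} {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in inspect_api(SPEC, OBSERVED):
        print(f"{kind:18} {detail}")
```

Note that `GET /rates` is reported as `NO_AUTH` even though it is public on purpose; that is intentional. An analysis tool should surface every unauthenticated operation and let the policy step (Step 3) record the public ones as explicit, reviewed exceptions rather than silently skipping them. The `UNDOCUMENTED` finding for `DELETE /accounts/{id}` is the spec-versus-operation discrepancy described above, and is the trigger for regenerating the spec.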
Step 3: Create and enforce security policies
If there's one aspect of creating a FinTech API security program that can be manual, it's policy creation. Automation, however, should be used to enforce the policy. A security policy for APIs should start with two primary questions: Who should be able to utilize the API? And what level of sensitivity, regulatory oversight, and/or privacy concern does the API carry? The answers to these questions form the basis for the security policy.
For example, a bank has an API that provides transaction statements for a specified account. That API has access to extremely sensitive and private information for each customer. One customer should never have access to another customer's account statements. Therefore, the authentication, authorization, encryption, and availability of that API would be set to the most restrictive security standards available to ensure data exposure is tightly controlled. Another API may provide the current interest rates of savings and money market accounts. This is data that can be shared with anyone interested in opening an account. In this case, the security restrictions would be relaxed to support a wide variety of systems, browsers, SDKs and apps and ensure this information is highly available.
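The bank example above, and the broker-client-list scenario earlier, both come down to enforcing a sensitivity policy at request time, and in particular to object-level authorization: a confidential route must check not only that the caller is logged in but that the caller owns the account being referenced. The following is an added example (not the bank's, the article's, or any vendor's code) showing a vulnerable handler that checks authentication only beside a hardened one that also checks ownership. It assumes the caller's identity (`principal`) has already been established from a validated token upstream; the account and statement data, the rates, and the route names are constructed for the example.

```python
"""Sensitivity-class policy enforcement with object-level authorization.
Added example; the principal is assumed to come from a token already validated
upstream, so token parsing is out of scope here."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    principal: Optional[str]   # customer id from a validated token, or None if anonymous

# Constructed sample data.
ACCOUNTS = {"acct-100": "alice", "acct-200": "bob"}                    # account -> owner
STATEMENTS = {"acct-100": ["2024-01: -42.00"], "acct-200": ["2024-01: +1000.00"]}
RATES = {"savings": "4.10%", "money_market": "4.35%"}

# Policy table, the manual part of Step 3: each route gets a sensitivity class.
# "confidential" => authenticated caller AND caller must own the referenced account.
# "public"       => anyone, including anonymous callers.
POLICY = {
    ("GET", "/accounts/{id}/statements"): "confidential",
    ("GET", "/rates"): "public",
}
STATEMENT_RE = re.compile(r"^/accounts/(?P<id>[^/]+)/statements$")


def match_route(req):
    """Map a concrete path to its policy key and path parameters, or (None, {})."""
    if req.path == "/rates":
        return (req.method, "/rates"), {}
    m = STATEMENT_RE.match(req.path)
    if m:
        return (req.method, "/accounts/{id}/statements"), {"id": m.group("id")}
    return None, {}


def handle_vulnerable(req):
    """Authentication-only check. Any logged-in customer can read any account by
    editing the id in the URL: the broker/USPS failure mode described above."""
    route, params = match_route(req)
    if route not in POLICY:
        return 404, None
    if POLICY[route] == "public":
        return 200, RATES
    if req.principal is None:
        return 401, None
    return 200, STATEMENTS.get(params["id"])        # no ownership check


def handle_hardened(req):
    """Same routing, but confidential routes enforce object-level authorization."""
    route, params = match_route(req)
    if route not in POLICY:
        return 404, None
    if POLICY[route] == "public":
        return 200, RATES
    if req.principal is None:
        return 401, None
    # Ownership check. An unknown account also yields 403, so the response does
    # not reveal whether the account exists.
    if ACCOUNTS.get(params["id"]) != req.principal:
        return 403, None
    return 200, STATEMENTS[params["id"]]


if __name__ == "__main__":
    probe = Request("GET", "/accounts/acct-200/statements", "alice")  # alice asks for bob's
    print("vulnerable:", handle_vulnerable(probe))
    print("hardened:  ", handle_hardened(probe))
```

The policy table is deliberately data rather than code: the sensitivity classification is the part the article says can stay manual, while the enforcement in `handle_hardened` is uniform and automated for every route. Adding a new confidential route means adding a row, not writing a new check, which is what keeps a developer's weekly API change from silently dropping the ownership test.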
Automation is key
FinTech security teams are notoriously overworked and short-staffed. Worldwide, there's a dire shortage of skilled security professionals, so adding staff to build and execute the API security program isn't practical. Bringing in consultants is expensive. Automation through tools and technology is the sensible approach.
Automation provides the benefits of saving time and money when it comes to executing the three steps outlined above. What’s more, an automated program provides consistency in the repetitive tasks necessary to discover, document and analyze APIs in use, and enforce corporate policies to control risk.
APIs are critically important to modern FinTech applications. DevOps people heartily embrace them, and security teams can learn their value once they understand how a robust and continuous API security program will benefit their organization.
Doug Dooley is the Chief Operating Officer of Data Theorem. He heads up product strategy, marketing, sales, and customer success teams. Before joining Data Theorem, Dooley worked in venture capital leading investments in cloud-centric security, machine-learning, and infrastructure startups for Venrock. While at Venrock, Dooley served on the boards of Evident.io (Palo Alto Networks), Niara (HPE), and VeloCloud (VMware).