Application programming interfaces (APIs) continue to pose significant security risks to all businesses. High-profile security breaches are happening constantly, and nearly all of them trace back to an API as the point of entry.
According to The API Security Disconnect 2023, 78% of cybersecurity professionals say they have experienced an API security incident in the last 12 months.
Twitter (now X) fell victim to an API breach in 2021 that exposed the private information of 5.4 million of its users. The following year, Dropbox experienced a breach as the result of a phishing scam, in which hackers gained access to its GitHub internal code repositories, as well as customer and employee information.
Countless other examples of API-enabled data breaches and cyberattacks just like these exist. These types of incidents will continue to dominate headlines and create financial and reputational damage for organizations until they sufficiently address API security. Organizations are accumulating financial assets with more sensitive information by the day, and robust API security plays a critical function in keeping it safe.
Thankfully, companies have taken notice, and API security is more of a priority than it was a year ago for many security professionals and IT decision-makers. Many view API security as a key business enabler.
This recognition and heightened awareness come at an opportune time. API security incidents are increasing year-over-year across many key industries, including healthcare, financial services, retail and ecommerce, and the government and public sector. This raises the question: What are the effects of this rise in API-related security incidents? The report found that it is causing problems like customer churn, loss of productivity, and incurred fees.
Let’s explore what makes securing APIs challenging, as well as tips and strategies any business can implement to better protect its banking data.
API Security: An ongoing Challenge
It’s no secret that modern enterprises heavily rely on APIs; they’ve become indispensable. In fact, API traffic now represents more than 80% of the current internet traffic. APIs serve as intermediaries, facilitating interactions between software components, whether within the same application, on the same device, or over a network. Unfortunately, APIs also act as both gateways and getaway cars for hackers aiming to steal private information, including critical corporate data.
Safeguarding APIs is challenging due to their pervasiveness. Data from 451 Research revealed that companies have an average of 15,564 APIs in use at any given time. For large enterprises with more than 10,000 employees, that number jumps to a staggering 25,592 APIs. Attack surfaces have expanded dramatically in recent years due to factors like digital transformation initiatives, the internet of things (IoT), and the shift towards remote work. As a result, most organizations are simply unaware of the extent of their APIs
Safeguarding Financial Data from API-Related Threats
- Close the API gap with real-time testing
One effective strategy to bolster API security is to ensure that APIs are secure from the outset. Most API defects—including security issues—are introduced during development, typically in the initial coding phase. It is far more cost-effective to identify and address vulnerabilities during the testing phase rather than after deployment, underscoring the importance of conducting real-time testing.
Financial organizations are increasingly adopting real-time vulnerability testing, with some conducting tests at least once per day. While this represents progress in closing the API gap, continuous testing will be critical for ongoing vulnerability elimination, particularly as attack surfaces continue to expand. Fortunately, modern tools have emerged to facilitate fast, efficient, and scalable API testing without adding undue burden on developers.
- Gain visibility into your API footprint
Many organizations struggle with a lack of visibility into their API footprint. Some admit to having only a partial view of their inventory, while others have a full inventory but lack insight into which APIs handle sensitive data. At its core, every organization requires visibility into its APIs to accurately assess risk and exposure levels.
The most effective approach is to leverage tools that create a comprehensive catalog of an organization’s APIs. This enables companies to identify APIs that interact with sensitive data and ensure they’re properly secured and monitored. Understanding the flow of sensitive data through APIs also aids in compliance with regulations such as PCI DSS, GDPR, and HIPAA.
- Designate an API champion
Determining responsibility for API security within an organization can be challenging. Is it the developers’ responsibility? Security teams? Product teams? Or perhaps a combination of these roles? Without a clear answer, oversights and suboptimal security measures may occur. Unfortunately, many organizations only address API security after experiencing the consequences of a breach.
Designating API champions or Centers of Excellence clarifies responsibility and empowers organizations to take a strategic and proactive approach to security. These designated individuals can assess the organization’s current security posture, identify vulnerabilities, and create a preemptive strategy. Additionally, they can serve as advocates, educating other teams on best practices to ensure that API security is integrated into every stage of the application development process.
As cybercriminals become increasingly sophisticated and attack surfaces continue to grow, API breaches are likely to become more prevalent. Therefore, it’s important for companies to prioritize API security now to safeguard banking and financial data. By implementing the strategies outlined above, businesses can effectively secure their attack surface and drive positive business outcomes.
