API Security for Financial Services

May 2, 2023 | by Tony Bailey

For the global financial services industry, which includes banks, credit unions, exchange houses, finance companies, payment card issuers, and insurance companies, API security is a top priority. A single data breach or a sustained fraud campaign enabled by an API exploit or abuse is enough to damage an organization's reputation and draw the attention of industry regulators.

Financial Services Require APIs to Transact Business

APIs have become a core piece of the financial services industry, ensuring connectivity for mobile applications and peer-to-peer payment systems. APIs are at the center of open banking and enable companies to standardize how they connect and exchange data, allowing information to be instantly shared across organizations and third-party service providers. With a dynamically changing list of partners and technology suppliers, API connections are being continuously added to the financial ecosystem.

The problem is that opportunistic attackers are paying attention to the vast and growing number of APIs the industry uses. They exploit incorrectly coded or misconfigured APIs, or abuse legitimate business logic, for example by replaying stolen credentials against a login endpoint, to commit theft and fraud and to disrupt business.

The risks catalogued in the OWASP API Security Top 10 illustrate how many routes to a successful data breach exist, and even attackers who are not sophisticated can be relentless. With financial services businesses handling trillions of dollars, there is money to be made.

It’s Complicated: Protecting Private, Public, and Partner APIs

Industry regulators have taken notice and are promoting standards for safe and robust APIs that accelerate financial services innovation while keeping APIs and the data behind them secure. For example, the Federal Financial Institutions Examination Council (FFIEC) updated its cybersecurity guidance to call out the risk of data breaches through broken, exposed, or compromised APIs. That guidance describes procedures that help financial institutions defend against API attacks, such as inventorying APIs to identify potential vulnerabilities and reduce exposure. Elsewhere, the Securities and Commodities Authority (SCA), a federal financial regulatory agency in the United Arab Emirates, has issued guidance on applying key principles to the use of APIs.

Staying ahead of attackers means protecting APIs across the entire API lifecycle, and this and similar guidance spells out how far that protection is expected to reach: conception, the formulation and design of an API; production, its development and testing; publishing, the steps taken to make it available for use; consumption, its use by clients; and retirement, its withdrawal from use.

The pressure is compounded by the several types of APIs that must be protected. Private APIs are used within an organization to provide interoperability between internal applications, automating transactions and adding flexibility. Partner APIs integrate software between a company and a partner, often for a specific purpose such as delivering a product or service. Finally, public or open APIs are designed to be easily accessible to the wider population, whether or not a business relationship has been established.

API Security and the Need for Proactive API Protection

Traditional approaches to security do not translate to API security in the financial services industry. The industry must meet data security requirements such as the Payment Card Industry Data Security Standard (PCI DSS), which covers data both at rest and in transit. Data at rest is the large volume of information that stays where it is stored: locally on hard drives, archived in databases, in file systems, and in storage infrastructure. Data in transit is information moving between computers, between virtual machines, from an endpoint to cloud storage, or across private or public networks, and APIs are the channel for much of that movement. Because APIs both expose stored data and carry data in motion, protecting them from attack and abuse, and detecting the resulting data exposure, is considerably more complicated than securing a single store or link.

Why is API Protection Such a Problem?

First, most organizations do not know how many shadow, hidden, deprecated, and third-party APIs they have, so many go unprotected. Cequence Security has reported that over 50% of APIs are unknown or shadow APIs, and that 31% of observed malicious transactions, five billion out of 16.7 billion, targeted unknown, unmanaged, and unprotected APIs. Second, developer errors, missing best practices, and inadequate training produce vulnerabilities that bad actors can easily exploit. Third, even a perfectly coded API can be the vector for a data breach or an outage when it is hit by automated attacks or business logic abuse.

Traditional approaches to API security include web application firewalls (WAFs), which use signatures to detect known vulnerability classes such as those in the OWASP Top 10 for web applications. WAFs struggle to find and block API attacks that consist of individually legitimate-looking requests, and they do not address the visibility, inventory tracking, risk assessment, and threat prevention requirements that protecting APIs demands. API gateways are reactive by nature: developers must register an API before the gateway manages it, so an unregistered API is invisible to it. Often deployed within a single infrastructure, at department level, or in one cloud environment, API gateways are inadequate for gaining complete visibility, inventory tracking, risk assessment, common security policy enforcement, and threat prevention across the whole API estate.

Ensure API Protection for the Financial Services Industry

For the financial services industry, API protection needs three things. First, a way to continuously discover all APIs, then inventory them, assess them, and fix the broken ones. Second, a way to ensure the organization complies with API coding specifications, industry guidelines, and regulations. Third, and perhaps most importantly, a way to protect every API from automated attacks and business logic abuse. The proposed OWASP Top 10 API Security Risks for 2023 reinforces this last point by calling out “Lack of protection from automated threats” as a top-ten risk.

This discover, comply, and protect approach will result in the strongest API protection for the entire lifecycle.

The good news is that Cequence Unified API Protection covers all the bases. In fact, it’s a one-stop location for all things API protection.

With the Cequence approach, APIs are continuously discovered using machine learning-based attack surface discovery. Pre-defined, imported, or dynamically generated API tests help security and development teams comply with specifications and regulations by uncovering and remediating API vulnerabilities, including the OWASP API Top 10 risks. Detected vulnerabilities are layered with contextual analysis, and monitoring and profiling of APIs and applications protect against API-related threats.

Cequence Unified API Protection – API Security

The Cequence approach to API protection helps enable a collaborative effort for API security that includes developers, application owners and the security team to accomplish the following:

Discover

Gain an understanding of your public-facing API footprint to see what an attacker sees. Then complement that outside-in view with a comprehensive inside-out inventory of the APIs in your network and related resources, including all existing APIs and connections.

Comply

Continually analyze existing and new APIs to keep them in compliance with specifications such as the OpenAPI Specification and to ensure API coding quality, consistency, and governance. With ongoing API testing integrated into development, risky code does not go live, complementing the organization's other API security efforts.
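As an added illustration of the Discover and Comply steps (example code written for this article, not Cequence's product or its discovery logic), the script below reconciles observed API traffic against an OpenAPI-style inventory. A request that matches a documented path and method is known; a hit on an operation the spec marks deprecated is flagged for retirement; a documented path called with a method the spec does not list, and a path that matches nothing at all, are both surfaced as shadow surface. The spec fragment and the access-log lines are constructed for the demo, and the log format (`METHOD PATH STATUS`) is an assumption.

```python
"""Surface shadow, deprecated and undocumented API endpoints by reconciling
observed traffic with an OpenAPI-style inventory.

Example code added to this article; not Cequence code. The spec fragment and
the access-log lines are constructed, and the log format is an assumption.
"""
import re
from collections import Counter

# Constructed OpenAPI-style inventory: path template -> HTTP method -> metadata.
OPENAPI_SPEC = {
    "paths": {
        "/v2/accounts/{accountId}": {"get": {}},
        "/v2/accounts/{accountId}/transfers": {"post": {}},
        "/v1/accounts/{accountId}": {"get": {"deprecated": True}},
        "/v2/cards/{cardId}/limits": {"get": {}, "put": {}},
    }
}

# Constructed access-log lines in the assumed "METHOD PATH STATUS" format.
ACCESS_LOG = """\
GET /v2/accounts/1001 200
GET /v2/accounts/1002 200
POST /v2/accounts/1001/transfers 201
GET /v1/accounts/1001 200
GET /v2/cards/55/limits 200
DELETE /v2/cards/55/limits 405
GET /internal/debug/accounts 200
GET /internal/debug/accounts 200
GET /v2/accounts/1001/export 200
"""


def template_to_regex(template):
    """Compile '/v2/accounts/{accountId}' into an anchored regex; a {param} matches one segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def build_inventory(spec):
    """Flatten the spec into (regex, template, METHOD, deprecated) rows.
    Templates with fewer parameters come first so a literal segment such as
    /accounts/me wins over /accounts/{accountId}."""
    rows = []
    for template in sorted(spec["paths"], key=lambda t: t.count("{")):
        for method, meta in spec["paths"][template].items():
            rows.append((template_to_regex(template), template,
                         method.upper(), bool(meta.get("deprecated"))))
    return rows


def normalize_unknown_path(path):
    """Collapse numeric segments so shadow endpoints group by shape, not by record ID."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def classify(method, path, inventory):
    """Return (category, key). Categories: documented, deprecated, undocumented-method, shadow."""
    matched_template = None
    for rx, template, spec_method, deprecated in inventory:
        if rx.match(path):
            matched_template = template
            if spec_method == method:
                return ("deprecated" if deprecated else "documented", template)
    if matched_template is not None:
        return ("undocumented-method", matched_template)
    return ("shadow", normalize_unknown_path(path))


def reconcile(log_text, spec):
    """Count (METHOD, template-or-path) hits per category across the whole log."""
    inventory = build_inventory(spec)
    report = {c: Counter() for c in ("documented", "deprecated", "undocumented-method", "shadow")}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        path = path.split("?", 1)[0]          # ignore query strings when matching templates
        category, key = classify(method, path, inventory)
        report[category][(method, key)] += 1
    return report


if __name__ == "__main__":
    for category, hits in reconcile(ACCESS_LOG, OPENAPI_SPEC).items():
        for (method, key), count in sorted(hits.items()):
            print(f"{category:20} {count:3}  {method} {key}")
```

Run against the sample, the report shows `/internal/debug/accounts` and `/v2/accounts/{id}/export` as shadow endpoints, the `v1` account lookup as still-live deprecated surface, and a `DELETE` against the card-limits path that the spec never defined. Feeding the same reconciliation a gateway export or an outside-in crawl instead of the access log gives the inside-out and outside-in views the Discover step calls for.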

Protect

Even perfectly coded APIs can be attacked, so it is critical to continuously scan your entire API inventory and API traffic for threats, including subtle business logic abuse within API transactions and malicious activity that has not been observed before. It is equally critical to respond quickly and natively with countermeasures such as alerts, real-time blocking, and even deception, without needing additional third-party data security tools.
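To make the Protect step concrete, here is an added example (written for this article; it is not Cequence code and does not describe how its product detects abuse) of the kind of behavioural check that catches what a signature-based WAF cannot. Every login request in the constructed sample is individually well-formed. What gives the automation away is one client cycling through many distinct usernames inside a short window with almost every attempt failing, while a genuine user who mistypes a password several times on a single account is left alone. The event field names, thresholds, and sample events are assumptions for the demo.

```python
"""Flag credential-stuffing style automation against a login API from behaviour
across requests rather than from any single request.

Example code added to this article; not Cequence code. Event fields, thresholds
and the sample events are constructed for the demo.
"""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 60         # sliding window per source
MIN_ATTEMPTS = 8            # enough volume to judge behaviour
MIN_DISTINCT_USERS = 5      # many accounts from one client is the stuffing signature
MAX_SUCCESS_RATIO = 0.2     # a few stolen credentials may actually work


def _constructed_events():
    """Build a small login log: one spraying client, one fat-fingered user, one normal user."""
    events = []
    # 203.0.113.7 tries 12 different accounts; only the tenth credential works.
    for i in range(12):
        events.append({"ts": 1000 + 2 * i, "src": "203.0.113.7",
                       "user": f"user{i:02d}@example.com", "status": 200 if i == 9 else 401})
    # 198.51.100.4 is alice mistyping her password four times, then succeeding: not automation.
    for i, status in enumerate([401, 401, 401, 401, 200]):
        events.append({"ts": 1003 + 5 * i, "src": "198.51.100.4",
                       "user": "alice@example.com", "status": status})
    events.append({"ts": 1010, "src": "192.0.2.9", "user": "bob@example.com", "status": 200})
    return sorted(events, key=lambda e: e["ts"])


LOGIN_LOG = "\n".join(json.dumps(e) for e in _constructed_events())   # constructed JSON lines


def detect_credential_stuffing(log_text, window=WINDOW_SECONDS, min_attempts=MIN_ATTEMPTS,
                               min_distinct_users=MIN_DISTINCT_USERS,
                               max_success_ratio=MAX_SUCCESS_RATIO):
    """Return {src: evidence} for sources whose login behaviour inside the window looks automated.

    Evidence holds the window stats at the last flagged event, the first timestamp at which the
    source crossed the thresholds, and every account it logged into successfully (treat those
    credentials as compromised)."""
    recent = defaultdict(deque)      # src -> deque of (ts, user, succeeded) inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        q = recent[event["src"]]
        q.append((event["ts"], event["user"], event["status"] == 200))
        while q and event["ts"] - q[0][0] > window:   # expire old attempts (events arrive in order)
            q.popleft()
        attempts = len(q)
        distinct_users = len({user for _, user, _ in q})
        successes = sum(1 for _, _, ok in q if ok)
        if (attempts >= min_attempts and distinct_users >= min_distinct_users
                and successes / attempts <= max_success_ratio):
            evidence = flagged.setdefault(event["src"], {
                "first_flagged_ts": event["ts"], "compromised_users": set()})
            evidence.update(attempts=attempts, distinct_users=distinct_users, successes=successes)
            evidence["compromised_users"] |= {user for _, user, ok in q if ok}
    return flagged


if __name__ == "__main__":
    for src, evidence in detect_credential_stuffing(LOGIN_LOG).items():
        print(src, evidence)
```

On the sample, only `203.0.113.7` is flagged, and the evidence names `user09@example.com` as the one account whose stolen credential worked, which is the record a fraud team needs to force a password reset. Keying purely on source IP is the simplest version of this check; attackers spread stuffing across proxy pools, so a production detector would key on additional client attributes (device fingerprint, token, ASN) and feed the verdict to the blocking or deception countermeasures described above.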

Unified API Protection differs from fragmented or incomplete API protection offerings because it is a methodology designed to account for multiple types of risk across every phase of the API protection lifecycle. In the financial services industry, security teams deploying Cequence Unified API Protection (UAP) help their organizations protect customer data and quickly block API-related fraud.

API protection is important to ensure the security of financial transactions and the privacy of individuals. Financial companies must protect sensitive information such as personal and financial data. Failure to do so can have profound consequences for both the financial company and its customers. Therefore, it is important to ensure that APIs are protected throughout their lifecycle.

Get Started Today with the Cequence Unified API Protection Solution.

Get a Free Security Assessment of your API attack Surface

Tony Bailey

Author

Senior Director of Product Marketing