I am very excited to partner with Cequence for a three-part blog series and webinar on the top-of-mind subject of API security in financial services companies, fintechs and insurtechs. At Aite-Novarica Group, we initiated coverage of the API security space in 2019. At that time, we learned very quickly that API security knowledge was extremely low. In our conversations with chief information security officers, security architects, application developers, and security operations professionals we saw consistently that IT professionals – and particularly security teams – had very little visibility into the number of APIs traversing their networks. We embarked on a campaign to raise API security awareness through research, reporting, and a series of well-attended webinars. In 2020 we continued the journey and focused on how APIs are created and managed. We examined secure coding principles and interviewed more than 50 developers and security professionals at 31 financial services companies, fintechs and insurtechs. This led to our report on “Best Practices in API Security”, and we assessed the level of API Security as very low in several areas including API security testing, training for developers, and management of 3rd party APIs. Some telling numbers from our interviews and research:
- Nearly half of the companies had no inventory of the APIs they produced or just an approximate count
- More than two-thirds of the companies indicated that they did not perform specific API security testing
- Only one of the 31 companies had a designated API security point of contact
We’re very happy to report that since 2019 the level of API security awareness has significantly improved, and we’ve seen both industry body and vendor initiatives to get API security on the radar of CISOs – particularly in financial services. Our follow-up conversations now start at a very informed level and it’s evident that cybersecurity professionals have become very conversant on both threats and defenses. Bravo. We’ve also seen a raising level of API security maturity by software developers, and we attribute part of this to increased sensitivity related to high visibility supply chain attacks (e.g., SolarWinds) and refreshed software assurance programs.
But we’re not done yet. API use continues to explode as more and more organizations dive into microservices, cloud workloads, open banking, and digital transformation products that use APIs to deliver new user experiences. APIs are here to stay. We’re still seeing a constant cadence of API related security breaches but overall, the market is on a good trajectory. But we must do more.
APIs are complex and it’s very easy to make mistakes related to authorization, authentication, and disclosure of too much information to attackers by way of error messages. For this reason, we are recommending specific API Security solutions that can complement, perhaps even strengthen shift left practices of secure API coding, API security testing, and API management. These API security products can shield the right, acting as an additional and important part of an organization’s API security defenses. We’re currently examining innovations related to API runtime protection and our initial analysis is that this is a viable method to limit exposure that might be introduced by API coding flaws or missteps in API management. Stay tuned as API security continues to be on our Hits List for 2021 and beyond.
If you have not embarked on an API security improvement journey, now is the time to start. I’ll be covering additional aspects and recommendations in upcoming blogs and a joint webinar with Cequence “Shielding Right to Strengthen Shift Left: Here’s How” on October 6th.
Joseph has been a cybersecurity analyst since 2019. He’s worked in information security for more than 45 years. His previous roles include operations officer for the U.S. intelligence community, a CISO at large publicly traded companies, and a cybersecurity strategy consultant for Accenture and PwC. He has worked in 115 countries, and he’s keenly interested in disruptive and emerging cybersecurity technologies.