Regulations and Standards Shine a Much-Needed Light on the Need for API Security

December 20, 2023 | by Tari Schreider

Regulations and standards affecting API Security

APIs have become integral to modern software architecture, and the digital economy has exponentially increased API adoption. However, with the rise of APIs, there has been a corresponding rise in API security risks. Capturing today’s headlines are API-origin data breaches that have compromised tens of millions of sensitive customer records. This dramatic increase in API-based attacks has caught the attention of regulators and standards bodies alike, giving way to various regulations and standards to ensure that APIs are secure and sensitive data is protected. This blog is a quick reference to catch up on the current API security regulations and standards. To allow each to maintain their respective level of importance, I cover them alphabetically.

CFPB Personal Financial Data Rights Rule (Proposed)

The Consumer Financial Protection Bureau (CFPB) proposed a rule in October 2023 that would accelerate a shift toward open banking, in which consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. The proposed rule requires establishing and maintaining interfaces to receive and respond to requests for covered data. Screen-scraping is no longer an accepted method; APIs have replaced it. The shift to APIs requires conformity with security specifications, including access credentials, following the information security specifications in section 501 of the Gramm-Leach-Bliley Act. Organizations covered by the CFPB must ensure that their data security practices are adequate to safeguard covered data. API security practices and solutions are key to complying with the CFPB rule. Without a crystal ball, one cannot know when the rule will take effect; however, covered entities should not wait, and should begin securing their APIs now.

European Payment Services Directive (PSD2)

PSD2 mandates that banks share customer financial data with authorized third-party providers (TPPs) through secure APIs. Entered into force on January 12, 2016, this directive is one of the earliest to call attention to the need for API security. PSD2 is supplemented by regulatory technical standards on strong customer authentication and common and secure open standards of communication, as well as guidelines on incident reporting and security measures for operational and security risks. Since September 14, 2019, payment service providers have been legally required to comply. I expect API security to receive increased emphasis within PSD2 based on its 2023 evaluation report, which found that adoption has only partly been realized owing to fragmentation in the quality of application programming interfaces (APIs) and deficits in data sharing. European regulators will want to turn this around.

Federal Financial Institutions Examination Council (FFIEC)

In June 2021, the FFIEC issued the Architecture, Infrastructure, and Operations booklet, part of the series of booklets comprising its Information Technology Examination Handbook (IT Handbook). Within this booklet, the FFIEC addresses how covered entities should protect APIs, including authorization, authentication, and encryption of private, public, and third-party APIs. The booklet calls out that security needs for APIs should be assessed and implemented to mitigate risks of exposing sensitive customer or entity information, referencing the guidance provided by the OWASP API Security Project.

In August 2021, the FFIEC issued additional API protection directions within the Authentication and Access to Financial Institutions Services and Systems guidance. This guidance identifies the inventorying of APIs, effective mitigating controls for credential and API-based authentication, and secure management of API passwords.

National Institute of Standards and Technology (NIST) Special Publication 800-204

NIST SP 800-204, Security Strategies for Microservices-based Application Systems, is an analysis of the multiple implementation options available for core features and configuration options in architectural frameworks, the development of security strategies that counter threats specific to microservices, and the enhancement of the overall security profile of microservices-based applications. This publication goes into depth about core API protection practices. Its importance is underpinned by the many regulations that reference NIST as an accepted security baseline for complying with rules and regulations.

ISO/TS 23029:2020 Web-Service-Based Application Programming Interface (WAPI) in the Financial Services Standard

This standard, published in February 2020, defines the framework, function, and protocols for an API ecosystem that enables online synchronized interaction. Specifically, the document defines a logical and technical layered approach for developing APIs, including transformational rules. It outlines security, identity, and registration considerations relevant to an API ecosystem. Specific technical solutions are not defined, but they are referenced in the context of specific scenarios for guidance purposes. Like NIST, ISO standards are commonly called out in rules and regulations to achieve compliance.

OWASP API Security Project

Inaugurated in 2019, the OWASP API Security Project is an initiative by the OWASP Foundation to provide software developers and security assessors with strategies and solutions to understand and mitigate APIs’ unique vulnerabilities and security risks. The latest version of the OWASP API Security Top 10 in 2023 highlights APIs’ top 10 security risks that organizations should mitigate to protect APIs from cyberattacks. This new release added five new risks covering broken object properties, unrestricted resource consumption, server-side request forgery, lack of protection from automated threats, and unsafe consumption of APIs. OWASP has become a de facto standard for protecting APIs and is referenced by many rules and regulations.

Payment Card Industry Data Security Standard (PCI DSS)

Released in March 2022, PCI DSS version 4.0 explicitly includes considerations for API security within its standard. An API comes into PCI DSS scope for any organization hosting an API interface that receives or transmits cardholder account data. Requirement 6.4.2 of PCI DSS version 4.0 calls for the continuous detection and prevention of web-based attacks; the solution should include an automated technical mechanism to protect public-facing web applications, including APIs. Requirement 6.3.2 calls for the security of bespoke software, including its libraries and APIs.

U.S. Treasury Department API Guidance

In July 2018, the U.S. Treasury Department issued a report addressing the core principles outlined in Executive Order 13772, published in February 2017. Of particular importance is its call for financial entities to move away from screen-scraping to more secure access methods, reducing the cybersecurity and fraud risks that arise when consumers provide their login credentials to access fintech applications. The report calls out the need to transition to an API method of instantaneously and safely transferring data.

Final Thoughts

Plenty of motivation already exists to protect APIs; regulators and standards bodies have now upped it further. Regulations and standards go hand in hand: referencing an authoritative standard is a sound practice for ensuring compliance with a regulation. I don’t expect the light to stop shining on APIs, as 2024 will likely bring more regulatory scrutiny around API use and security. When evaluating API security solutions, Cequence Security should be on your short list of vendors. They offer a free API security assessment to help you get started. Contact me here to share your thoughts on API security rules and regulations. If you want to keep up with my blogs on related IT security issues, go here.

About the Author

Tari Schreider, C|CISO, CRISC, ITILf, and MCRP, is a Strategic Advisor at Datos Insights specializing in SecOps, APISec, information assurance, and security program architecture. Tari is an author of top-rated cybersecurity architecture and law books and is a master instructor of chief information security officer (CISO) certification courses.
