It’s simple: the probability of being under cyber attack is 100%. From a cyber defense perspective you have to be right all the time; your adversary, on the contrary, only has to be right once. Due to the nature of APIs, and their application in a financial context, the impact of exploiting a vulnerability could be huge. Imagine a flaw that would let attackers execute financial transactions with null authentication.
With high probability and high impact, the risk is very high that APIs in the PSD2 era will enable a New Normal in bank robberies. Not IF, rather WHEN and WHO.
Happily, there is already a lot of material available on the topic of API security. Consult the OWASP Body of Knowledge for Secure Coding Best Practices, and adopt Continuous Testing using SecDevOps best practices, frameworks (such as BDD) and tools. Look at software security the same way a Quality Assurance Manager would look at a production plant in automotive or pharma. From a QA perspective, you should consider the ISO/IEC 25010 Software Product Quality Standard, which features Security as one of its eight quality characteristics.
On top of all the well documented Best Practices and Standards, I would like to highlight two additional focal points for Fintech companies to look at while developing their APIs.
1. Consider new AI-based approaches in vulnerability scanning.
The traditional approach to software security testing is to engage in extensive (often manual) penetration tests, plug the holes found, and then start all over again with every new release.
Extensive quickly translates to Expensive: a reality check reveals a big gap between supply and demand for penetration testing skills. There is upward pressure on the price while the quality of the service delivered is being diluted as many penetration testing “tourists” enter this lucrative market.
In 2016 the US Defense Advanced Research Projects Agency, DARPA, hosted the world’s first AI hacking tournament in Las Vegas. The results were astonishing. Not only were vulnerabilities found that humans hadn’t discovered yet; the speed at which this took place was simply mind-blowing. With such heavyweights focusing on the problem, one can expect a rapid uptake of ML and AI in vulnerability testing.
My advice is to scan the market for new emerging vulnerability scanning solutions that leverage Machine Learning and Artificial Intelligence, and, in parallel to your current manual efforts, to start testing and adopting such solutions as early as possible.
2. Know what’s under the hood
When I mention the Heartbleed Bug to developers (a critical vulnerability in the OpenSSL library), most go “Oh yes”, but when asked whether they know exactly the whole decomposition tree of every single software library component that is part of their end-to-end service, most don’t have a clue, although they should. For example, many libraries used for authentication and integrity have been crippled by nasty bugs. Think of the Infineon-developed RSA Library version v1.02.013, which led to Estonia having to reissue over 750,000 certificates that were part of its National ID scheme. Or the 2014 GnuTLS bug, which allowed a Man-in-the-Middle attack due to incorrect behavior during a TLS handshake.
My advice is to keep track of all dependencies and to track vulnerabilities in all underlying components. OWASP has a project called Dependency-Check aimed at doing just that. Then make sure that whenever a library is vulnerable, you have an established and tested remediation plan. Such a plan should include a process for issuing critical software updates, a communication plan, the involvement of security operations and, if possible, a simulation of the exploitation of the vulnerability, resulting in useful Indicators of Compromise that can be shared with internal and external InfoSec stakeholders.
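The following is an added example of the kind of check described above; it is not code from the original post or from the OWASP Dependency-Check project. It walks a service’s full dependency tree (transitive components included), compares every component version against a list of advisories with affected version ranges, and reports each hit together with the path through which the component was pulled in, which is the “decomposition tree” knowledge the post asks for. The component names, the tree and the `example-rsa-lib` advisory are constructed sample data (its version string is the one quoted in the post); only the OpenSSL Heartbleed range (1.0.1 up to, but not including, 1.0.1g) is real. A production version would read the tree from a build manifest and the advisories from a vulnerability feed such as the NVD data Dependency-Check consumes.

```python
"""Audit a dependency tree against version-ranged advisories.

Added example, not the post's or OWASP's own code. All names, versions
and advisories below are constructed sample data, except the OpenSSL
Heartbleed range, which is public knowledge.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A version is a tuple of (number, letter-suffix) pairs so that tuple
# comparison yields release order: 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
Version = Tuple[Tuple[int, str], ...]


def parse_version(text: str) -> Version:
    """Parse '1.0.1f' into ((1, ''), (0, ''), (1, 'f')). A leading 'v' is
    ignored. Versions with a different number of components compare
    lexicographically, so '1.0' sorts before '1.0.0'."""
    parts = []
    for piece in text.lstrip("v").split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2).lower()))
    return tuple(parts)


@dataclass
class Component:
    name: str
    version: str
    deps: List["Component"] = field(default_factory=list)


@dataclass
class Advisory:
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    summary: str


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def flatten(root: Component) -> Dict[Tuple[str, str], List[str]]:
    """Depth-first walk. Returns every distinct (name, version) in the tree
    with the path from the root through which it is first reached, so the
    same library at two versions is reported twice."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    stack = [(root, [])]
    while stack:
        node, path = stack.pop()
        key = (node.name, node.version)
        here = path + [f"{node.name}@{node.version}"]
        if key in seen:
            continue
        seen[key] = here
        stack.extend((dep, here) for dep in node.deps)
    return seen


def audit(root: Component, advisories: List[Advisory]) -> List[dict]:
    """Match every component in the tree against every advisory."""
    findings = []
    for (name, version), path in flatten(root).items():
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append({"component": name, "version": version,
                                 "path": " -> ".join(path),
                                 "summary": adv.summary, "fixed_in": adv.fixed})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree: a payments API pulling in two copies of OpenSSL
# at different versions, plus a hypothetical RSA library.
SAMPLE_TREE = Component("payments-api", "2.3.0", [
    Component("http-client", "1.4.2", [
        Component("openssl", "1.0.1f"),            # Heartbleed-affected
    ]),
    Component("auth-sdk", "0.9.1", [
        Component("example-rsa-lib", "1.02.013"),  # hypothetical library
        Component("openssl", "1.0.1g"),            # patched copy
    ]),
])

SAMPLE_ADVISORIES = [
    Advisory("openssl", "1.0.1", "1.0.1g",
             "Heartbleed: TLS heartbeat memory over-read"),
    Advisory("example-rsa-lib", "1.02.013", None,
             "constructed advisory: weak RSA key generation"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE, SAMPLE_ADVISORIES):
        fix = finding["fixed_in"] or "no fix available"
        print(f"{finding['path']}: {finding['summary']} (fixed in: {fix})")
```

Reporting the path, not just the component, is what makes the remediation plan actionable: it tells you which first-level dependency has to be bumped or replaced, and the second OpenSSL copy in the sample shows why a flat “is library X present?” check is not enough.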
API Security is crucial in providing trust in the new Digital Fintech ecosystem. I believe this is a shared responsibility. Please share your views and experiences in the Comments.