Financial Organizations Can’t Stop at Security Frameworks to Protect Their APIs

In the world of financial services, which encompasses banks, credit unions, payment card issuers, and insurance companies, safeguarding API security is a paramount concern. A single data breach or ongoing fraudulent activity resulting from API exploitation or misuse can significantly tarnish an organization's standing and draw the scrutiny of regulatory bodies.

In the second half of 2022 alone, abuse attempts against shadow APIs increased by 900% with approximately 45 billion search attempts made for shadow APIs, up from the 5 billion attempts made in the first half of 2022. With threats only escalating, organizations have turned to various cybersecurity frameworks like those from the National Institute of Standards and Technology and the Open Worldwide Application Security Project.

While leveraging these frameworks and lists as a guide is a great starting point for financial organizations to secure APIs, these companies must also work towards complete visibility into their APIs in order to gain a greater awareness of the types of threats they may face and the relative risks.

Why APIs are Critical to the Financial Sector

APIs have become the backbone of the financial services industry, ensuring connectivity for mobile applications and peer-to-peer payment systems. An integral aspect of the open banking revolution, APIs empower and standardize how businesses connect and exchange data, enabling the swift sharing of information between various organizations and third-party service providers. The financial ecosystem is constantly evolving with an ever-expanding roster of partners and technology suppliers, steadily expanding the network of API connections.

With this growth, however, threat actors are paying close attention to the use of APIs across the industry. They actively capitalize on poorly coded or misconfigured APIs, as well as exploiting business logic vulnerabilities, for instance through stolen credentials, to commit theft, fraud and business disruption.

Understanding the OWASP API Security Top 10 List

The OWASP API Security Top 10 is an integral component of how organizations understand API protection against automated attacks and vulnerability exploits. With the latest version released this year, the list is a standard awareness document for developers and web application security practitioners, representing the most critical security risks to API ecosystems.

The OWASP API Security Top 10 list highlights risks to APIs that could lead to data breaches, offering a glimpse into the avenues attackers may exploit. Given the enormous sums involved in the financial services industry, amounting to trillions of dollars, there is a significant incentive for attackers to capitalize on these opportunities for financial gain.

For example, the 2023 update to the list emphasizes the importance of tackling automated attacks, prominently identifying the lack of protection from automated threats as one of the top risks organizations face today. Actors using bots to abuse APIs have been a persistent threat for years, and the community has understood the risk posed to perfectly coded APIs that have no vulnerabilities but simply protect valuable data. The financial industry is one where this risk is most clear, given the value being protected.

Laying a Solid Foundation to Securing APIs

While the new API Security Top 10 may not be perfect, it does show exactly what has been known for several years now: the landscape of API security is changing, and organizations need to change with it. Whether it is knowing where your organization's APIs are, testing them for flaws, or mitigating bots attacking your unknown flows, API security needs to be a focus for the financial sector, and this new list is a great place to start.

To safeguard against the risks outlined in the API Security Top 10 and beyond, it is crucial to embrace a comprehensive approach to API security that encompasses the viewpoints of attackers, defenders and developers, as well as governance, risk, and compliance (GRC) officers. Each perspective brings distinct aspects that must be addressed to establish a well-rounded security posture. By adopting a comprehensive approach to API security while taking into account the API Security Top 10, the financial services industry can enhance the protection of its systems and data against evolving threats.

Will Glazier

Director - Threat Detection & ML

Cequence Security
