FinXTech Intel 2023 report final 2 - Flipbook - Page 23
• Confirm that the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements.

The API Problem

One area of particular focus for bank security professionals as their institutions explore digital transformation is the security and ongoing monitoring of their API connections. APIs can ease the work required to install and integrate new technology for banks, but they’re increasingly an attack surface that malicious actors target to enter a bank or technology vendor. Herrin of Wib Security says he routinely encounters chief information security officers or other bank security professionals who severely underestimate the number of APIs their bank is currently using — and as a result, are not monitoring the activity or traffic of those connections.

For more on open banking, flip to page 22.

There are four major challenges that banks undergoing digital transformation face, and four ways they can make their institution more secure from malicious attackers, Herrin says:

1. Identify who is responsible for the security of the APIs. Like other aspects of risk management, banks can outsource some of the day-to-day responsibility but not accountability, he says.

2. Ensure the security team has visibility into the API environment. Examine the boundaries of the tech stack — where a user or data might move from a database to a server or from a server to the internet — for four things: assets, actors, interfaces and actions. Herrin calls it, “Who’s doing what to what, via what?” This helps security teams establish the environment’s normal expected state.

3. Use tools to model and close identified threats and vulnerabilities, and track API traffic.

4. Manage the pace and change of API developments. API adoption has outpaced most companies’ ability to monitor it, with weekly or even daily changes, and banks may need to find ways to automate aspects of this work.

Wib Security has created a sample of inbound questions that regulators and auditors may ask bank security professionals. This is a condensed version.

1. Who owns API security for our company?
2. Do our APIs have owners assigned?
3. How much of our revenue comes through APIs?
4. How many APIs do we have?
5. How many of these are actively used, and how many are dormant?
6. Do our penetration tests adequately cover API vulnerabilities and attacks on business logic in production?
7. Which of our APIs are subject to legal or regulatory compliance?
8. Are we seeing any malicious traffic? On which APIs?
9. What is our overall API security risk? Is it improving or worsening from this time last year?
10. Are there some development teams that produce more API issues than others? How are they trained and given feedback on API security issues?
11. Is there a vetting process for code and API changes before they go into production?
12. Who gets alerts on security events detected against our APIs?
13. What is the average response time in minutes when a broken object level authorization (BOLA) attack is detected against one of our production APIs?
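The following is an added example, not code from the report, from Bank Director or from Wib Security. It shows one way to build the “who’s doing what to what, via what?” baseline of step 2 (actors, actions, interfaces, assets) from API gateway access logs, and then uses that baseline to answer three of the sidebar questions: which declared routes are dormant (question 5), which observed routes are not in the inventory at all (question 4), and which actors look like they are enumerating object IDs, the pattern behind a BOLA attack (question 13). The log format, the field names, the route inventory and the enumeration threshold are all assumptions made for the example; the log lines are constructed.

```python
"""
Added example (not from the Bank Director / Wib Security page): build an
actor/action/interface/asset baseline from API gateway access logs and use
it to find dormant routes, undeclared (shadow) routes and object-ID
enumeration that resembles a BOLA attack.
"""
import json
import re
from collections import defaultdict

# Constructed sample access log, one JSON object per line (format is an
# assumption): actor = client credential / app id (who), method = action
# (doing what), path = interface (via what), numeric path segment = asset
# instance (to what).
SAMPLE_LOG = """\
{"ts":"2023-05-01T09:00:01Z","actor":"app-mobile","method":"GET","path":"/v1/accounts/1001","status":200}
{"ts":"2023-05-01T09:00:02Z","actor":"app-mobile","method":"GET","path":"/v1/accounts/1001/transactions","status":200}
{"ts":"2023-05-01T09:00:05Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2001","status":200}
{"ts":"2023-05-01T09:00:06Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2002","status":200}
{"ts":"2023-05-01T09:00:06Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2003","status":200}
{"ts":"2023-05-01T09:00:07Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2004","status":200}
{"ts":"2023-05-01T09:00:07Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2005","status":200}
{"ts":"2023-05-01T09:00:08Z","actor":"app-partner-7","method":"GET","path":"/v1/accounts/2006","status":200}
{"ts":"2023-05-01T09:00:10Z","actor":"app-web","method":"POST","path":"/v1/payments","status":201}
{"ts":"2023-05-01T09:00:11Z","actor":"app-web","method":"GET","path":"/internal/admin/users/5","status":200}
"""

# Assumed route inventory, e.g. derived from the bank's OpenAPI specs.
DECLARED_ROUTES = {
    ("GET", "/v1/accounts/{id}"),
    ("GET", "/v1/accounts/{id}/transactions"),
    ("POST", "/v1/payments"),
    ("DELETE", "/v1/payments/{id}"),  # declared but never called in the sample
}

ID_SEGMENT = re.compile(r"^\d+$")


def parse_log(text):
    """Parse one JSON object per line into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def route_of(path):
    """Map a concrete path to its route template and pick out the asset.

    /v1/accounts/1001 -> ("/v1/accounts/{id}", "accounts", "1001")
    Asset type is the segment before the first numeric segment; the object
    id is that numeric segment. Paths without an id return (route, None, None).
    """
    parts = path.strip("/").split("/")
    asset, obj = None, None
    for i, seg in enumerate(parts):
        if ID_SEGMENT.match(seg):
            if asset is None and i > 0:
                asset, obj = parts[i - 1], seg
            parts[i] = "{id}"
    return "/" + "/".join(parts), asset, obj


def build_baseline(records):
    """Observed (actor, action, interface) -> request count: the normal state."""
    baseline = defaultdict(int)
    for r in records:
        route, _, _ = route_of(r["path"])
        baseline[(r["actor"], r["method"], route)] += 1
    return dict(baseline)


def observed_routes(baseline):
    return {(method, route) for (_, method, route) in baseline}


def dormant_routes(baseline, declared=DECLARED_ROUTES):
    """Declared routes with no traffic in the window (sidebar question 5)."""
    return declared - observed_routes(baseline)


def undeclared_routes(baseline, declared=DECLARED_ROUTES):
    """Traffic to routes missing from the inventory: shadow APIs (question 4)."""
    return observed_routes(baseline) - declared


def bola_suspects(records, max_objects=5):
    """Actors that successfully read more than max_objects distinct IDs of one
    asset type: an enumeration pattern typical of BOLA (question 13).
    The threshold is an assumption and should be tuned per actor's baseline."""
    seen = defaultdict(set)
    for r in records:
        _, asset, obj = route_of(r["path"])
        if r["method"] == "GET" and r["status"] == 200 and asset:
            seen[(r["actor"], asset)].add(obj)
    return {k: len(v) for k, v in seen.items() if len(v) > max_objects}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    base = build_baseline(recs)
    print("dormant:", sorted(dormant_routes(base)))
    print("undeclared:", sorted(undeclared_routes(base)))
    print("BOLA suspects:", bola_suspects(recs))
```

On the constructed sample the script reports the never-called DELETE route as dormant, the `/internal/admin/users/{id}` route as undeclared traffic, and `app-partner-7` as a BOLA suspect for reading six distinct account IDs in a few seconds. A real deployment would feed the baseline from the gateway continuously and alert whoever question 12 names when a new (actor, action, interface) tuple appears or an actor's distinct-object count steps outside its own normal range.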
Kiah Lau Haslett is managing editor of Bank Director.
FINDING FINTECHS: HOW DO YOU DECIDE? | 21