Introducing security into software through APIs

Application programming interfaces (APIs) can make life easier for software developers, allowing them to concentrate on what they do best and preventing them from being forced to fiddle with things they know little about.

Identity and Access Management APIs

APIs are also a great way to implement/enhance the information security aspects of a product. One good example of this are IAM (Identity and Access Management) APIs.

“An API receives so much data that it can learn from them and can improve results over time. Another important aspect is the fact that APIs, specially for web services, benefit from massive processing infrastructures, resulting in very fast responses, fast analysis of the responses and prediction capabilities, so some results can be automated,” Roman Foeckl, CEO at CoSoSys, explains.

“For example, by using IAM APIs you can build a login solution that can analyze the failures and can send alerts or automatically lock down the login process and wait for the human intervention for analysis.”

Data Loss Prevention APIs

Another great example are DLP (Data Loss Prevention) APIs.

DLP APIs analyze the data stored and processed by apps and they can centralize them. More specifically, developers can use this tool to analyze email volume. When a set threshold for credit card numbers, IBANs and similar sensitive data is surpassed, it can alert the manager in charge and the email server can put those emails in the queue until they are cleared for sending. This particular situation covers two plausible enterprise scenarios: malicious behaviour by an employee (i.e. insider threat), and attempts of data exfiltration by malware and botnets.

“An API can also be added to a network gateway that does content/file/packets inspection and that system can quarantine the data being sent. There are solutions that inspect and collect sensitive data from 98% of the file types used in enterprises,” Foeckl notes.

Using validated and widely deployed DLP APIs also guarantees that the technology will be up-to-date and on point, as these APIs are maintained by a team with the right skills and expertise.

Foeckl believed that many traditional applications, services and infrastructures that have not seriously addressed security aspects will make use of the fast-growing marketplace of APIs for security, wanting to maintain competitiveness and compliance.

“More APIs will be based on REST web-services and this will influence their interconnectivity, making them aware of their coexistence,” he says. “This will bring more value to the reports and actions taken on those systems, increasing their precision and resilience. For example, if the analysis system for user behaviour is down and there is no way of seeing the login failures, another system that monitors sensitive data traffic could alert that something bad is happening with the company’s data. This concept is similar to a failover scheme, but with different components.”

Another thing we can expect in the near future are self-sufficient APIs, or AI-driven APIs for security, he points out. “The most important aspect of AI in the API context is the ability to predict threats based on user behaviour and sensitive data collected and stored by applications and services. This will reduce data security incidents along with developments efforts and costs.”

Security APIs and the financial industry: A good fit

While payments systems and other components work with sensitive financial data in apps and services from non-financial industries, in the financial industry, monetary assets and critical PIIs (as well as financial records) represent the core of the business or the business itself.

The negative impact of any error introduced in financial industry software is bound to be great and, thus, developers have a greater responsibility to avoid them.

“Some of the critical errors that, unfortunately, are still seen out there: cross-site scripting flaws, input sanitization failures, the lack of containerization of banking accounts, flaws allowing private data to be available to other users, and so on,” says Foeckl.

To prevent them from popping up, he recommends more frequent code reviews, made throughout the software developing cycle. Additionally, all development teams should have a specialist in data security that can address the vulnerabilities and supervise in the adoption of secure coding standards.

“More importantly, the cyber security developer/engineer must identify and document security requirements early in the development life cycle. This helps building secure financial software as well as integrate security features as add-ons to the basic products, contributing to increased awareness for all stakeholders – customers, development companies, end-users, and others.”