Financial service providers, such as banks and credit card companies, use a vast number of APIs, which makes them an attractive target for threat actors. That is why API security is essential in the fast-changing business world of financial institutions.
In a podcast with L7 Defense, Sandy Carielli, Principal Analyst at Forrester Research, presented the latest numbers. A recent survey showed that 28% of respondents working in the financial services industry rank improving their application security as a top priority.
In the financial services space, 70% of the respondents are already adopting API security, and 16% are planning to do so within 12 months. API security is adopted at different stages of the lifecycle, with a fair share in development, testing, and production.
With the digital transformation, banks need to share their APIs with, for example, FinTech companies. This, combined with the regulatory requirements, requires not only a different mindset but basically a rewrite of their 100-year-old DNA. They need to adapt to the new reality that any vulnerable API, flawed DevOps cycle, or malicious activity can result in a breach. Although many financial institutions are aware of the need for API security to support their new corporate reality, they do not really know how to approach it, and especially not with which tools. A lot of organizations are still trying to learn this.
At a technical level, the idea is to have one unified solution. As Tomer Nuri, CEO & Founder at The Cyber Edge, stated: “Since APIs drive so many cyber events, we will see API security as part of the main cyber defense, but the market still needs to catch up. APIs are building blocks. This has shifted the security focus from the whole application (including API) to the APIs themselves.”
In the API security domain, financial organizations are looking for tools that handle the whole lifecycle. Furthermore, financial institutions are obligated to comply with very strict regulations. That makes APIs a big deal, since they are often overlooked in the process. Quite a lot of APIs were developed, even went through a PoC process, and were then abandoned and forgotten. As Robert Wines II, CISO at NewWave, pointed out: “Since APIs are often forgotten, metrics are required to be able to state with confidence that all aspects and components, including APIs, are secure.”
This means looking closely at each API in context to understand what it does. Large numbers of APIs are developed by different developers and different teams, for different purposes, which raises concerns about consistent security controls. “If they’re not consistent, we have holes”, Colin Jaccino, API & Security Specialist at EPAM Systems, pointed out. That is why producer-side tooling is converging: security is being integrated into the development process and engaged at a deeper level.
When talking about zero trust, this means that “Just because of your location or your particular title, it does not mean that we trust you, pure and simple.” Behavior-based, heuristic security tools are preferred over signature-based ones, since they offer a higher level of security. An API security solution should not be an extension of another security solution (such as a WAF), but needs to be an integrated part of the cybersecurity arsenal.
Currently, API security is, to some extent, still the Wild, Wild West, with new approaches and new solutions popping up. The type of API security that a financial organization will deploy depends on its level of API cybersecurity maturity, in-house expertise, range of API users, and the cybersecurity solutions already in place.
Financial institutions, their security staff, and regulatory authorities are catching up with API security, making it a priority to cover the whole API development cycle. With threat levels rising, API security providers, such as L7 Defense, provide the right technology and offering to enable financial institutions to identify and mitigate cybersecurity threats aimed at their organization.
In this podcast, organized by Forrester Research and L7 Defense, a panel of experts, consisting of Sandy Carielli, Principal Analyst at Forrester Research, Yisrael Gross, API Security Co-founder at L7 Defense, Colin Jaccino, API & Security Specialist at EPAM Systems, Robert Wines II, CISO at NewWave, and Tomer Nuri, CEO & Founder at The Cyber Edge, discussed API Security in a fast-changing business world.