Application programming interfaces (APIs) keep financial institutions and fintechs running in today's economy. However, because of their significance and their ability to deliver access to information and assets, they are also a frequent target of attackers unless they are protected.
APIs, a major driver of open banking, have continued to gain relevance and prevalence within the financial services (finserv) community because they enhance real-time banking capabilities with greater cash-flow visibility, fewer administrative obstacles and a more comprehensive view of personal finances.
While financial organizations use APIs in increasing numbers, vulnerable and unprotected APIs can expose sensitive financial and personal data. Because API development often spans multiple teams and iterations, protection is often an afterthought, or at least not a priority. It is vital, therefore, to understand the vulnerabilities.
With fraudsters finding more opportunities to infiltrate web-based applications, organizations scramble to stay ahead of them. The 2021 Verizon Data Breach Investigations Report found that attacks on web applications remain high: they are the main attack vector in hacking actions, involved in over 80% of breaches that involved hacking.
The Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve software security, warned, "By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible."
Typical API vulnerabilities include authentication mechanisms that are implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws; APIs that impose no restriction on the size or number of resources a client or user may request; and complex systems whose multiple weak spots attackers count on finding.
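As an added illustration of the first two weaknesses (this is example code written for this page, not code from NXTsoft or from any product it describes), here is a minimal account-listing handler in a vulnerable and a hardened form. The bearer-token format, the signing key, the account data and the `MAX_PAGE_SIZE` cap are all constructed for the example; a real service would load its key from a secret store and read accounts from the core system.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (hypothetical): key, page cap and 10,000 fake accounts.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
MAX_PAGE_SIZE = 100
ACCOUNTS = [{"id": i, "balance_cents": i * 1000} for i in range(10_000)]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    # HMAC-SHA256 over the encoded claims, hex-encoded.
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(client_id: str, ttl_seconds: int) -> str:
    """Issue a minimal signed bearer token: <base64url(JSON claims)>.<hex signature>."""
    claims = {"sub": client_id, "exp": int(time.time()) + ttl_seconds}
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{payload}.{_sign(payload)}"


def vulnerable_list_accounts(token: str, limit: str):
    """Handler with both flaws: incomplete token check (plain string compare, the
    'exp' claim is never consulted) and an unbounded 'limit' parameter.
    Returns an (http_status, body) pair."""
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return 401, {"error": "malformed token"}
    payload, sig = parts
    if sig != _sign(payload):  # ordinary comparison, not constant-time
        return 401, {"error": "bad signature"}
    claims = json.loads(_b64url_decode(payload))
    # claims["exp"] is ignored, so a stolen token keeps working forever,
    # and the client decides how many records come back.
    return 200, {"client": claims["sub"], "accounts": ACCOUNTS[: int(limit)]}


def hardened_list_accounts(token: str, limit: str, now=None):
    """Same endpoint with a constant-time signature check, expiry enforced,
    malformed input rejected and the page size clamped server-side."""
    now = time.time() if now is None else now
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return 401, {"error": "malformed token"}
    payload, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return 401, {"error": "bad signature"}
    try:
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "malformed claims"}
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401, {"error": "token expired or missing exp"}
    try:
        requested = int(limit)
    except (TypeError, ValueError):
        return 400, {"error": "limit must be an integer"}
    if requested < 1:
        return 400, {"error": "limit must be positive"}
    page_size = min(requested, MAX_PAGE_SIZE)  # the server, not the client, sets the cap
    return 200, {
        "client": claims["sub"],
        "accounts": ACCOUNTS[:page_size],
        "page_size": page_size,
    }


if __name__ == "__main__":
    fresh, stale = make_token("fintech-1", 3600), make_token("fintech-1", -10)
    print(len(vulnerable_list_accounts(fresh, "1000000")[1]["accounts"]))  # every record
    print(hardened_list_accounts(fresh, "1000000")[1]["page_size"])        # capped
    print(vulnerable_list_accounts(stale, "5")[0], hardened_list_accounts(stale, "5")[0])
```

The same request, a valid token with `limit=1000000`, returns all 10,000 records from the vulnerable handler and at most 100 from the hardened one; an expired token is accepted by the first and rejected with 401 by the second. The clamp is deliberately silent (the response reports the effective `page_size`) rather than an error, so well-behaved clients keep working while the bulk-extraction path disappears.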
Financial institution API weaknesses may originate in core processing, loan origination, account opening and other systems, as well as in other fintech solutions, as these switch from Simple Object Access Protocol (SOAP), the longtime standard for web service interfaces, to Representational State Transfer (REST), which in recent years has accounted for the overwhelming majority of openly available public APIs.
Both SOAP APIs and RESTful APIs expose data over HTTP requests and responses, but they use different message formats and as a result raise distinct security concerns.
REST is not a protocol or a standard but a set of architectural constraints; it relies on HTTP and, in most implementations, on the JavaScript Object Notation (JSON) data format to send and receive messages. Developers consider REST APIs (aka RESTful APIs) lightweight, needing less bandwidth and able to handle multiple data formats. They are also easier to use than SOAP, whose specific requirements, including XML messaging, built-in security standards such as WS-Security and transaction compliance, make it slower and heavier.
Some enterprises continue to integrate SOAP APIs for certain use cases, so it is important to work with integration partners that can identify the differing needs of each style, especially in terms of security.
Bundled API solutions, complete with RESTful APIs, serve as easy on- and off-ramps to the superhighways of financial information. They can also deliver secure APIs to financial institutions and fintechs with a faster time-to-market for open banking solutions.
RESTful APIs allow financial institutions to integrate their existing legacy technology with API gateways and with identity and security management solutions such as NXTsoft's OmniConnect Platform. OmniConnect APIs use REST principles as their foundation, along with resource-oriented URLs and HTTP response codes. All API responses are returned in JavaScript Object Notation (JSON) format.
NXTsoft's OmniConnect Platform provides secure open APIs for the digital infrastructure needed to build and scale any fintech application in banking, savings, wealth, financial wellness and insurance. The platform provides a ready-to-go API framework that also includes the base functionality to authenticate, onboard clients and accounts, and store and process data, which all other APIs in the OmniPlatform can use.
NXTsoft's solutions help fintechs and financial institutions connect and optimize their data to maximize revenue opportunities, enhance profitability and mitigate cybersecurity risk. Many financial institutions, enterprises and government entities struggle to manage data loads, networks and data security.