BlogApplication & API SecurityConsulting ServicesApplication ServicesFinancial ServicesCloud SecuritySoftware DevelopmentSecurity OperationsCybersecurity Risk & StrategyWWT ServicesCloudSecurity TransformationDigital
Blog11 minute read

API Security Fundamentals: An Introduction (and What Does the Super Bowl Have to Do With It?)

Let's delve into all things API security, particularly aimed at global financial institutions. Here, I cover the basics and provide an overview of WWT's approach (with a Super Bowl-themed twist). Next, I'll cover API discovery; then API focused threat detection, prevention and response; and lastly, API security testing and validation.

In this blog

What an exciting weekend of NFL conference championships! The big game is set.. Cincinnati Bengals versus Los Angeles Rams for the 2022 NFL title. I don't have a favorite team in the big game this year, so as I look ahead to the Super Bowl 56 I am getting excited for the new commercials that will debut this year.

Reflecting back, the 2009 Super Bowl 43 really stands out to me. Not because I remember who won, and not because I am a fan of either team that played. It's because of one precise moment in the airing of that game that would go on to change us all forever.

Regarding the details of the game, I had to ask Siri for a refresher. Turns out, Super Bowl 43 was played in Tampa, FL, at Raymond James Stadium between the Pittsburgh Steelers and Arizona Cardinals. It was the 6th title for Pittsburgh, and it was the last game to feature the legendary late John Madden as TV commentator. That is monumental all on its own. But then came the debut of a commercial with a tagline so influential, it would have us all parroting these five words ever so regularly…all while the cybersecurity industry was quietly being turned upside down. 

There's an App For That

With that simple phrase, a mobile phone for talking and texting with a tiny browser and basic media player became smart, and would later become a way of life. 

There's an App for That, a phrase that sums up one of the biggest technological turning points in human history, was coined 13 years ago (crazy, right!?). Six months prior, in July 2008, Apple launched their app store to the delight of early iPhone owners, but when that commercial aired during Super Bowl 43, the rest of the nation saw exactly what they were missing.  

Now, everyone wanted to get their hands on these new apps. Those little icons were the keys to instant, ubiquitous consumerism and a uniquely personalized digital user experience. That phrase sparked a major transformation in the way we live our lives and thus upended an entire industry.

By July 2009, 65,000 apps had been published and made available to consumers in 77 countries. In just the first 12 months of operations, the app store fulfilled more than 1.5 billion downloads.

 Enter application security

Lucky for guys like me, the public eased into their app usage with the mundane, so security wasn't too grave a hassle (yet!). In that first year, most apps downloaded were GPS/map services and games. Back then, users still accessed financial information on their bank's mobile website via browser. People were very happy with MLB Live's finger batting, talking to TomTom and not having to print out MapQuest directions. At this point, when it came to concerns about mobile risks, consumer data breaches or financial threats, security teams were focused on the monolithic web applications. 

Since then, the usage of apps has grown tremendously and so has the consumers' insatiable need for newer, better, more convenient apps. As a result, app development within the enterprise must keep evolving at a pace that meets new requirements for continuous integration, agility, speed, etc. The banks, of course, must also evolve and scale app development to comply with market demands, which calls upon cyber security teams to rapidly grow application security engineering and operations.  

With firsthand experience, dare I say expertise, I can tell you that application security in banking was always a bit of a challenge, and for obvious reasons. Yet, with the right strategy and tools it was manageable. Then came the global pandemic in 2020 and everything changed.  By mid-2021 we saw a shift—most likely a permanent one—in the way consumers managed their finances: digitally and preferably on their phones.  Accordingly, cyber security teams had no choice but to prioritize and scale application and API security strategies.

With the mobile app now being the primary way consumers do banking and investing, the digital banking experience became the most important factor in a bank's ability to attract and retain its customers. In fact, according to a Mobiquity 2021 Survey, while 28% of those aged 55 and older listed a better in-person experience as one of the top three things that would cause them to switch banks, only 17% under the age of 55 showed concern for the in-person experience. In the same report, 40% of all respondents agreed that they are likely to switch accounts to get better digital tools and 37% agreed that they are more likely to switch than they were in the past. 

 And now for the importance of APIs

What are these APIs you speak of and why are they keeping my CISO up at night? 

Well, with the explosion of apps, both web and mobile, also came the explosion of the Application Programming Interface (API). A simple explanation: while an app is built for human interaction, the API is the software interface that allows two applications to interact without a user's involvement. APIs are the hidden conduits that enable new features to be rapidly added to an application; they allow the enterprise to buy an external feature and seamlessly integrate that service into their own interface. 

A once stubborn industry, the competition for customer satisfaction and loyalty has forced banks to adopt new and improved ways of delivering services, which now means integrating third-party features by exposing applications to outside providers. This has given rise to new terms such as open banking, API API Banking, Banking as a Service (BaaS), or Banking as a Platform (BaaP). With all this, an entire new segment of fintech organizations has grown in response to the consumer need for app-based, single-view banking and financial management.  

To better understand the benefits of new banking models and why APIs are now so valuable, think about your personal finances and the variety of financial products you have. You probably have a combination of checking and savings accounts, debit cards, credit cards, insurance, car loans, home mortgages, retirement accounts, investment accounts and more. Chances are, there are multiple organization providing you these services and they all have their own app on your mobile device…but it's extremely inconvenient to have to juggle between them.

The open finance model is rapidly changing the way people use financial services apps, allowing consumers to choose the app that offers the best consolidated view of all accounts and most conveniently facilitates direct transfers between these accounts. And this all requires rapid security innovation. 

Now, banks, neobanks and fintechs are able to present all of your financial data on a single app interface? How, you ask? There is an API for that. 

Even better, there are ways to adequately secure the app that presents all of your financial data on a single interface? How, you ask? WWT can help with that.

 As for API security, or a lack thereof…

APIs are now a permanent part of the digital enterprise. The use of APIs is necessary in supporting the growth of an enterprise organization, and subsequently, the growth of the organization will drive the expansion of its API estate. And while the organization is growing and the API landscape is expanding, so is the surface of application exposure and all the security threats that come with it. Is it any wonder that most organizations are failing miserably at their API security efforts?

Most often, organizations lose track of how many APIs they really have. Many are either naïve to believe that APIs don't expose anything of value, or they are entrusting DevOps to produce and secure apps faster in effort to avoid traditional delays imposed by the big bad cyber security team. Another pitfall is to simply have faith that the existing products like the web app firewall (WAF) or the API Gateway are doing enough. I hope none of these scenarios struck a chord with you, but if so, need not worry, I'm here to help. Better yet, we are here to help. 

 How WWT helps FSI customers secure APIs

WWT always takes a consultative, collaborative approach to helping customers reach their goals and achieve measurable results, and our API security methodology is no different. Our security experts will work closely with your security team to understand your environment and desired outcomes and then customize a strategy based on these following principles:

  1. Continuous API discovery and posture.
  2. API-specific threat detection and attack prevention.
  3. Automated and continuous API security testing.

Now, I'm sure some of you are thinking, man, we already have those in place. And trust me, I believe that you do…on some level. But what we are finding, time and again, is that when major enterprise-level customers come to us, they think they have control over their APIs, but then begin to realize that they had no idea exactly how many APIs they had, where they were located, and most importantly, how they were being secured.  Most have no way to detect active instances of Broken Object Level Authorization (BOLA).  We will go into more detail on BOLA in part three of the series, but this happens when an application does not correctly confirm that the user performing the request has the required privileges to access a resource of another user. Experience has shown us that almost every enterprise has an insecure API currently exposed and susceptible to BOLA.

With firsthand experience, I am here to urge you to use caution and be extremely scrutinous before assuming your app security strategy is sufficient enough to protect your APIs. So, please, at least come talk to us before your organization lands on 2022's list of API-driven data breaches. 

WWT Subject Matter Experts (SMEs) start with an advisory assessment to help identify, evaluate and rationalize needed investments for a comprehensive, continuous API security strategy. WWT's API Advisory SME's will engage with your DevSecOps teams to:

  • Review existing API security policies and secure coding standards.
  • Review API security policies on existing API management gateways; including authentication and authorization of API users, traffic management and content threat detection.
  • Evaluate 3rd party and supply chain use of APIs.
  • Review information security and SDLC processes to identify API control gaps (e.g. application architecture review, ISRA, 3rd-party risk assessment).

Deliverables from this initial assessment are customized to your requirements and may include:

  • Current static inventory and posture assessment.
  • Identification of gaps between existing application or API security policies/standards and the OWASP API Security Top 10.
  • Recommendations for comprehensive API security strategy and operations.

Following the consultative assessment, WWT partners with key industry-leading providers of API security software and can help you evaluate and test available solutions from a vendor neutral perspective, and then support your entire journey, using the right tools and best processes, to ensure optimal security for your APIs. 

 From SB43 to SB56 and App to API, it's time to add APIsec to your cyber strategy

If you're like me, you'll be watching this year's Super Bowl 56 on February 13th. Your reasons for watching might vary. Some will watch for the love the game, or maybe this is the year your team made it, some will watch for the halftime entertainment, some will watch for the commercials and some will watch for the thrill of it all. 

I personally will be watching with some degree of amazement at how far our industry has come from the "There's an App for That" commercial in 2009 to now in 2022, with the incredible evolution of how we use applications, the rise of APIs, and all the amazing advances they provide, such as open banking, API banking, fintech, neobanks, etc.

As I sign off, I'd like to leave you with another Super Bowl fun fact…

In 2009, the game was played in Raymond James Stadium. The Raymond James company was founded in 1962 and known as a pioneer in the financial services industry.  Just 13 short years later, the big game will be played in the recently built, state-of-the-art SoFi Stadium.  Remarkably, SoFi, a fintech company established in 2011, didn't even exist until a new application economy was introduced during 2009's Super Bowl. 

Founded by 4 Stanford Business School graduate students on a single idea to reform the student loan industry, SoFi now offers a wide array of financial products to over 2.5M members and was just granted approval by the OCC to become a national bank. They have no branches—it's a completely digital operation. All not possible without an app, an enormous number of APIs and a strategic security solution to protect all of it. 

Will the industry get spun by another game-changing commercial this year? I'll be watching. Feel free to join the conversation by sharing your thoughts with me on LinkedIn.

Enjoy the game!