Critical API Security Gaps Found in Financial Services

An industry-focused report on application programming interface (API) security has revealed a critical state of affairs in the financial services sector.

In particular, Salt Security's 2023 State of API Security for Financial Services and Insurance report, published on July 19, 2023, exposed significant vulnerabilities and alarming API attacker activity in these industries.

According to the new data, nearly 70% of financial services and insurance companies have encountered rollout delays due to API security issues. Also, 92% of them have experienced security problems in their production APIs over the past year, with approximately one in five suffering an API security breach.

Additionally, the findings highlight the increasing activity of API attackers, with a 244% surge in unique attackers between the first and second halves of 2022.

Notably, 84% of attacks on financial services and insurance originated from "authenticated" users who appeared legitimate but were, in fact, malicious attackers. This suggests that security tools are not adequately equipped to prevent API attacks, a concern shared by 71% of financial and insurance respondents.

"Salt Security's findings highlight why companies should not only be monitoring APIs for attacks but also testing APIs for vulnerable code throughout the development lifecycle," commented Scott Gerlach, co-founder and CSO at StackHawk.

"Many API vulnerabilities are logical in nature and must be exercised to find the issues at hand, which can only be achieved by testing a running version of your application – ideally before production."

API security has now become a C-level issue for 56% of these companies, according to the report, while 79% of CISOs consider it a higher priority than two years ago.

The findings also expose a lack of preparedness in API protection, with 28% of respondents admitting they have no current API strategy. Additionally, 42% lack confidence in identifying APIs that expose personally identifiable information (PII).

"The [OWASP] first created a Top 10 for API Security in 2019 with a new edition earlier this year, but on the whole, there is still a great need for education, tools on both the offensive and defensive side, as well as standards and best practices on how to secure APIs," said Georgia Weidman, security architect at Zimperium.

"The Salt Security Report clearly reflects that while the software and security industries have much work to do in this area, bad actors are already hard at work taking advantage of the current lack of API Security."

More information about API security is available in this analysis published in June by Infosecurity Magazine.