16 July 2018
Patrick Coomans

Finextra community


Two Additional Ways to Improve API Security for Fintech startups

20 December 2017

It’s simple: the probability of being under cyber attack is 100%. From a cyber defense perspective, you have to be right all the time, whereas your adversary has to be right only once. Due to the nature of APIs and their application in a financial context, the impact of an exploited vulnerability could be huge. Imagine a flaw that would let attackers execute financial transactions with <Null> authentication.

With high probability and high impact, the risk is very high that APIs in the PSD2 era will enable a New Normal in Bank Robberies. Not IF, rather WHEN and WHO.

Fortunately, there is already a lot of material available on the topic of API security. Consult the OWASP Body of Knowledge for Secure Coding Best Practices, and adopt Continuous Testing using SecDevOps Best Practices, SecDevOps frameworks (such as BDD) and tools. Look at Software Security the same way a Quality Assurance Manager would look at a production plant in Automotive or in Pharma. From a QA perspective, you should consider the ISO/IEC 25010 Software Product Quality Standard, which features Security as one of its eight quality characteristics.

On top of all the well-documented Best Practices and Standards, I would like to highlight two additional focal points for Fintech companies to look at while developing their APIs.

1. Consider new AI-based approaches in vulnerability scanning

The traditional approach to software security testing is to engage in extensive (often manual) penetration tests, then plug the holes found, and start all over with every new release. Extensive quickly translates to Expensive, as a reality check reveals a big gap between supply and demand for penetration testing skills. There is upward pressure on the price, while the quality of the service delivered is being diluted as many penetration testing “tourists” enter this lucrative market.

In 2016 the US Defense Advanced Research Projects Agency, DARPA, hosted the world’s first AI hacking tournament in Las Vegas. The results were astonishing. Not only were vulnerabilities found that humans hadn’t discovered yet, but the speed at which this took place was simply mind-blowing. With such heavyweight focus, one can expect a rapid uptake of ML and AI in vulnerability testing.

My advice is to scan the market for newly emerging vulnerability scanning solutions that leverage Machine Learning and Artificial Intelligence and, in parallel with your current manual efforts, to start testing and adopting such solutions as early as possible.

2. Know what’s under the hood

When I mention the Heartbleed Bug to developers (a critical vulnerability in the OpenSSL library), most go “Oh Yes”, but when asked whether they know the whole decomposition tree of every single software library component that is part of their end-to-end service, most don’t have a clue, although they really should. For example, many libraries used for authentication and integrity have been crippled by nasty bugs. Think of the Infineon-developed RSA Library version v1.02.013, which led to Estonia having to reissue over 750,000 certificates that are part of its National ID scheme. Or the 2014 GnuTLS bug, which allowed a Man-in-the-Middle attack due to wrong behavior during a TLS handshake.

My advice is to keep track of all dependencies and track vulnerabilities in all underlying components. OWASP has a project called Dependency-Check that aims to do just that. Then make sure that whenever a library is vulnerable, you have an established and tested remediation plan. Such a plan should include a process for issuing critical software updates, a communication plan and the security operations teams to be involved. If possible, also try to simulate the exploitation of the vulnerability, which yields useful Indicators Of Compromise that can be shared with internal and external InfoSec stakeholders.
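The sketch below is an added example, not code from the author or from OWASP Dependency-Check. It walks a service's full dependency tree and reports every component whose resolved version falls inside an advisory's affected range, together with the path by which the service pulls it in. The component names, versions and advisory identifiers are all constructed placeholders.

```python
from collections import deque

# Constructed sample data: a service's dependency graph (name -> direct deps)
# and the resolved version of each component. All names are hypothetical.
DEPENDS_ON = {
    "payments-api": ["web-framework", "auth-sdk"],
    "web-framework": ["json-parser", "tls-lib"],
    "auth-sdk": ["tls-lib", "rsa-keygen"],
    "json-parser": [], "tls-lib": [], "rsa-keygen": [],
}
VERSIONS = {"payments-api": "2.3.0", "web-framework": "4.1.2", "auth-sdk": "1.0.5",
            "json-parser": "3.2.0", "tls-lib": "1.0.1", "rsa-keygen": "1.2.13"}

# Constructed advisories: component, affected range [first_bad, first_fixed), placeholder id.
ADVISORIES = [
    ("tls-lib", "1.0.1", "1.0.2", "ADVISORY-PLACEHOLDER-1"),
    ("rsa-keygen", "1.0.0", "1.2.14", "ADVISORY-PLACEHOLDER-2"),
    ("json-parser", "2.0.0", "3.0.0", "ADVISORY-PLACEHOLDER-3"),
]

def parse_version(text):
    """Turn '1.2.13' into (1, 2, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def dependency_paths(root, graph):
    """Breadth-first walk of the whole tree; returns the shortest path to each component."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, []):
            if dep not in paths:          # also guards against dependency cycles
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths

def find_vulnerable(root, graph, versions, advisories):
    """Return (advisory id, component, version, path) for every affected component."""
    paths = dependency_paths(root, graph)
    findings = []
    for name, first_bad, first_fixed, advisory_id in advisories:
        if name in paths and (parse_version(first_bad)
                              <= parse_version(versions[name]) < parse_version(first_fixed)):
            findings.append((advisory_id, name, versions[name], " > ".join(paths[name])))
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable("payments-api", DEPENDS_ON, VERSIONS, ADVISORIES):
        print(finding)
```

Both findings in the sample are components the service never declares directly, which is why the path is reported: it tells the remediation plan which direct dependency has to be upgraded or replaced.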

 

API Security is crucial in providing trust in the new Digital Fintech ecosystem. I believe this is a shared responsibility. Please share your views and experiences in the Comments.

 
