Author - Kate Prebble

Development of API Security in an Open Banking Environment

Development of API Security in an Open Banking Environment

In August 2019 Australia took a significant step towards an open data economy by passing the Consumer data right (CDR) legislation, also known as Open Banking. Open Banking gives customers control of their data and enables them to share it with third parties.

Driven by regulatory changes, shifting consumer preferences and technology-enabled innovation, Open Banking gives consumers the power to share their selected banking data with accredited third parties securely. Open Banking lays the foundation to improve the consumer experience, enable the market to create products and services, and change the competitive landscape in the best interest of the consumer by giving them a choice outside the major financial institutions.

An application programming interface (API) is a means to connect two pieces of software to exchange messages or data in a standard format by allowing standardised interactions between the various participants of the financial ecosystem and enabling innovation in the business model. With open APIs, developers can create programs, tools, or apps tailored to the information provided by the various institutions to offer products which are more relevant to customers.

Using APIs to connect all the systems of the financial institution is crucial to better outcomes for the consumer. Focusing on security is essential, because of the proliferation of APIs that Open Banking standards introduce, which also increases security risks at the same time. In other words, the number of attack vectors is increasing and creates a more significant landscape for fraud and data breaches.

To mitigate these risks, API security has to be front of mind for developers, and developers should focus on securing the entire API lifecycle and not leaving it as an afterthought during deployment.

Application developers are focused on creating incredible software by creating an appealing user experience and compelling features by making sure that the app performs well, particularly across the proliferation of platforms available to end-users today. In many cases, it means less focus on security from the outset.

Therefore, as soon as the software is published, it is exposed. As soon as a website goes live, there will be hackers somewhere in the world trying to look for vulnerabilities in the website and the API. Therefore locking down the security of the API once it is published, means limiting the damage which could be caused by the security exposure.

This is why app development needs to adopt a security first API strategy. Financial services are not alone in the journey; other industries such as online retail face the same challenge. Security needs to be embedded right from the start of an API’s creation, alongside the user experience, feature development, and performance.

API development is very common these days, with varying skill sets, and this can include external contractors that may have less of a mandate to focus on security than the corporate team. Therefore educating everyone involved in the potential risks around APIs, and their role in risk mitigation is essential. The focus on security needs to be front of mind.

Second, new software development techniques support more stringent control around API security during the development lifecycle. For example, Continuous Integration and Continuous Delivery methodologies include establishing the right policies, approval workflows, users, groups, and roles. Therefore, the right people will review an API before it is published to ensure nothing is exposed to the outside world without formal signoff. This will help create an audit trail for regulatory compliance reporting.

With the vast amount of data involved, including time pressure to deliver, it is not feasible to depend purely on manual processes. Therefore, automating the whole process with security testing built-in will be the only way to scale the development of an API properly.

Instead of reinventing the wheel every time a new API is developed, it's best to create a single API security development & deployment process, with automation built-in wherever feasible to ensure on-going repeatability and consistency. API management tools, which ensure these security processes happen without needing to be switched on or off, can extend to third parties outside the organisation, so that everyone involved in the API development process is working to achieve the same goals when it comes to baked in security standards.

Better security of APIs throughout their entire lifecycle will require some work, but not only is it achievable, it is also essential. In a market so often targeted by cybercriminals, a security-first approach to APIs helps to put financial institutions back in control.