
Comprehensive API Security Assessment for Fintech Company


• FinTech

• Sales


• A security assessment report of the current system

• Future target state & roadmap with targeted dates


API Security Assessment

Learn how Incepta Solutions can perform API Security Assessments for businesses to identify API security threats and help them safeguard their business assets and data.

Our client, a Canadian fintech company, needed to assess the risk of their external-facing APIs to determine whether enough controls were in place to minimize the risk of cyber-attacks and data extraction.

The objective of this engagement was to address the following:

  1. Minimize risk of external facing APIs
  2. Minimize the risk of sensitive data extraction
  3. Protect APIs and critical assets from cyber attacks
  4. Enrich current tools and workflows with API-centric data and alerts
  5. Develop, protect, and enhance revenue streams and client relationships

Incepta was engaged to assess the current state of the client’s API security posture, propose a target state, and provide a roadmap to achieve the target state.

  • Canadian fintech company
  • Leading provider of sales financing and payment solutions
  • 10+ years in business providing fast and flexible financing solutions

Our client is a Canadian sales financing company founded in 2013 with the mission to become the leading provider of point-of-sale financing and payment solutions for businesses across Canada.

  • Poor visibility into the API landscape
  • Data Loss Prevention measures were not in place
  • API gateways and WAFs covered only rigid policies
  • API Security is unfamiliar territory – need to build playbooks and best practices

The client is in the finance industry, where data security is paramount. Our client was unsure whether they had proper security measures in place, how many APIs they had, how many were external-facing, and which ones might be an easy target for hackers.


Incepta Security Posture Assessment

Incepta’s API security assessment provides a comprehensive view of traffic, code, and configurations to assess the organization’s API security posture.

The proposed API security solution comprises:

  1. API Security Testing – Adopt developer-centric API security testing for early, frequent and robust API testing.
  2. Posture management – Continuous and context-aware API security risk management – API asset inventory, change detection, configuration control, and vulnerability.
  3. Runtime Protection – Simple, sophisticated protection for APIs and prevention of sensitive data theft, fraud, and misuse from API abuse.

Incepta conducted a complete API security assessment and shared the findings with the client. Some sample statistics are listed below:

  • Number of APIs found – 65
  • API Type – REST
  • Discovered data types – 15
  • Issues found – 33
    • Posture Management Issues – 17
    • Runtime Issues – 16

Incepta suggested security measures to address the issues found and created a desired future state for the client. A sample of the suggested target state architecture is shown below:

Desired Future State Architecture

API Security Assessment Business Outcomes

Incepta's API security assessment provided a consolidated report with detailed feedback, a target architecture, and a roadmap to achieve the future target state. The suggested future state would result in:

  • Robust defense and protection of customer data
  • Enhanced revenue stream due to better customer confidence
  • Better reputation of the company in terms of security measures
  • Protection of critical assets and APIs from cyber attacks
  • Continuous security posture management

API Security Best Practices to Follow

Incepta suggests that organizations follow security best practices when designing and building APIs, such as:

  • Hide sensitive data from all logs
  • Encrypt sensitive information like passwords in the properties file
  • Remove vulnerable components
  • Apply security policies over all APIs in the production environment
  • Continually enhance the API security posture
  • Enrich current tools and workflows with API-centric data and alerts

Proactive cybersecurity is the need of the hour. It includes everything you do before an attack takes place. If you want to protect your business from the devastating effects of cyber-attacks, talk to our cybersecurity experts today to ensure API and data security at every stage.