API Security Panel Discussion

Date: March 2^nd, 2023 | Toronto, Canada

Length: 55 Minutes

Speakers:

Introduction:

APIs are the backbone of Open Banking and are used to share and access financial data. Without proper API security measures in place, financial institutions and third-party providers would be at risk of data breaches, which could lead to the loss or theft of sensitive financial information.

During this 55-minute panel, learn how to correctly implement API security measures, ensuring that transactions are secure, comply with regulatory requirements, and maintain customers’ trust.

Key Takeaways:

• APIs are the foundation of software development and API security is critical to ensure they are not exploited as a threat vector.
• Good governance for APIs involves balancing risk and reward, focusing on scalability, flexibility, centralization, and security.
• Regulatory requirements for API security in open banking are still catching up but organizations should not rely solely on them and instead focus on protecting customer data and staying ahead of threats.
• Effective API security involves knowing who is accessing APIs, creating trust relationships, ensuring standards-based approaches to security, and limiting access to sensitive information only to relevant and authorized actors.
• In terms of API security, it is important to have a comprehensive approach that includes governance and assurance functions. 
• Organizations can start with established standards like NIST and OWASP, but it is important to customize these to the organization’s needs and integrate them into project lifecycles and vendor vetting processes. 
• Contractual obligations can also be used to ensure third-party compliance with security standards. 
• The threat landscape for FIs is similar between Canada and the US, with both facing the same security threats. However, regulatory differences may impact the implementation of security programs.
• The panelists discussed several measures to ensure that customer data is encrypted and protected during transmission through APIs. The first step is to have a full inventory of the APIs, ensuring that they are aligned with the processes of the organization and that they are not exposing any vulnerabilities. Additionally, they emphasized the importance of ensuring that any changes or additions to the APIs comply with the organization’s standards. Authentication and authorization are critical elements of API security, and it can be challenging to manage them at scale. It is crucial to monitor and detect suspicious API activity and prevent unauthorized access by having the right tools in place. 
• As the number of players in the FIs market in Canada is small, collaboration is one of the crucial ingredients to face the new risks of Open Banking. We are not competitors here, we are CISOs trying to protect our industry as a team.
• Logging, monitoring, integration testing, and retroactive remediation of issues are also essential to ensure that any problems are caught quickly. 
• Finally, the panelists stressed the importance of incorporating API security into the application security SDLC, the development process, and the company culture.

Meet our Sponsors: