The growth of open banking and PSD2 compliance has changed the face of API security for banks. The client sought help to reduce API security risk efficiently and to maintain more accurate reporting.
About the Client
This global banking institution faced issues with managing and deploying API services in order to support rapid expansion and diversification of their business. Open banking, where financial institutions grant third-party service providers access to customers’ personal information and transaction data to network their accounts across multiple institutions, relies heavily on APIs. This paradigm is driving major innovation in the financial-services industry, but the uncontrolled deployment of APIs can give rise to security blind spots and vulnerable endpoints that can be exploited by bad actors. According to the 2024 Data Breach Investigations Report (DBIR) by Verizon, 90% of web-application attacks target APIs.
The firm’s information-security leadership were unable to determine how many APIs had been deployed, so some of those endpoints could not be maintained or regularly assessed for vulnerabilities. As a direct route to sensitive business and consumer data, APIs are also a particular focus of the European Union’s Payment Services Directive 2 (PSD2), with which the firm sought full compliance.
About Edgescan
Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses across all web-facing and internal systems, including web applications, websites, mobile apps, servers, firewalls, VPNs, and VoIP services. A team of analysts validates every vulnerability discovered on an assessment, creating a multi-step verification process for a solution that is highly accurate and virtually free of false positives.
Edgescan’s API Security Testing enables firms to identify API vulnerabilities across their known network of web-facing assets. The platform also discovers rogue APIs across your cloud providers (AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI), tracks them, and flags issues in the Edgescan dashboard for the internal security team’s review and potential remediation.
The API Challenge
90% of web application attacks target APIs, and deployment data from Edgescan customers reveals a 320% rise in API vulnerabilities in 2022, a severe warning to organizations of all types about the scale of this challenge. Unknown or forgotten APIs can be difficult to discover because they are “headless”: there is no website or other obvious indicator that they exist, and many only reveal themselves when the endpoint is queried in the right way (the right path, method, or headers). If we can’t easily find and track deployed APIs, how can we secure them?
Using multi-layer probing technology, the Edgescan API discovery engine uses asynchronous port scanning to identify open services and then monitor the network for changes. It automatically discovers active API endpoints across your entire attack surface and flags them for review and remediation.
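To make the "headless API" problem above concrete, here is an added example of the two-stage approach the passage describes: probe open services concurrently, then decide from the response itself (not from a hostname or a web page) whether an API is listening. This is illustrative code written for this page, not Edgescan's discovery engine. The list of well-known paths, the local demo server with an HTML home page, an OpenAPI document and a JSON-only route, and the "JSON body means API" heuristic are all assumptions constructed for the example; a real scan would first enumerate open ports with a port scanner rather than simply attempting a connection.

```python
"""Added example (not Edgescan's code): async discovery of headless API endpoints."""
import asyncio
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Paths tried on every open HTTP service; a constructed list for this example.
PROBE_PATHS = ["/", "/openapi.json", "/swagger.json", "/api/", "/v1/accounts", "/health"]


def classify_response(status, headers, body):
    """Return a reason if the response looks like an API endpoint, else None.

    Headless APIs usually answer with JSON even to unauthenticated or wrong
    requests (401/404 error objects), so a JSON body counts regardless of the
    status code; a parsable OpenAPI/Swagger document is the strongest signal.
    """
    if "application/json" not in headers.get("content-type", "").lower():
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # header claims JSON but the body is not: do not trust it
    if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
        return "openapi-spec"
    return "json-body"


async def fetch(host, port, path, timeout=2.0):
    """Send a minimal HTTP/1.0 GET and return (status, headers, body)."""
    reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    try:
        writer.write(f"GET {path} HTTP/1.0\r\nHost: {host}\r\nAccept: application/json\r\n\r\n".encode())
        await writer.drain()
        raw = await asyncio.wait_for(reader.read(), timeout)  # HTTP/1.0: server closes after the reply
    finally:
        writer.close()
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])  # "HTTP/1.0 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


async def discover(targets, paths=PROBE_PATHS, concurrency=10):
    """Probe every (host, port) with every path; return {(host, port, path): reason}."""
    sem = asyncio.Semaphore(concurrency)  # bound in-flight probes
    found = {}

    async def probe(host, port, path):
        async with sem:
            try:
                status, headers, body = await fetch(host, port, path)
            except (OSError, asyncio.TimeoutError, ValueError, IndexError):
                return  # closed port, non-HTTP service or malformed reply
        reason = classify_response(status, headers, body)
        if reason:
            found[(host, port, path)] = reason

    await asyncio.gather(*(probe(h, p, path) for h, p in targets for path in paths))
    return found


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: HTML home page, OpenAPI document and a JSON-only API route."""
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/":
            self._reply(200, "text/html", b"<html><body>Home</body></html>")
        elif self.path == "/openapi.json":
            self._reply(200, "application/json", json.dumps({"openapi": "3.0.3", "paths": {}}).encode())
        elif self.path == "/v1/accounts":
            self._reply(401, "application/json", b'{"error": "unauthorized"}')
        else:
            self.send_error(404)  # stock HTML error page, not an API signal

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_demo_server():
    """Start the constructed server on a random localhost port and return the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


def unused_port():
    """Reserve and release a port so the scan also meets a closed one."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Scan one live target and one closed port; return (open_port, closed_port, findings)."""
    open_port, closed_port = start_demo_server(), unused_port()
    found = asyncio.run(discover([("127.0.0.1", open_port), ("127.0.0.1", closed_port)]))
    return open_port, closed_port, found


if __name__ == "__main__":
    _, _, hits = run_demo()
    for (host, port, path), reason in sorted(hits.items()):
        print(f"{host}:{port}{path} -> {reason}")
```

Run as a script and the home page is ignored while `/openapi.json` and `/v1/accounts` are reported, even though the latter only ever answers 401: the unauthenticated JSON error is exactly the kind of indicator a headless API leaks. In practice the path list, the per-host concurrency and the timeouts should be tuned to the estate being scanned, and any hit should be fed into inventory and vulnerability assessment rather than treated as the end of the job.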
Outcome
Edgescan’s comprehensive API security testing helped discover hidden and rogue APIs across the client’s web-facing assets and cloud providers. The multi-step verification process applied to each potential issue ensured that the threat information received by the internal security team was risk-rated and free of false positives, so they could proceed with remediation confident that the most serious issues were being addressed first. By helping to secure the bank’s network of APIs, the Edgescan Platform hardened a crucial element of the institution’s attack surface and provided continual monitoring of one of the most commonly exploited security gaps today. The enterprise could now assure customers that their personal and financial information was well protected, and the internal security team could better ensure that the firm’s security posture was in full compliance with the regulations governing transaction data.