API: The new standard
APIs (Application Programming Interfaces) have become the de facto standard for building and connecting applications in today's IT world. API-based architectures suit decentralized teams, lightweight governance, and fast, iterative development. The focus of modern banks is now on Open Banking, which is a major source of innovation in the banking industry (especially in the payments ecosystem); as a result, many FinTech firms collaborate with banks to make banking easier and more convenient both for the participating entities and for the end user. Open Banking relies heavily on APIs, and it provides an ideal financial ecosystem for conducting business because everything remains inter-connected, i.e. both needs and solutions. Unified Payments Interface (UPI) can be seen as one of the most widely used public/open APIs, adopted by many banks and FinTechs.
What is an API?
An Application Programming Interface (API) is a set of clearly defined methods of communication between software components that requires no user intervention. An API consists of a set of instructions and standards that the participating applications must follow; in other words, it specifies how software components should interact. APIs operate on an agreed contract of inputs and outputs and are independent of any specific programming language.
Major Categories of APIs
1. Private:- An API used internally by an organization to integrate the different applications and systems that exist within it.
2. Partner:- An API used by known business partners under a specific contractual relationship, for a specific business use case.
3. Public/Open:- An API that can be used by anyone who meets the organization's access-control policy. The best example is UPI in India.
What are some of the most common API security best practices?
· Using tokens:- Establish trusted identities and then control access to services and resources using tokens issued to those identities. Tokens should be short-lived, bound to a specific client, and validated (signature and expiry) on every call, never only at login.
· Using encryption and signatures:- Encrypt data in transit with TLS, and require signatures (on tokens and, where needed, on request payloads) so that only the intended parties can decrypt or modify your data and any tampering is detectable.
· Periodically identifying vulnerabilities:- Periodically scan your operating system, network, drivers, and API components for known vulnerabilities. Understand how everything fits together and identify the weak spots that could be used to break into your APIs. Use traffic-capture tools (sniffers) to detect security issues and track data leaks.
· Using quotas and throttling:- Quotas ensure that consumers stick to their end of the API contract; they are normally based on a service-level agreement (SLA), e.g. the number of calls a consumer may make to an open API per second, minute, hour, or day, and calls beyond the quota are rejected with an error. Throttling restricts the rate of calls to an API: instead of receiving an error, a consumer's calls are slowed down once a set number of calls is exceeded in a given time window.
· Using an API Gateway:- An API gateway is the means through which an organization offers its APIs to the outside world. It authenticates traffic, and it controls and analyzes how your APIs are used by enforcing access-control policies. An API gateway can also provide additional features such as security and access management, information-security controls, capacity management, audit trails, orchestration, etc.
· Test your APIs against the OWASP API Security Top 10 (2019) for API-specific vulnerabilities.
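The token, quota and throttling items above, and the gateway that enforces them, as an added example (not the author's code): a toy in-process API gateway in Python. It assumes HMAC-SHA256 signed bearer tokens of the form base64url(payload).base64url(signature), a per-client token bucket for throttling, a fixed daily call quota, and a demo secret passed in by the caller; the names issue_token, verify_token and ApiGateway and the client id "fintech-a" are hypothetical. Quotas return an error when exceeded; throttling instead computes how long the call is held before it proceeds.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

QUOTA_WINDOW = 86400.0  # quota counters reset daily (assumed for this example)


def issue_token(secret: bytes, client_id: str, ttl: int, now: float) -> str:
    """Issue an HMAC-SHA256 signed bearer token: base64url(payload).base64url(sig).
    The secret is passed in; a real service would fetch it from a key store."""
    payload = json.dumps({"sub": client_id, "exp": int(now) + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(secret: bytes, token: str, now: float) -> Optional[str]:
    """Return the client id if the signature verifies and the token is unexpired,
    otherwise None. Malformed input of any shape is rejected, never raised."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None
        return str(claims["sub"])
    except (ValueError, KeyError, TypeError):
        return None


class ApiGateway:
    """Per-client enforcement in the order a gateway applies it:
    authenticate the token, then check the quota, then throttle."""

    def __init__(self, secret: bytes, burst: int, refill_per_sec: float, quota: int):
        self.secret = secret
        self.burst = burst          # token-bucket capacity (largest allowed burst)
        self.rate = refill_per_sec  # sustained calls per second
        self.quota = quota          # hard cap on calls per QUOTA_WINDOW
        self.buckets = {}           # client -> (tokens, time of last refill)
        self.usage = {}             # client -> (window start, calls used)

    def handle(self, authorization: Optional[str], now: float) -> dict:
        if not authorization or not authorization.startswith("Bearer "):
            return {"status": 401, "reason": "missing bearer token"}
        client = verify_token(self.secret, authorization[len("Bearer "):], now)
        if client is None:
            return {"status": 401, "reason": "invalid or expired token"}

        # Quota: a hard contractual cap. Exceeding it is an error, not a delay.
        start, used = self.usage.get(client, (now, 0))
        if now - start >= QUOTA_WINDOW:
            start, used = now, 0
        if used >= self.quota:
            return {"status": 429, "reason": "quota exhausted"}

        # Throttling: a token bucket smooths bursts. Instead of an error, a
        # caller above the rate is held until one token has refilled (a real
        # gateway would queue or sleep; here we only compute the delay).
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        delay = 0.0
        if tokens < 1.0:
            delay = (1.0 - tokens) / self.rate
            tokens = 1.0  # exactly one token is available at now + delay
        self.buckets[client] = (tokens - 1.0, now + delay)
        self.usage[client] = (start, used + 1)
        return {"status": 200, "client": client, "delayed": round(delay, 3)}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # demo only; never hard-code in a real service
    gw = ApiGateway(secret, burst=3, refill_per_sec=1.0, quota=5)
    tok = issue_token(secret, "fintech-a", ttl=60, now=1000.0)
    for t in (1000.0, 1000.0, 1000.0, 1000.0, 1001.0, 1002.0):
        print(t, gw.handle("Bearer " + tok, t))
    print(1061.0, gw.handle("Bearer " + tok, 1061.0))  # token has expired
```

Running the block issues a token for the constructed client and replays a burst of calls: the first three pass immediately, the fourth and fifth are held for one second each (throttling), the sixth is rejected because the daily quota of five is spent, and a call after the token's expiry gets 401. In a real deployment the secret comes from a key store, the bucket and quota state live in a shared store so every gateway instance sees the same counters, and TLS protects the token in transit.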
Prakash, thanks for sharing!
Wonderful writing. Short, crisp yet effective. It is my humble request that you develop this 'short story' into a 'novel' that we can work upon. It would be a great service if API vulnerability identification, pre-emption and mitigation could be done easily, because APIs are the easiest way to ensure last-mile coverage of most public service delivery and Direct Benefits Transfer (DBT). Awaiting your novel very soon. Hats off...
Well articulated, in keeping with your standard, Prakash!! Informative.