In July of 2021, an article about API security from a major financial media company was being forwarded around among bankers. The article asked whether application programming interfaces (APIs) were as safe as everyone assumed, referencing research from Salt Security, a Palo Alto-based cybersecurity firm focused on API threat protection. Salt had identified significant vulnerabilities in the APIs of a major financial institution.
However, this was not the first time Salt had written about such vulnerabilities. Earlier that spring, Salt issued a more thorough research report that found 91% of the companies it surveyed had experienced an API security incident in 2020.
In the Q1 2021 State of API Security report, researchers wrote, "The good news is that two-thirds of respondents say their security teams have a focus on the OWASP API Security Top 10 threats." (OWASP is the Open Web Application Security Project — a well-respected nonprofit foundation that works to improve the security of software.) But, the researchers continued, "[t]he conundrum is how so many organizations haven't translated that OWASP API Top 10 focus into an API security strategy."
The banks of the Alloy Labs Alliance had picked up on this earlier recommendation. They were already putting the finishing touches on a shared solution for API security management when the more popular article came to print.
Through the Alliance, cybersecurity experts from institutions all over the country collaborated with our partners at Crowe, LLP to co-create a cybersecurity questionnaire. The project centered on the API vulnerabilities identified by OWASP, and the questionnaire is designed to help bank teams ask the right questions for hardening third-party APIs.