How to secure open banking APIs


SC Media UK editor in chief Tony Morbin sat down with WWT's Vinnit Patel and F5's Paul Dignan to discuss how you can achieve full API lifecycle management

APIs are central to digital transformation. They’re the connective tissue that powers modern web architectures and mobile apps and enable businesses to deliver a digital marketplace. 

But managing those APIs isn’t easy. Traditional API management solutions aren’t designed to meet modern app and environment needs. They’re expensive, have a large footprint, deliver poor performance, and introduce additional complexity to modern apps. 

What you need is a modern API management solution. It needs to be lightweight, flexible, portable, and able to run on containers to support microservices-based apps. It must be able to handle API traffic for both traditional and modern apps without introducing additional complexity.

SC Media UK editor-in-chief Tony Morbin discussed how you can achieve full API lifecycle management with Vinnit Patel, EMEA Cyber-security Lead, WWT and Paul Dignan, Systems Engineering Manager at F5.

"Our clients approach us requesting assistance on their journey into digital transformation," said Patel. "WWT offers consulting services in that space and we provide access to the Advanced Technology Centre where we host multiple security solutions. So clients can get a touch and play of the different solutions available.

"So you can absolutely control and reduce the risk of data breaches – and even improve your current security posture. Where we offer the most help is for those clients that want to be secure and first to market."

"Digital transformation and modern application delivery methods bring challenges for organisations that are integrating existing technology stacks into their application delivery," added Dignan. "Digital transformation, for example, drives use of newer platforms, cloud infrastructure and the like. New application delivery methods bring challenges around scale and speed for our traditional security operations teams who are trying to keep up with the pace that the DevOps teams will be working at.

"I’ve seen many examples of customers saying that their DevOps teams have said to them that we need to have applications delivered within a certain timeframe. But traditional solutions cannot meet those deadlines. So there needs to be consideration around how organisations educate their security and network operations teams to move into the future to meet these new developments," said Dignan.

So, how can organisations ensure their API processes are secure, asked Morbin.

"They definitely need to be protecting themselves from denial-of-service (DDoS) attacks. With API gateways that charge per call, if there is a DDoS attack there’s a significant financial risk there. APIs also transmit sensitive data and this data can easily be scraped so they need to think about anti-scraping technologies," said Patel.

"The OWASP Top Ten should be the bare minimum level of security in my opinion. It’s a fairly broad reach in terms of what it covers, but the types of attacks that are listed in the top ten are ones that would normally be mitigated by signature type, negative security protection... And we need to be able to apply more granular control to APIs, apply positive security, look for anomalies. And we need to make sure our security policies keep up with the rapid levels of development," said Dignan. 
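Dignan's contrast between signature-based negative security and positive security for APIs can be shown on a single request validator. The following Python is an added example written for this article, not code from WWT, F5 or the interviewees; the endpoint schema, field names and sample requests are constructed for illustration and follow no real open banking standard.

```python
import re

# Positive security: an allowlist schema for one constructed account-lookup
# endpoint (hypothetical). Every field must be known, of the right type and
# within its allowed pattern or range; anything else is rejected.
SCHEMA = {
    "account_id": {"type": str, "pattern": re.compile(r"^[A-Z0-9]{8,34}$"), "required": True},
    "from_date": {"type": str, "pattern": re.compile(r"^\d{4}-\d{2}-\d{2}$"), "required": False},
    "page_size": {"type": int, "min": 1, "max": 100, "required": False},
}

# Negative security: a small signature list of the kind a generic WAF rule set
# carries. It can only flag what it already has a pattern for.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]


def negative_check(req: dict) -> list[str]:
    """Return findings from matching known-bad signatures against all values."""
    findings = []
    for key, value in req.items():
        for sig in SIGNATURES:
            if sig.search(str(value)):
                findings.append(f"{key}: matches signature {sig.pattern!r}")
    return findings


def positive_check(req: dict) -> list[str]:
    """Return violations of the allowlist schema; an empty list means accept."""
    findings = [f"{key}: unexpected field" for key in req if key not in SCHEMA]
    for key, rule in SCHEMA.items():
        if key not in req:
            if rule["required"]:
                findings.append(f"{key}: missing required field")
            continue
        value = req[key]
        if type(value) is not rule["type"]:
            findings.append(f"{key}: wrong type {type(value).__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            findings.append(f"{key}: does not match allowed pattern")
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            findings.append(f"{key}: out of range")
    return findings


# Constructed sample requests (not real account data).
GOOD = {"account_id": "GB29NWBK60161331926819", "page_size": 50}
# Abusive but signature-free: an undocumented field and an oversized page.
ODD = {"account_id": "GB29NWBK60161331926819", "page_size": 100000, "debug": True}
# A textbook payload the signature list does know about.
KNOWN = {"account_id": "<script>alert(1)</script>"}
```

The signature list passes `ODD` untouched while the schema rejects it twice, which is the gap positive security closes; a gateway would apply the schema check before the call is metered or forwarded.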

To watch the interview in full, please click here.
