Application Programming Interfaces (APIs) are protocols that enable software applications to exchange data with each other. APIs have become a critical piece of financial firms’ cyber infrastructure[i] because they enable firms to move data – some of it very sensitive, like customers’ personally identifiable information (PII) – between computer systems. The use of APIs is growing because many business operations and customer services, such as those essential to open banking,[ii] rely on the use of APIs.
However, APIs’ vital role in financial services operations, the sector’s broad use of APIs, and the high-value data they transmit make them an attractive target to threat actors. DDoS attacks on APIs alone rose 58% last year, as described in From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector, which we co-wrote with founding Critical Provider, Akamai. Meanwhile, artificial intelligence provides even low-skill cybercriminals with sophisticated tools to launch precision attacks on APIs.
Data from Akamai’s recent report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain, is included in the table below to illustrate the number of security alerts related to API attacks in 2025, broken down by the security framework or compliance standard each alert maps to.
Framework | 30-Day Activity | Monthly Increase
OWASP | 5,907,000 | 32%
MITRE | 2,817,000 | 30%
ISO | 832,000 | 22%
GDPR | 669,000 | 21%
PCI DSS | 881,000 | 16%
This threat landscape requires a tactical approach to hardening API controls. We recommend approaching it this way:
This approach was drafted by FS-ISAC cybersecurity experts and is informed by FS-ISAC’s threat intelligence. This report describes the process in detail for practitioners and cybersecurity professionals in financial services firms. We use it to harden FS-ISAC’s API controls and encourage other firms to adopt it as well.
The first step is an audit to determine the operational challenges the firm faces. Catalog everything – public, private, and third-party APIs – and assess your security posture by reviewing authentication, authorization, encryption, rate limiting, logging, etc. Pay particular attention to visibility gaps around the health of APIs and the data they process – threat actors are known to look for API responses containing PII, account details, or internal IDs.
Then, consider stakeholder alignment – particularly DevOps, security, engineering, and product teams – to define pain points across the API lifecycle.
Finally, understand the standards (e.g., OWASP API Top 10, PCI DSS, FFIEC) that apply and the threats that are most relevant to your institution and threat environment.
The audit will provide the focus areas for the next step: a Proof of Concept (PoC) test.
The audit may consider:
Proof of Concept (PoC) tests measure cybersecurity solutions against a threat – actual or theoretical – in a real-world environment and gauge the solution’s compatibility with the firm’s systems in its threat landscape. The objective of a PoC around hardening API controls is to validate the tools, methods, or configurations you may use before implementing them.
The following validations are typical for this kind of PoC.
Validation area | Typical checks
Pre-runtime controls | Schema validation, API spec enforcement, sensitivity tagging
Authentication and authorization | Zero-trust enforcement, auth mechanisms, field-level access
Access control vulnerabilities | Detection of IDOR/BOLA via spec analysis
Fuzzing and mutation testing | REST-ler, mutation operators, or RL-based fuzzing approaches
Dynamic testing | Live testing for injection, logic flaws, error-handling gaps
Penetration testing lifecycle | Structured planning, discovery, exploitation, reporting
CI/CD integration ("shift left") | Automated security checks, telemetry, early feedback loops
Runtime monitoring and response | Logging, anomaly detection, alerting, incident response plans
The PoC will indicate subsequent control deployment, which will influence the cybersecurity team’s priorities for securing APIs and reducing long-term exposure.
Broadly, these plans should include:
Case Study: Bank A
Operational Challenges
Bank A’s Operational Challenges audit detected unmanaged APIs that were deployed but never documented. It’s not unusual – zombie, ghost, and rogue externally facing APIs can be caused by rapid innovation and third-party integrations. Threat actors look for those blind spots because they’re often unpatched.
Test the Proof of Concept
In its PoC, the bank’s InfoSec team decided to test automated API discovery tools and conduct a traffic analysis with WAF logs to detect unregistered or unknown APIs. That test provided the team with valuable insights into their performance and a deeper understanding of how the WAF solution detects vulnerabilities and blocks attacks. It also allowed them to test for false positive rates.
Plan remediation and risk reduction
The results were positive, so the team drafted a remediation and risk-reduction plan, including:
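As an added illustration of the audit step above (cataloging APIs and watching for responses that carry PII or internal IDs) and of the WAF-log traffic analysis in the Bank A case study, the following script is example code written for this page, not FS-ISAC’s or Bank A’s tooling. It compares a documented API inventory against gateway/WAF log records to surface undocumented endpoints and flag responses that expose sensitive field names; the inventory paths, field list and log lines are all constructed.

```python
import json
import re
from collections import Counter

# Constructed inventory of documented endpoints (hypothetical paths; ids are templated).
API_INVENTORY = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/health"),
}

# Response field names treated as sensitive: PII, account details, internal identifiers.
SENSITIVE_FIELDS = re.compile(r"(ssn|tax_id|account_number|iban|internal_id|email|password|token)", re.I)

# Constructed WAF/gateway log, one JSON record per line. Not real traffic.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    {"method": "GET", "path": "/v1/accounts/1001", "status": 200,
     "response": {"balance": 42.1, "ssn": "000-00-0000"}},
    {"method": "GET", "path": "/v1/accounts/1002", "status": 200, "response": {"balance": 17.0}},
    {"method": "POST", "path": "/v1/payments", "status": 201, "response": {"id": "p1"}},
    {"method": "GET", "path": "/internal/debug/users/7", "status": 200,
     "response": {"internal_id": 7, "email": "x@example.invalid"}},
    {"method": "GET", "path": "/v2/legacy/export", "status": 200, "response": []},
])

# A path segment that is purely numeric or looks like a UUID/hash is treated as an id.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f-]{32,36})$", re.I)

def normalize_path(path):
    """Collapse id-like segments to {id} so concrete URLs match templated inventory entries."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))

def audit_log(log_text, inventory=API_INVENTORY):
    """Return (Counter of undocumented (method, path) hits, list of (endpoint, sensitive fields))."""
    unknown = Counter()
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["method"].upper(), normalize_path(rec["path"]))
        if key not in inventory:
            unknown[key] += 1          # shadow / zombie / rogue endpoint candidate
        resp = rec.get("response")
        if isinstance(resp, dict):
            hit = sorted(k for k in resp if SENSITIVE_FIELDS.search(k))
            if hit:
                leaks.append((key, hit))  # response exposes PII / internal ids
    return unknown, leaks

if __name__ == "__main__":
    unknown, leaks = audit_log(SAMPLE_WAF_LOG)
    for (method, path), n in unknown.most_common():
        print(f"UNDOCUMENTED {method} {path}: {n} request(s)")
    for (method, path), fields in leaks:
        print(f"SENSITIVE FIELDS in {method} {path} response: {', '.join(fields)}")
```

In practice the inventory would be generated from the firm’s API specifications and the log text streamed from the WAF or gateway; the path normalization is the piece that usually needs tuning to the firm’s own URL conventions.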
Last year, FS-ISAC published our Cyber Fundamentals detailing 15 crucial principles for financial services firms. The last fundamental on the list is “hardening API controls.”
While API controls are last on the list, safeguarding them is a top priority. All financial services institutions, no matter how cyber-mature, face the possibility of an attack on their APIs – if only because their third-party suppliers do.
This tactical, three-phase approach – defining operational challenges, testing a PoC, and drafting a remediation plan – will help streamline what can be a big job. We also encourage leveraging a cybersecurity information-sharing network like ours for real-time intel on emerging API threats.
[i] ABA (2024). Why API governance is a necessary strategy. ABA Banking Journal. Available at: https://bankingjournal.aba.com/2024/07/why-api-governance-is-a-necessary-strategy/?utm_source=chatgpt.com
[ii] Mastercard (n.d.). What is open banking? Your essential guide. Available at: https://www.mastercard.com/news/perspectives/2024/open-banking-101/
[iii] Akamai (2025). 2025 Apps and API SOTI. Available at: https://www.akamai.com/lp/soti/app-api-ai-security-report-2025
[iv] OWASP (n.d.). OWASP API Security Top 10. Available at: https://owasp.org/API-Security/
[v] PCI Security Standards Council (n.d.). Document Library. Available at: https://www.pcisecuritystandards.org/document_library/?document=pci_dss
[vi] FFIEC (2025). Cybersecurity Awareness. Available at: https://www.ffiec.gov/resources/cybersecurity-awareness
October 2025
© 2025 FS-ISAC, Inc. All rights reserved.