The API Threat Landscape

Application Programming Interfaces (APIs) are protocols that enable software applications to exchange data with each other. APIs have become a critical piece of financial firms’ cyber infrastructure[i] because they enable firms to move data – some of it very sensitive, like customers’ personally identifiable information (PII) – between computer systems. The use of APIs is growing because many business operations and customer services, such as those essential to open banking,[ii] rely on them.

However, APIs’ vital role in financial services operations, the sector’s broad use of APIs, and the high-value data they transmit make them an attractive target to threat actors. DDoS attacks on APIs alone rose 58% last year, as described in From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector, which we co-wrote with founding Critical Provider, Akamai. Meanwhile, artificial intelligence provides even low-skill cybercriminals with sophisticated tools to launch precision attacks on APIs.

API Breach Data

Data from Akamai’s recent report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain,[iii] is included in the table below to illustrate the number of security alerts related to API attacks in 2025, grouped by the security framework or compliance standard each alert maps to.

The same report also outlines attack vector trends associated with API attacks, industry best practices for controls and mitigations, and the regulations associated with API security.

Framework   30-Day Activity (alerts)   Monthly Increase
OWASP       5,907,000                  32%
MITRE       2,817,000                  30%
ISO           832,000                  22%
GDPR          669,000                  21%
PCI DSS       881,000                  16%

This threat landscape requires a tactical approach to hardening API controls. We recommend approaching it this way:

  1. Define operational challenges
  2. Test the Proof of Concept
  3. Plan remediation and risk reduction

This approach was drafted by FS-ISAC cybersecurity experts and is informed by FS-ISAC’s threat intelligence. This report describes the process in detail for practitioners and cybersecurity professionals in financial services firms. We use it to harden FS-ISAC’s API controls and encourage other firms to adopt it as well. 

1. Define Operational Challenges

The first step is an audit to determine the operational challenges the firm faces. Catalog every API – public, private, and third-party – and assess your security posture by reviewing authentication, authorization, encryption, rate limiting, logging, and related controls. Pay particular attention to visibility gaps around the health of APIs and the data they process: threat actors are known to look for API responses containing PII, account details, or internal IDs.

Then, consider stakeholder alignment – particularly DevOps, security, engineering, and product teams – to define pain points across the API lifecycle.

Finally, understand the standards that apply (e.g., the OWASP API Security Top 10,[iv] PCI DSS,[v] and FFIEC guidance[vi]) and the threats that are most relevant to your institution and threat environment.

The audit will provide the focus areas for the next step: a Proof of Concept (PoC) test. 

The audit may consider:

  • SQL injection and other injection flaws
  • Exposed secrets
  • Unmanaged APIs
  • Inconsistent data filtering across endpoints and misconfigured endpoints
  • Poor version control
  • Broken authentication or authorization that could allow attackers to impersonate users or access unauthorized resources
  • Outdated or unpatched third-party library dependencies

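
As an added example that is not part of the FS-ISAC report, the following Python script shows the mechanical part of such an audit. It walks a constructed API inventory (the kind of data an OpenAPI spec or gateway export provides) and one captured sample response per endpoint, and flags unmanaged endpoints, weak or missing authentication, missing rate limiting, and responses that expose PII, account details or internal IDs. The inventory, the responses and the list of sensitive field names are constructed assumptions, not data from any firm.

```python
"""Added example (not from the FS-ISAC report): a minimal API posture audit
over a constructed inventory and constructed sample responses."""
import re

# Field names a threat actor hunts for in responses (assumed list; extend per firm).
SENSITIVE_FIELDS = {"ssn", "dob", "email", "phone", "account_number", "iban",
                    "internal_id", "db_id"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # value-based match, independent of field name

# Constructed inventory: endpoint -> declared controls. documented=False marks an
# endpoint seen in gateway config or traffic but absent from the API catalog.
INVENTORY = {
    "GET /v1/accounts/{id}":      {"auth": "oauth2", "rate_limit": True,  "documented": True},
    "GET /v1/users/{id}/profile": {"auth": None,     "rate_limit": True,  "documented": True},
    "GET /v0/legacy/export":      {"auth": "basic",  "rate_limit": False, "documented": False},
}

# Constructed sample responses, as an auditor would capture them from a test tenant.
SAMPLE_RESPONSES = {
    "GET /v1/accounts/{id}": {"id": "a-1", "balance": 120.5, "currency": "USD"},
    "GET /v1/users/{id}/profile": {"name": "A. Customer", "email": "a@example.com",
                                   "ssn": "123-45-6789", "db_id": 48211},
    "GET /v0/legacy/export": {"rows": [{"account_number": "0011223344", "dob": "1980-01-01"}]},
}


def walk(obj, path=""):
    """Yield (dotted_path, leaf_key, value) for every leaf in a nested JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1].split("[")[0], obj


def sensitive_leaves(response):
    """Return the dotted paths of fields that look like PII or internal identifiers."""
    hits = []
    for path, key, value in walk(response):
        if key.lower() in SENSITIVE_FIELDS or (isinstance(value, str) and SSN_RE.match(value)):
            hits.append(path)
    return hits


def audit(inventory, responses):
    """Return {endpoint: [finding, ...]} for every endpoint with at least one finding."""
    findings = {}
    for endpoint, ctl in inventory.items():
        issues = []
        if not ctl.get("documented", False):
            issues.append("unmanaged: not in API catalog")
        if ctl.get("auth") in (None, "basic"):
            issues.append(f"weak or missing authentication: {ctl.get('auth')}")
        if not ctl.get("rate_limit"):
            issues.append("no rate limiting")
        leaks = sensitive_leaves(responses.get(endpoint, {}))
        if leaks:
            issues.append("sensitive fields in response: " + ", ".join(leaks))
        if issues:
            findings[endpoint] = issues
    return findings


if __name__ == "__main__":
    for ep, issues in audit(INVENTORY, SAMPLE_RESPONSES).items():
        print(ep)
        for issue in issues:
            print("  -", issue)
```

Run as a script it reports the profile endpoint (no authentication, PII in the response) and the undocumented legacy export (unmanaged, Basic auth, no rate limit, account numbers in the body); the fully controlled accounts endpoint produces no finding. The field-name list is only a starting point: a real audit would also match values (the SSN pattern here) and use the sensitivity tags carried in the inventory.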
2. Proof of Concept Testing

Proof of Concept (PoC) tests measure a cybersecurity solution against a threat, actual or theoretical, in a realistic environment, and gauge the solution’s compatibility with the firm’s systems and threat landscape. The objective of a PoC around hardening API controls is to validate the tools, methods, or configurations you may use before implementing them in production.

The following validations are typical for this kind of PoC.

Validation area                      What the PoC exercises
Pre-runtime controls                 Schema validation, API spec enforcement, sensitivity tagging
Authentication and authorization     Zero-trust enforcement, auth mechanisms, field-level access
Access control vulnerabilities       Detection of IDOR/BOLA via spec analysis
Fuzzing and mutation testing         RESTler, mutation operators, or reinforcement-learning-based fuzzing
Dynamic testing                      Live testing for injection, logic flaws, error-handling gaps
Penetration testing lifecycle        Structured planning, discovery, exploitation, reporting
CI/CD integration ("shift left")     Automated security checks, telemetry, early feedback loops
Runtime monitoring and response      Logging, anomaly detection, alerting, incident response plans

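
As an added example (not from the report and not any vendor’s tooling), the following Python sketch puts three of the validations in the table side by side on a constructed in-memory service: a request-schema check (pre-runtime control), an ownership check with field-level filtering by scope (authorization), and a small mutation fuzzer that tries neighbouring and malformed object IDs to detect IDOR/BOLA. The vulnerable handler is shown beside the hardened one so that the fuzzer has something to find. Handler names, the account data, the ID format and the scopes are assumptions.

```python
"""Added example (not from the FS-ISAC report): BOLA detection by ID mutation,
request-schema validation and scope-based field filtering on a constructed
in-memory service."""
import re
from dataclasses import dataclass

# Constructed data store: account id -> (owner subject, record)
ACCOUNTS = {
    "acc-1001": ("user-alice", {"id": "acc-1001", "balance": 250.00, "ssn": "111-22-3333"}),
    "acc-1002": ("user-bob",   {"id": "acc-1002", "balance": 900.00, "ssn": "444-55-6666"}),
}

# Pre-runtime control: the API spec (assumed) says an account id looks like this.
# Anything else is rejected before business logic runs.
ACCOUNT_ID_RE = re.compile(r"^acc-\d{4}$")

# Field-level access: which response fields each caller scope may see (assumed scopes).
SCOPE_FIELDS = {"accounts:read": {"id", "balance"}, "accounts:pii": {"id", "balance", "ssn"}}


@dataclass
class Request:
    subject: str      # authenticated caller, as established by the auth layer
    scopes: set
    account_id: str


def get_account_vulnerable(req: Request):
    """BOLA: the caller is authenticated, but ownership of the object is never checked."""
    _owner, record = ACCOUNTS[req.account_id]      # KeyError -> would surface as a 500
    return 200, record


def get_account_hardened(req: Request):
    """Schema-validate the id, enforce ownership, then filter fields by scope."""
    if not ACCOUNT_ID_RE.match(req.account_id):
        return 400, {"error": "invalid account id"}
    entry = ACCOUNTS.get(req.account_id)
    # Same response for 'not found' and 'not yours', so ids cannot be enumerated.
    if entry is None or entry[0] != req.subject:
        return 404, {"error": "not found"}
    allowed = set().union(*(SCOPE_FIELDS.get(s, set()) for s in req.scopes))
    return 200, {k: v for k, v in entry[1].items() if k in allowed}


def mutate_ids(seed_id):
    """Mutation operators a fuzzer applies to a known-good object id."""
    num = int(seed_id.split("-")[1])
    return [f"acc-{num + 1:04d}", f"acc-{num - 1:04d}", seed_id + "'", "../acc-1002", "acc-9999"]


def fuzz(handler, req):
    """Return the ids for which the handler returned another subject's record (BOLA hits)."""
    hits = []
    for cand in mutate_ids(req.account_id):
        try:
            status, _body = handler(Request(req.subject, req.scopes, cand))
        except KeyError:
            continue   # the vulnerable handler errors on unknown ids; that is not a BOLA hit
        if status == 200 and cand in ACCOUNTS and ACCOUNTS[cand][0] != req.subject:
            hits.append(cand)
    return hits


ALICE = Request("user-alice", {"accounts:read"}, "acc-1001")

if __name__ == "__main__":
    print("vulnerable handler leaks:", fuzz(get_account_vulnerable, ALICE))   # ['acc-1002']
    print("hardened handler leaks:  ", fuzz(get_account_hardened, ALICE))     # []
```

The fuzzer only needs one legitimate ID and a few mutation operators to surface the vulnerable handler; the same idea scales to walking every path parameter in a spec. Note the two design choices in the hardened handler that a PoC should check for explicitly: validation happens before any lookup, and the response for a foreign object is indistinguishable from the response for a missing one.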
3. Plan Remediation and Risk Reduction

The PoC results determine which controls to deploy next, and that in turn sets the cybersecurity team’s priorities for securing APIs and reducing long-term exposure.

Broadly, these plans should include:

  • A risk register – ranked critical, high, medium, and low – based on the PoC findings and the firm’s operational challenges.
  • A remediation plan with short-term fixes (like rate limiting), long-term improvements (e.g., full API gateway implementation, least privilege redesign), and ongoing monitoring.
  • A set of standards for API development, testing, and deployment.

Case Study: Bank A

Operational Challenges

Bank A’s Operational Challenges audit detected unmanaged APIs that were deployed but never documented. That is not unusual: zombie, ghost, and rogue externally facing APIs are a by-product of rapid innovation and third‑party integrations. Threat actors look for those blind spots because they are often unpatched.

Test the Proof of Concept

In its PoC, the bank’s InfoSec team decided to test automated API discovery tools and to analyze WAF traffic logs to detect unregistered or unknown APIs. The test gave the team valuable insight into the tools’ performance and a deeper understanding of how the WAF solution detects malicious requests and blocks attacks. It also allowed them to measure false-positive rates.
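
As an added example that is not Bank A’s tooling, the following Python script shows the log side of that PoC: it parses constructed WAF/access log lines, collapses identifier-looking path segments into templates so that /v1/accounts/9f3a2c and /v1/accounts/7b1e44 count as one endpoint, and reports every endpoint that answered 2xx but is absent from the API catalog. The log format, the catalog and the normalisation heuristic are assumptions; the log lines are constructed.

```python
"""Added example (not Bank A's tooling): shadow-API discovery by comparing the
endpoints observed in WAF/access logs against the managed API catalog."""
import re
from collections import Counter

# Constructed catalog of managed endpoints: method + path template, as in an OpenAPI spec.
CATALOG = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/transfers"),
    ("GET", "/v1/users/{id}/profile"),
}

# Constructed WAF/access log lines in combined-log style.
LOG_LINES = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /v1/accounts/9f3a2c HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2025:10:00:02 +0000] "GET /v1/accounts/7b1e44 HTTP/1.1" 200 498
10.0.0.8 - - [01/Oct/2025:10:00:05 +0000] "POST /v1/transfers HTTP/1.1" 201 77
10.0.0.9 - - [01/Oct/2025:10:00:07 +0000] "GET /v0/legacy/export?all=1 HTTP/1.1" 200 9021
10.0.0.9 - - [01/Oct/2025:10:00:08 +0000] "GET /v0/legacy/export?all=1 HTTP/1.1" 200 9017
10.0.0.3 - - [01/Oct/2025:10:00:10 +0000] "GET /internal/debug/users/42 HTTP/1.1" 200 1200
10.0.0.3 - - [01/Oct/2025:10:00:11 +0000] "GET /v1/users/42/profile HTTP/1.1" 200 640
10.0.0.4 - - [01/Oct/2025:10:00:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?[^ "]*)? HTTP/[\d.]+" (?P<status>\d{3})')

# Path segments that look like identifiers (decimal, hex of 6+ chars, UUID) become {id}.
# This is a heuristic; a real tool would take the route templates from the gateway.
ID_SEG_RE = re.compile(r"^(\d+|[0-9a-f]{6,}|[0-9a-f-]{36})$")


def normalize(path):
    """Collapse identifier-looking segments so distinct resources map to one template."""
    return "/" + "/".join("{id}" if ID_SEG_RE.match(seg) else seg
                          for seg in path.strip("/").split("/"))


def observed_endpoints(lines):
    """Count (method, template) pairs that answered 2xx; non-2xx hits are not live endpoints."""
    seen = Counter()
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m or not m.group("status").startswith("2"):
            continue
        seen[(m.group("method"), normalize(m.group("path")))] += 1
    return seen


def unknown_endpoints(lines, catalog):
    """Return {(method, template): hits} for live endpoints missing from the catalog."""
    return {ep: n for ep, n in observed_endpoints(lines).items() if ep not in catalog}


if __name__ == "__main__":
    for (method, template), hits in sorted(unknown_endpoints(LOG_LINES, CATALOG).items()):
        print(f"{method:5} {template:32} {hits} hits, not in catalog")
```

On the constructed log this surfaces /v0/legacy/export and /internal/debug/users/{id}, both answering 200 and both outside the catalog; that output is the candidate list for the zombie/ghost/rogue triage in the audit. Filtering on 2xx status matters: 404s for scanner noise such as /favicon.ico are not endpoints, and counting them would inflate the false-positive rate the PoC is trying to measure.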

Plan remediation and risk reduction

The results were positive, so the team drafted a remediation and risk-reduction plan, including:

  • Rate limits to protect API backends
  • Security tokens to authenticate and control system access
  • Quotas to limit the speed and amount of data that can be transferred
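
As an added example that is not Bank A’s implementation, the following Python code shows the three controls from the remediation plan as one gateway-side policy: a signed bearer token check (authentication), a token-bucket rate limit per client (rate limiting), and a per-client transfer quota in bytes (quota). The shared key, the limits, the client names and the compact HMAC token format are assumptions; a production gateway would keep bucket and quota state in a shared store rather than process memory and would normally use a standard token format such as JWT.

```python
"""Added example (not Bank A's implementation): signed-token authentication,
token-bucket rate limiting and a byte quota applied in order at an API gateway."""
import base64
import hashlib
import hmac
import json

SECRET = b"assumed-shared-secret"   # assumption: the token issuer and the gateway share this key


def issue_token(subject, expires_at):
    """Mint a compact HMAC-SHA256 token: base64url(payload).base64url(mac)."""
    payload = json.dumps({"sub": subject, "exp": expires_at}, separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_token(token, now):
    """Return the subject, or None if the token is malformed, tampered with, or expired."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims.get("sub") if claims.get("exp", 0) > now else None


class TokenBucket:
    """Allows 'rate' requests per second on average, with bursts up to 'capacity'."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity, self.tokens, self.last = rate, capacity, capacity, now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, rate=5, burst=5, quota_bytes=10_000):
        self.rate, self.burst, self.quota_bytes = rate, burst, quota_bytes
        self.buckets = {}   # subject -> TokenBucket
        self.used = {}      # subject -> bytes served in the current quota period

    def handle(self, token, response_bytes, now):
        """Apply the three controls in order; return (status, reason)."""
        sub = verify_token(token, now)
        if sub is None:
            return 401, "invalid token"
        if sub not in self.buckets:
            self.buckets[sub] = TokenBucket(self.rate, self.burst, now)
        if not self.buckets[sub].allow(now):
            return 429, "rate limit"
        if self.used.get(sub, 0) + response_bytes > self.quota_bytes:
            return 429, "quota exceeded"
        self.used[sub] = self.used.get(sub, 0) + response_bytes
        return 200, "ok"


if __name__ == "__main__":
    gw = Gateway(rate=1, burst=3, quota_bytes=1000)
    tok = issue_token("client-a", expires_at=2000)
    for t in (100, 100, 100, 100, 101):
        print(t, gw.handle(tok, 100, t))      # three allowed, one 429, then refill allows one
```

The order of the checks is deliberate: the token is verified first so that unauthenticated traffic never consumes a client’s bucket, and the quota is charged only for responses that are actually served. Because the bucket refills continuously, a client that backs off regains capacity without any reset job.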

Conclusion

Last year, FS-ISAC published our Cyber Fundamentals detailing 15 crucial principles for financial services firms. The last fundamental on the list is “hardening API controls.”

While API controls are last on the list, safeguarding them is a top priority. All financial services institutions, no matter how cyber-mature, face the possibility of an attack on their APIs – if only because their third-party suppliers do.

This tactical, three-phase approach – defining operational challenges, testing a PoC, and drafting a remediation plan – will help streamline what can be a big job. We also encourage leveraging a cybersecurity information-sharing network like ours for real-time intel on emerging API threats.

Sources

[i] ABA Banking Journal (2024). Why API governance is a necessary strategy. Available at: https://bankingjournal.aba.com/2024/07/why-api-governance-is-a-necessary-strategy/?utm_source=chatgpt.com

[ii] Mastercard (n.d.). What is open banking? Your essential guide. Available at: https://www.mastercard.com/news/perspectives/2024/open-banking-101/

[iii] Akamai (2025). State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain (2025 Apps and API SOTI). Available at: https://www.akamai.com/lp/soti/app-api-ai-security-report-2025

[iv] OWASP. OWASP API Security Top 10. Available at: https://owasp.org/API-Security/

[v] PCI Security Standards Council. PCI DSS document library. Available at: https://www.pcisecuritystandards.org/document_library/?document=pci_dss

[vi] FFIEC (2025). Cybersecurity Awareness. Available at: https://www.ffiec.gov/resources/cybersecurity-awareness

October 2025

© 2025 FS-ISAC, Inc. All rights reserved.
