Testing and Securing Your Finance APIs
Test and Monitor | Posted March 12, 2013

Within the finance industry, the implications of APIs and the importance of testing are somewhat obvious, almost to the point that it seems redundant to write a blog post as demonstration. But sometimes the most obvious facets are the easiest to forget. Either way, it never hurts to reiterate.

Did you login to an online banking portal today? If so, an API was involved. Did you make a purchase using a debit or credit card? API. Did you trade any sort of financial asset? Maybe not, but if you would have, an API would have been on the frontline. Did you pay a bill?

Okay, you get the point.

Finance coincides with security. Security coincides with APIs. APIs coincide with, well, just about everything related to finance. These are just some of the more personal implications, now lets dive a bit deeper into the industry. When a financial analyst is receiving exchange rate quotes on currencies or using software to calculate stock trends, multiple applications are interacting with one another. When a day trader is using a trading platform to formulate decisions in real time on whether or not to buy or sell, at least one program is interacting with another. And when that trader does choose to buy or sell, his trading application will most likely then communicate with yet another application, whether that be E*trade, Fidelity or any other brokerage service.

When testing APIs relates to finance, safety is paramount. Some crucial considerations, as mentioned by OWASP, are as follows:

  • APIs should be utilizing session-based authentication and API keys should not be visible in URLS. A visible API key will expose your service to attacks.
  • All communication involving the Web service should be encrypted using properly configured TLS. This is secondary to abiding by local and international bylaws regarding encryption of data that is distinctly financial. Encryption is an age-old technique for protecting data; it makes sense to use it when dealing with finance.
  • Because SOAP encoding styles serve the purpose of transferring data between software objects into XML format and back, the same encoding style should be used between the client and server. This just helps to avoid problems by maintaining some sort of standardization.
  • Be certain the Web service is authorizing clients the same way applications authorize users. For example, this can potentially prevent administrative attacks in which a hacker manages to obtain authorization from the application.
  • Use schema and content validation to make sure any and all input meets safety specifications regarding the length of parameters and validation of content types being input. Along the same lines, the total size of any SOAP message should be limited in order to prevent DOS attacks. This will help prevent unfriendly code from being injected into your system through any sort of input method.

This is by no means an exhaustive list of critical security points to watch for when implementing and testing finance related APIs, but it is a good list to start with. Another consideration regarding the capacity of APIs within finance is one that also correlates with the aforementioned security but is at the same time its own entity. That consideration is load testing.

APIs within finance need to be able to withstand substantial load on a daily basis with little to no fluctuation in performance. This lack of flexibility regarding performance can be attributed to the fact that “overloaded” applications are exponentially more likely to expose critical data to hackers. Furthermore, banking is an area that can experience spikes in load at various times, such as when people receive their salary, pay bills, login to accounts during the morning or do holiday shopping (think black Friday). It’s crucial that you test your APIs and make sure they have the ability to withstand all of the aforementioned spikes, and then some.

As mentioned in a December post about the golden age of APIs, APIs are indeed the overlooked vertebrae of most, if not all, industries, enterprises and organizations. The finance industry is likely one of the last entities that could pass as an exception. However, in light of recent international hacker attacks and subsequent security scares, APIs will continue to stand in the spotlight regarding the welfare of organizations.

As cool as it would be if bankers actually traded large assets by throwing a huge, dollar sign embroidered bag of money on the table, that is not usually the case. These large transactions depend on bullet proof APIs to function, because no one wants to loose six, seven or eight digit sums of money to a hole in their pocket.

So there we have it! Yet another industry dependent on secure, load bearing, fully functional application programming interfaces.

See also:

 

Close

By submitting this form, you agree to our
Terms of Use and Privacy Policy

Thanks for Subscribing

Keep an eye on your inbox for more great content.

Continue Reading

Add a little SmartBear to your life

Stay on top of your Software game with the latest developer tips, best practices and news, delivered straight to your inbox