Traceable
announced it is providing the necessary API security measures to enable FDIC-insured financial institutions to meet the latest
Federal Financial Institutions Examination Council (FFIEC) cybersecurity
compliance mandates.
On
October 3, 2022, the FFIEC
announced a significant update to meet
cybersecurity mandates for financial institutions. This update explicitly calls
out APIs as a separate attack surface in regulatory guidelines that represents
a significant shift in compliance trajectories, and highlights the increased
threats that APIs pose. The FFIEC specifically created these new guidelines
prompting financial institutions to inventory APIs as part of their overall
inventory of information systems and risk assessments. For example, banks
utilize APIs with their digital banking services and information system access
points, making the sharing of data easier, and the customer banking experience
better. However, as a top attack vector, APIs, when not carefully
identified and secured, can be compromised in seconds - putting businesses and
their customers' sensitive data at significant risk.
APIs
are now the primary attack vector for data breaches, and Traceable is working closely with the top financial
institutions to enable them to take the first step in securing
their APIs - as required by FFIEC. Traceable discovers and identifies all APIs
- internal, external, third-party and partner APIs, with its data-rich catalog,
for comprehensive and real-time visibility into clients' entire API ecosystem
and API sprawl.
"This year will be a reckoning for financial
institutions. With an average of three banking-related APIs connected to
customers, now is the time to understand your APIs and act immediately to
protect your data and your customers," said Richard Bird, Chief Security
Officer at Traceable. "We have been working with large financial institutions
to assess their APIs, enabling them to fully understand their threat
posture. Most are shocked by the results. This initial shock is certainly
the trigger for them to get a comprehensive picture of the APIs they have - current
and legacy as well as internal and external. Knowing this enables them to
act immediately."
With
Traceable's approach, financial
institutions can immediately:
- Take Continuous API Inventory: Instantly identify and catalog all APIs in
your environment including internal, external, third-party and partner APIs.
API types include GraphQL, SOAP, HTTP, RESTful, XML-RPC, JSON-RPC, and gRPC,
and more.
- Understand API Risk Posture: Traceable provides a security risk score to
every API, which allows organizations to determine which APIs are most
vulnerable to abuse by collecting data on runtime details such as sensitive
data flows, API call maps, API usage behavior, user details, event details, threat
activity levels, and more.
- Identify Sensitive Data Exposure: Since APIs potentially
expose highly sensitive information, and transmit that data from internal APIs
to third-party applications, it is imperative to know the sensitive data flow
end-to-end, to understand the level of exposure.
- Benefit from Automatic Conformance Scanning and Analysis: An important part of API
discovery and inventory of APIs, is knowing if development specs match the APIs
that are implemented in production environments.
This
can all be accomplished with Traceable's flexible data
collection and deployment options,
including the option of deploying 100 percent on-premise in an air-gapped
model, or SaaS, or hosted in your own AWS, GCP, and Azure cloud.