FIRESIDE CHAT: U.S. banking regulators call out APIs as embodying an attack surface full of risk

By Byron V. Acohido

APIs have been a linchpin as far as accelerating digital transformation — but they’ve also exponentially expanded the attack surface of modern business networks.

Related: Why ‘attack surface management’ has become crucial

The resultant benefits-vs-risks gap has not surprisingly attracted the full attention of cyber criminals who now routinely leverage API weaknesses in all phases of sophisticated, multi-stage network attacks.

The collateral damage has escalated to the point where federal regulators have been compelled to step in.

Last October the FFIEC explicitly called out APIs as an attack surface that must, henceforth, comply with a new set of API management practices.

Guest expert: Richard Bird, Chief Security Officer, Traceable

I had the chance to visit with Richard Bird, Chief Security Officer at, which supplies security systems designed  to protect APIs from the next generation of attacks.

We discussed, in some detail, just how far the new rules go in requiring best practices for accessing and authenticating APIs. Bird also enlightened me about how and why this is just a first step in comprehensively mitigating API exposures. For a full drill down, please give the accompanying podcast a listen.

There’s little doubt that the new FFIEC rules will materially raise the bar for API security. In the short run companies subject to federal financial institution jurisdiction will have to hustle to get their API act together; and in the long run other companies in other verticals should follow suit.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone