API security risk and resilience in financial institutions
Basak, Arbita; Tiwari, Divya (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202504247550
Abstract
Through the analysis of Application Programming Interface (API) vulnerabilities and the identification of critical risk variables that impact API security, this study aims to increase cybersecurity resilience in financial institutions. The risk environment grows more complex as financial services depend increasingly on APIs for tasks like open banking, payment processing and real-time data interchange. This study tackles these issues by identifying, evaluating and mitigating vulnerabilities using a data-driven methodology. To assist security teams, organizations and regulators in bolstering their security and incident response plans, a methodological approach is suggested.
The study uses R programming for data preprocessing, statistical analysis and visualization of vulnerabilities associated with APIs, utilizing publicly available data from the National Vulnerability Database (NVD). To investigate trends in severity, attack vectors, necessary privileges, and CWE (Common Weakness Enumeration) classifications, analytical tools such as trend analysis, Kruskal-Wallis tests, and Dunn's post-hoc comparisons are employed. According to the findings, there has been a discernible increase in high- and critical-severity vulnerabilities over time. Common threats include improperly set access controls, broken authentication, excessive data exposure, and injection attacks. The most common attack vector turned out to be network-based attacks, highlighting the necessity of strong authentication procedures and secure gateway configurations. The report suggests a cybersecurity resilience framework specifically designed for financial institutions based on these insights. It consists of elements like automated threat intelligence integration, risk-based access control, real-time monitoring, and best practices across the API Software Development Lifecycle (SDLC). Additionally, the framework encourages continuous anomaly detection, frequent penetration testing, and secure coding. Financial institutions can better protect sensitive financial data, comply with regulations like PSD2 and GDPR, and lessen their exposure to API-related threats by using this strategy. The report also identifies areas for further research, such as practitioner-driven evaluations and AI-driven anomaly detection.
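The analysis pipeline the abstract describes (CVSS severity banding, yearly trend of high/critical findings, attack-vector and CWE tabulation, Kruskal-Wallis with Dunn's post-hoc), as an added R example that is not the thesis's own code. The CVE records are constructed in the shape of NVD fields (not real CVEs), the CVSS v3.x qualitative bands are the official ones, and the `dunn.test` package is assumed for the post-hoc step.

```r
# Constructed sample shaped like NVD CVE records (not real CVE data): CVSS v3
# base score, attack vector, privileges required, CWE id and publication year.
cves <- data.frame(
  id     = sprintf("CONSTRUCTED-%02d", 1:12),
  year   = c(2019, 2019, 2020, 2020, 2021, 2021, 2022, 2022, 2023, 2023, 2024, 2024),
  score  = c(5.3, 9.8, 7.5, 4.3, 8.8, 9.1, 6.5, 7.2, 9.8, 5.4, 8.1, 7.5),
  vector = c("NETWORK", "NETWORK", "LOCAL", "ADJACENT", "NETWORK", "NETWORK",
             "LOCAL", "ADJACENT", "NETWORK", "LOCAL", "NETWORK", "ADJACENT"),
  privs  = c("NONE", "NONE", "LOW", "LOW", "NONE", "NONE",
             "HIGH", "LOW", "NONE", "LOW", "NONE", "LOW"),
  # CWE-287 broken authentication, CWE-89 injection,
  # CWE-284 improper access control, CWE-200 excessive data exposure
  cwe    = c("CWE-287", "CWE-89", "CWE-284", "CWE-200", "CWE-287", "CWE-89",
             "CWE-284", "CWE-200", "CWE-89", "CWE-284", "CWE-287", "CWE-200"),
  stringsAsFactors = FALSE
)

# CVSS v3.x qualitative severity bands: 0 None, 0.1-3.9 Low, 4.0-6.9 Medium,
# 7.0-8.9 High, 9.0-10.0 Critical (cut() uses right-closed intervals).
severity_band <- function(score) {
  cut(score, breaks = c(-Inf, 0, 3.9, 6.9, 8.9, 10),
      labels = c("NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"))
}
cves$severity <- severity_band(cves$score)

# Trend analysis: HIGH/CRITICAL CVEs per publication year (zero-filled).
high_crit <- subset(cves, severity %in% c("HIGH", "CRITICAL"))
trend <- table(factor(high_crit$year, levels = sort(unique(cves$year))))
print(trend)
barplot(trend, main = "HIGH/CRITICAL API CVEs per year", ylab = "count")

# Distribution of attack vectors, required privileges and weakness classes.
print(table(cves$vector))
print(table(cves$privs))
print(sort(table(cves$cwe), decreasing = TRUE))

# Kruskal-Wallis: do base scores differ between attack-vector groups?
kw <- kruskal.test(score ~ vector, data = cves)
print(kw)

# Dunn's post-hoc pairwise comparisons with Bonferroni correction; the
# dunn.test package is assumed to be installed, otherwise the step is skipped.
if (requireNamespace("dunn.test", quietly = TRUE)) {
  dunn.test::dunn.test(cves$score, cves$vector, method = "bonferroni")
}
```

With a real NVD export the constructed data frame is replaced by the parsed CVE records; the banding, trend and test steps stay the same.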