Standards and regulations

42Crunch API Security Platform helps to align your APIs with many of the key security standards, regulations, and recommendations that abound in the modern service industries. This page provides more details on some of them.

OpenAPI Specification

The OpenAPI Specification (OAS) is a standard open source interface description for REST APIs. It is programming language-agnostic and both human and machine readable. Any API consumer can understand what a web application or service can do and interact with it without accessing the source code, additional documentation, or inspecting network traffic.

The OAS is a community-driven specification maintained and developed by the OpenAPI Initiative (OAI). This is a collaborative open source project under Linux Foundation, and 42Crunch is actively participating in the project. The founding companies include such big names as Google, IBM, and Microsoft, and SmartBear Software donated their Swagger Specification to the OAI as the basis for OAS. The variety in participants has helped to keep the description format vendor neutral.

Formerly known as Swagger specification, the OAS has emerged as a widely adopted way of documenting REST APIs. It offers a standard format with large tooling support. Instead of trying to deduce the intent of an API from its behavior or source code, the standard OpenAPI contract makes it easier to communicate this clearly.

One of the key functions that the standard contract can enable is API security, because it provides a way for developers, operations, and security people across teams to speak in common language. When all teams building both the API and the infrastructure the API is going to sit in can clearly communicate the intent, requirements, and outcome, it is also easier and more reliable to uncover, understand, and mitigate security risks. This idea is in the core of 42Crunch Platform.

The OAS allows to clearly specify a contract, the terms and conditions of using the API and the functions it offers. This contract takes the form of an OpenAPI definition, which describes among other things:

  • The functions (operations) that the API offers
  • The data that the API requires or accepts as input for each function
  • The data that the API returns as a response to calling a particular function
  • The security measures protecting the API
  • The linking and connections that the API has to other APIs

The OAS enables developing and utilizing various tools throughout your API's life cycle, such as:

  • Automatically generated API documentation
  • Testing tools
  • Code generation tools for generating servers and clients
  • API firewalls and firewall rules to protect API infrastructure

The OAS does not require completely rewriting your existing APIs, or binding any software to your service. You simply describe the capabilities of the service as the OAS specifies.

OAS versions

There are currently three versions of the OpenAPI Specification that have significant differences between them:

  • version 2
  • version 3.0.x
  • version 3.1.x

OWASP

The Open Web Application Security Project (OWASP) is a non-profit online community that has long been recognized as an international and industry-standard authority in application security. The community produces articles, methodologies, documentation, tools, and technologies to improve application security. Employing a collaborative and open-source approach, OWASP is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. It also provides forums open to anyone interested in application security and how to improve it.

For application security, OWASP has long produced its OWASP Top 10 project, an awareness document created in collaboration with a variety of security experts from around the world. The document aims to raise awareness about application security and describes the widely agreed most critical security risks to web applications and through them to organizations. OWASP Top 10 is widely referenced by standards, books, tools, and other organizations.

In addition to the OWASP Top 10 project, OWASP organization also produces OWASP API Security Top 10. Now in its second installment (2019 and 2023), OWASP API Security Top 10 ranks the widely agreed most critical security risks that are specific to REST APIs. As already stated, this is crucial because the nature of APIs and their security considerations are so very different from the traditional applications.

Financial-grade API

The OpenID Foundation Financial API working group is developing Financial-grade API (FAPI), an OAuth-protected REST/JSON model for financial APIs. The working group aims to provide JSON data schemas, protocols, security, and privacy recommendations for concerns such as:

  • How applications can use the data from a financial account of a user
  • How applications interact with the financial account
  • How users can control their security and privacy settings

Financial APIs are at the heart of the financial technology (fintech) field that applies technology to improve financial activities. Companies are vying to develop innovative applications for different platforms that people can use to access the financial services wherever, whenever. These services can include, for example:

  • Online banking
  • Online payments in webshops
  • Currency conversions
  • Credit rating calculations
  • Investment services
  • Stock market monitoring

Some financial information that the services tap into is public, like currency rates. Other operations deal with highly sensitive and private data. This makes watertight security the paramount consideration.

Although FAPI has financial services in its focus, fintech is not the only field that can benefit from FAPI. Their security profiles are not specific to financial APIs, but could be applied to any APIs with similar requirements in relation to potential risks and the sensitivity of the manipulated data.

Payment Services Directive

The revised Payment Services Directive (PSD2) is a requirement for all payment account providers in the European Union. The directive requires banks to open their infrastructures to other service providers through open APIs while making sure that sensitive information stays secure.

Unlike Open Banking (see below), PSD2 does not entail an API standard, but it does provide the legal framework with which other standards must comply.

Open Banking

As a result of PSD2, Open Banking is a UK initiative to use open APIs and open source technology in the financial industry, and share data in a secure and standardized form. Banks must establish APIs to share the financial data they control. This in turn helps developing new applications and services for financial services, and provides more transparency to customers on the financial options available to them.

The Open Banking Standards define how financial data is created, shared, or accessed. Financial customers can securely share their data with the services they want to without having to share their banking login credentials. The data is encrypted and its usage is tracked, and customers can limit in what way and for how long that data can be used. Only regulated companies can participate in Open Banking, and all involved entities must comply with data protection laws.

Open Banking Standard is developed and maintained by Open Banking Implementation Entity (OBIE).