Standards and regulations
42Crunch API Security Platform helps to align your APIs with many of the key security standards, regulations, and recommendations that abound in the modern service industries. This page provides more details on some of them.
OpenAPI Specification
The OpenAPI Specification (OAS) is a standard open source interface description for REST APIs. It is programming language-agnostic and both human and machine readable. Any API consumer can understand what a web application or service can do and interact with it without accessing the source code, additional documentation, or inspecting network traffic.
Formerly known as Swagger specification, the OAS has emerged as a widely adopted way of documenting REST APIs. It offers a standard format with large tooling support. Instead of trying to deduce the intent of an API from its behavior or source code, the standard OpenAPI contract makes it easier to communicate this clearly.
One of the key functions that the standard contract can enable is API security, because it provides a way for developers, operations, and security people across teams to speak in common language. When all teams building both the API and the infrastructure the API is going to sit in can clearly communicate the intent, requirements, and outcome, it is also easier and more reliable to uncover, understand, and mitigate security risks. This idea is in the core of 42Crunch Platform.
The OAS enables developing and utilizing various tools throughout your API's life cycle, such as:
- Automatically generated API documentation
- Testing tools
- Code generation tools for generating servers and clients
- API firewalls and firewall rules to protect API infrastructure
The OAS does not require completely rewriting your existing APIs, or binding any software to your service. You simply describe the capabilities of the service as the OAS specifies.
The OAS is a community-driven specification maintained and developed by the OpenAPI Initiative (OAI). This is a collaborative open source project under Linux Foundation, and 42Crunch is actively participating in the project. The founding companies include such big names as Google, IBM, and Microsoft, and SmartBear Software donated their Swagger Specification to the OAI as the basis for OAS. The variety in participants has helped to keep the description format vendor neutral.
Financial-grade API
The OpenID Foundation Financial API working group is developing Financial-grade API (FAPI), an OAuth-protected REST/JSON model for financial APIs. The working group aims to provide JSON data schemas, protocols, security, and privacy recommendations for concerns such as:
- How applications can use the data from a financial account of a user
- How applications interact with the financial account
- How users can control their security and privacy settings
Financial APIs are at the heart of the financial technology (fintech) field that applies technology to improve financial activities. Companies are vying to develop innovative applications for different platforms that people can use to access the financial services wherever, whenever. These services can include, for example:
- Online banking
- Online payments in webshops
- Currency conversions
- Credit rating calculations
- Investment services
- Stock market monitoring
Some financial information that the services tap into is public, like currency rates. Other operations deal with highly sensitive and private data. This makes watertight security the paramount consideration.
Although FAPI has financial services in its focus, fintech is not the only field that can benefit from FAPI. Their security profiles are not specific to financial APIs, but could be applied to any APIs with similar requirements in relation to potential risks and the sensitivity of the manipulated data.
Payment Services Directive
The revised Payment Services Directive (PSD2) is a requirement for all payment account providers in the European Union. The directive requires banks to open their infrastructures to other service providers through open APIs while making sure that sensitive information stays secure.
Unlike Open Banking (see below), PSD2 does not entail an API standard, but it does provide the legal framework with which other standards must comply.
Open Banking
The Open Banking Standards define how financial data is created, shared, or accessed. Financial customers can securely share their data with the services they want to without having to share their banking login credentials. The data is encrypted and its usage is tracked, and customers can limit in what way and for how long that data can be used. Only regulated companies can participate in Open Banking, and all involved entities must comply with data protection laws.
Open Banking Standard is developed and maintained by Open Banking Implementation Entity (OBIE).
OWASP Top 10 project
OWASP Top 10 project is an awareness document created in collaboration with a variety of security experts from around the world. The document aims to raise awareness about application security and describes the widely agreed most critical security risks to web applications and through them to organizations. OWASP Top 10 is widely referenced by standards, books, tools, and other organizations.
The Open Web Application Security Project (OWASP) is a non-profit online community behind the OWASP Top 10. The community produces articles, methodologies, documentation, tools, and technologies to improve application security. Employing a collaborative and open-source approach, OWASP is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. It also provides forums open to anyone interested in application security and how to improve it.
What is...