API Security: Best Practices for FIs and Fintech and Insurtech Companies

Leading up to 2020, several large companies and organizations disclosed or acknowledged cyber breaches or exploitable vulnerabilities directly attributed to APIs. These included Google, Strava, Panera Bread, Facebook, the Government of India, Venmo, Salesforce, Marriott, the U.S. Postal Service, and T-Mobile. During the first half of 2020, the list expanded to include Starbucks, the Government of Qatar’s COVID-19 application, Millennium Technology Solutions, Voatz (U.S. election application), and VMware, along with additional security issues from Google and Facebook.

Attackers continue to probe and identify weaknesses in APIs using free and low-cost tools. API hacking does not require the advanced capabilities of a nation-state; even relatively inexperienced attackers can use these basic tools to discover and exploit API traffic to perform credential stuffing attacks, exfiltrate databases, change account values, or conduct denial of service attacks on critical applications. 
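Credential stuffing against a login API leaves a recognisable trace in gateway logs: one source address cycling through many different usernames in a short burst, most of them failing. The following added example, which is not from the Aite Group report, shows one way a defender can spot that pattern. The log format, the `/v1/auth/login` path, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API gateway log (not taken from the report). Each line:
# timestamp, client IP, HTTP method, path, status code, attempted username.
# 203.0.113.7 sprays many different usernames and mostly fails (stuffing).
# 198.51.100.2 is one user mistyping a password and then succeeding (benign).
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 203.0.113.7 POST /v1/auth/login 401 user=alice
2020-06-01T10:00:01Z 203.0.113.7 POST /v1/auth/login 401 user=bob
2020-06-01T10:00:02Z 203.0.113.7 POST /v1/auth/login 401 user=carol
2020-06-01T10:00:02Z 203.0.113.7 POST /v1/auth/login 200 user=dave
2020-06-01T10:00:03Z 203.0.113.7 POST /v1/auth/login 401 user=erin
2020-06-01T10:00:03Z 203.0.113.7 POST /v1/auth/login 401 user=frank
2020-06-01T10:00:10Z 198.51.100.2 POST /v1/auth/login 401 user=grace
2020-06-01T10:00:25Z 198.51.100.2 POST /v1/auth/login 401 user=grace
2020-06-01T10:00:40Z 198.51.100.2 POST /v1/auth/login 200 user=grace
2020-06-01T10:05:00Z 192.0.2.9 GET /v1/accounts/me 200 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_attempts=5, min_distinct_users=4,
                               min_failure_ratio=0.6,
                               login_path="/v1/auth/login"):
    """Return {ip: summary} for source IPs whose login traffic inside any
    sliding `window` shows many attempts across many distinct usernames with
    a high failure ratio. A single user fumbling one password never reaches
    the distinct-user threshold, so it is not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == login_path:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all attempts fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            attempts = len(chunk)
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if e["status"] == 401)
            ratio = failures / attempts
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and ratio >= min_failure_ratio):
                flagged[ip] = {
                    "attempts": attempts,
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    # Successful logins inside a stuffing burst are accounts
                    # whose credentials were valid: these need a forced
                    # credential reset and session revocation first.
                    "hit_users": sorted(e["user"] for e in chunk
                                        if e["status"] == 200),
                }
                break  # first qualifying window is enough to raise the alert
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run as a script it reports only `203.0.113.7`, with `dave` listed as the account whose credentials succeeded during the burst. The thresholds are deliberately parameters: the right values depend on the API's normal login volume, and tuning them against real traffic is what separates a useful alert from noise.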

In this report, Aite Group identifies seven core competencies essential to secure API development, deployment, and management, and provides recommendations for FIs, fintech companies, and insurtech companies to improve their API security practices.

