As financial services firms move further along in their digital acceleration and modernization journeys, various teams within those companies, from engineering to security, need to work together to stave off current — and future — security threats that come along with this evolved environment.
At a high level, he said, in order to protect web apps and application programming interfaces (APIs), financial institutions (FIs) should consider the following new rules as they bring security and development teams together in the bid to protect apps and APIs from fraudsters.
The tools they leverage must be broad enough and powerful enough to fight fraudsters’ intent — not just specific threats, Lackey said. That means being able to pinpoint behavioral anomalies that raise red flags and signal that attacks are just beginning or are well underway. Real-time attacks, after all, require real-time reactions and defenses.
FIs are grappling with the digital transformation that has changed all facets of business, he said. Whereas the initial focus of digital acceleration was typically on websites instead of apps and APIs, there has been a shift, and now apps and APIs have become the primary ways through which FIs interact with their customers.
As he told PYMNTS: “APIs have gone from this kind of side area of importance to the most critical part of their business.”
Behind the scenes for many FIs, the tech infrastructure has gone from just a few architectures and systems to several operating all at once, he said.
A few apps and APIs, residing in a few data centers (and relatively fewer tech stacks) must now embrace multiple public cloud providers, containers and servers.
As Lackey explained, the rate of change is increasing, and the rate of adoption of new tech platforms is increasing exponentially.
“This really puts tremendous strain on anyone responsible for security inside a financial services institution, whether that’s the security team, or the teams leading the charge into digital transformation, or the cloud or containers that are also responsible for security of these apps and APIs,” he said.
Fraud Is Changing
Fraud is changing too, he said. Historically, attacks on web apps and APIs were technical — commonly called “injection” attacks — that tried to compromise those applications. Now, they are focused on the business value of the applications, leveraging them for account takeovers, malicious bots and the like.
“The fraudsters are trying to not just attack, but actually abuse the logic of those applications,” he said. “They might try to guess really common passwords and do account takeover attacks. They might take a look at the APIs and say, ‘If I changed that identifier for a user, maybe I can view someone else’s account information and their PII or their banking information.’”
The attacks are additive, coming in waves fast and furious, he said.
Against that backdrop, Fastly’s FI customers have been looking for “one technology” that can help them ward off any type of attack and threat, he said. DevOps and other teams have moved away from siloed mentalities and operations within FIs and have been able to work together so that capabilities can be leveraged in a way that can be accessed by anyone.
The commonality of organizations going through the digital transformations successfully is that they “self-serve” security capabilities in the way they had done around performance and reliability aspects of the operations, he said.
As he told PYMNTS: If the development team can’t use one tool to cover all the different (and simultaneous) threats they’re seeing, and it can’t plug into their development systems and their dev ops toolchains, “the reality is they’re just not going to use it.”
“The goal of modern ‘security tooling’ is that it can provide value directly to the development teams and DevOps teams in addition to the security teams,” he said, as they fend off threats in real time. “And another piece of [flexible solutions] is that they need to be able to plug in directly to the development and DevOps toolchains as well.”