6. Automated Assistance to the Security Assessment of API for Financial Services

By Andrea Bisegna | Roberto Carbone | Mariano Ceccato | Salvatore Manfredi | Silvio Ranise | Giada Sciarretta | Alessandro Tomasi | Emanuele Viglianisi


Published: 17 Sep 2020

© 2020 Andrea Bisegna | Roberto Carbone | Mariano Ceccato | Salvatore Manfredi | Silvio Ranise | Giada Sciarretta | Alessandro Tomasi | Emanuele Viglianisi

Abstract

This chapter presents the challenges related to the security assessment of APIs for financial services and to the automated synthesis of mitigation measures for them. The focus is on the APIs supporting the implementation of the new Payment Services Directive [PSD2]. It also gives an overview of an innovative approach to address these challenges by (i) the automated identification and mitigation of security misconfigurations underlying sessions based on Transport Layer Security [TLS], which is ubiquitously used to build a foundation layer of security; and (ii) the automated penetration testing and synthesis of mitigations for the functionalities provided by the APIs built on top of it, both business functionalities (e.g., payments) and security functionalities (e.g., authentication or authorization). The main novelty of the proposed approach lies in the tight integration of the identification and mitigation phases by means of actionable measures that allow users to significantly strengthen the security posture of the entire API ecosystem.