Securing APIs in FinTech: A Case Study of Finastra

Technology Category
  • Application Infrastructure & Middleware - API Integration & Management
  • Cybersecurity & Privacy - Application Security
Applicable Industries
  • Equipment & Machinery
  • National Security & Defense
Applicable Functions
  • Product Research & Development
Use Cases
  • Leasing Finance Automation
  • Tamper Detection
Services
  • System Integration
About The Customer

Finastra's customers are banks, credit unions, and other large financial institutions. These customers have extremely high standards for security, which Finastra must meet. The company's open and collaborative developer platform, FusionFabric.cloud, allows these financial institutions to connect with third-party financial solutions. Finastra's API security solution not only needed to protect its own services but also add value to its customers and its ecosystem of third-party FinTechs. The company's approach to API security involves developers during build time and security teams during runtime, with a strong emphasis on automation.

The Challenge

Finastra, one of the world's top three FinTech companies, faced significant challenges in securing its APIs. APIs form the core of Finastra's service, connecting banks with FinTech services. However, API security has become increasingly complex over the years, with attacks on the rise and traditional application security tools failing to provide adequate protection. The company's API traffic grew by 51%, while malicious traffic increased by 211%. Attackers have realized that APIs are now used for more business-critical services and share an increasing amount of sensitive data, leading to a heightened focus on exploiting APIs for attacks. Finastra faced internal and regulatory pressures to secure its APIs. The company needed a solution that could prevent account takeovers, identify abnormal behavior, and differentiate between 'normal' abnormal (e.g., a changed API) and malicious traffic.

The Solution

Finastra embarked on a journey to find an API security solution that could meet its requirements and add value to its customers and third-party FinTech ecosystem. The company initially attempted to solve API security with in-house tools but ultimately decided to buy a solution. Finastra selected Salt to protect its APIs. Salt's architecture provides the necessary context to aid in the discovery of APIs, prevent attacks, and eliminate vulnerabilities. It also supports efforts on both the 'right side' at runtime and the 'left side' during build time. Finastra integrated Salt into its CI/CD pipeline and throughout the API lifecycle. The hybrid approach of the Salt platform allowed Finastra to meet data privacy requirements by keeping all sensitive data within the company's environment. Salt's support of webhooks enabled Finastra to integrate into different security workflows and leverage automation where needed.

Operational Impact
  • The implementation of Salt's API security solution has significantly improved Finastra's API security posture. The solution's integration into the company's CI/CD pipeline and throughout the API lifecycle has streamlined the security process. The hybrid approach of the Salt platform has allowed Finastra to meet data privacy requirements by keeping all sensitive data within the company's environment. Furthermore, Salt's support of webhooks has enabled Finastra to integrate into different security workflows and leverage automation where needed. This has not only enhanced the company's security but also added value to its customers and its ecosystem of third-party FinTechs.

Quantitative Benefit
  • API traffic for Finastra has grown 51%.

  • Malicious traffic has grown 211%.

  • Finastra was able to meet high security standards set by its customers, which include large financial institutions.
