The Bangko Sentral ng Pilipinas (BSP) is requiring stronger, more adequate IT and cybersecurity risk management practices in banks' and non-banks' use of application programming interfaces (APIs) and their interconnections.
The BSP on Wednesday, March 23, released a new memo (Memorandum No. M-2022-016) for API security controls including the adoption of good practices for API management and the controls and processes supporting the operation, connectivity, and endpoint security of APIs.
BSP Deputy Governor Chuchi G. Fonacier said in the memo that APIs, which are used not only by BSP-supervised financial institutions (BSFIs) but also by online merchants, payment gateways and technology service providers, are now the new normal with digitalization. APIs are sets of rules and specifications that let software programs communicate with each other and interface between different programs to facilitate interaction.
“While this (API) has traditionally been utilized by BSFIs internally for the ease of connecting systems and applications, APIs are now exposed to a wider range of interconnected external parties in the digital ecosystem. These developments introduce new risk vectors for BSFIs that must be addressed through adequate IT and cybersecurity risk management practices,” said Fonacier.
The BSP official likewise reminded BSFIs to “promptly” report any breaches, cyber incidents or crimes involving APIs to the BSP under its event-driven report and notification (EDRN) and report on crimes and losses (RCL) requirements in Circular No. 1104, which was issued in November 2020.
Fonacier said that to strengthen controls on API and interconnections, all BSFIs should implement API management good practices such as: ensure strong authentication and authorization mechanisms through in-depth evaluation of API architecture and security standards; encrypt sensitive API payload data using industry accepted encryption standards and versions; ensure that only necessary data/information are contained in API responses; and perform validation, filtering, and sanitization of all client-provided data and other data originating from integrated and partner systems.
The BSP also recommends that BSFIs make sure that system and audit logs capture failed attempts, denied access, input validation failures, and any failures in security policy checks. It also wants BSFIs to adopt the following: regularly update the API inventory, purpose, and documentation to appropriately manage deprecated API versions and unintentional endpoint exposure; conduct regular assessments, hardening, and patching of all API servers; conduct regular security tests using API and business logic exploits such as, but not limited to, SQL injection, replay attacks, and logic bypass; and enforce thresholds and rate-limiting on API calls to prevent distributed denial-of-service (DDoS) attacks.
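The controls listed in the two paragraphs above (strong authentication, validation and sanitization of client-provided data, responses carrying only necessary data, audit logging of failed attempts and validation failures, and rate-limiting of API calls) can be seen together in a single request handler. The following Python snippet is an added illustration written for this article; it is not code from the BSP memo or from any BSFI. The partner names, API keys, account formats, thresholds and the transfer payload are all constructed for the example.

```python
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Constructed sample partner credentials; a real deployment would load these
# from a secrets store rather than a module-level dict.
API_KEYS = {"partner-a": "k-1111-constructed", "partner-b": "k-2222-constructed"}

# Security audit trail: failed attempts, denied access and validation failures
# are all recorded here, as the memo asks system and audit logs to capture.
AUDIT_LOG = []


def log_event(kind, client, detail):
    AUDIT_LOG.append({"ts": time.time(), "event": kind, "client": client, "detail": detail})


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per client."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, client, now):
        q = self.calls[client]
        while q and now - q[0] >= self.window:  # drop calls that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


ACCOUNT_RE = re.compile(r"^[0-9]{10,16}$")           # allow-list: digits only (constructed format)
REFERENCE_RE = re.compile(r"^[A-Za-z0-9 _-]{1,40}$")  # no quotes, angle brackets or separators
ALLOWED_FIELDS = {"from_account", "to_account", "amount_centavos", "reference"}


def validate_transfer(payload):
    """Allow-list validation of client-provided data. Returns (ok, reason)."""
    if not isinstance(payload, dict):
        return False, "payload must be a JSON object"
    if set(payload) != ALLOWED_FIELDS:
        return False, "unexpected or missing fields"
    for field in ("from_account", "to_account"):
        if not isinstance(payload[field], str) or not ACCOUNT_RE.fullmatch(payload[field]):
            return False, f"{field} is not a valid account number"
    amount = payload["amount_centavos"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 1_000_000_000:
        return False, "amount_centavos out of range"
    if not isinstance(payload["reference"], str) or not REFERENCE_RE.fullmatch(payload["reference"]):
        return False, "reference contains disallowed characters"
    return True, ""


def handle_transfer(client, presented_key, payload, limiter, now=None):
    """One API call: authenticate, rate-limit, validate, then answer with minimal data."""
    now = time.time() if now is None else now
    expected = API_KEYS.get(client)
    # Constant-time comparison so the key check does not leak timing information.
    if expected is None or not hmac.compare_digest(expected, str(presented_key)):
        log_event("auth_failure", client, "bad or unknown API key")
        return {"status": 401, "error": "unauthorized"}
    if not limiter.allow(client, now):
        log_event("rate_limited", client, "threshold exceeded")
        return {"status": 429, "error": "too many requests"}
    ok, reason = validate_transfer(payload)
    if not ok:
        log_event("validation_failure", client, reason)
        # The detailed reason stays in the audit log, not in the response.
        return {"status": 400, "error": "invalid request"}
    # The internal record carries more than the caller needs to see...
    record = {
        "transfer_id": secrets.token_hex(8),
        "from_account": payload["from_account"],
        "to_account": payload["to_account"],
        "amount_centavos": payload["amount_centavos"],
        "internal_ledger_id": 4711,  # constructed internal value
        "risk_score": 0.12,          # constructed internal value
        "state": "accepted",
    }
    # ...so the response is trimmed to only the necessary fields.
    return {"status": 201, "transfer_id": record["transfer_id"], "state": record["state"]}


if __name__ == "__main__":
    limiter = RateLimiter(limit=2, window=60)
    good = {"from_account": "1234567890", "to_account": "0987654321",
            "amount_centavos": 150000, "reference": "INV-2022-001"}
    print(handle_transfer("partner-a", "k-1111-constructed", good, limiter, now=0))
    print(handle_transfer("partner-a", "wrong-key", good, limiter, now=1))
    print(AUDIT_LOG[-1])
```

The order of the checks matters: authentication is evaluated before the rate limiter so unauthenticated callers cannot consume a partner's quota, and the limiter is evaluated before validation so a flood of malformed requests is still throttled. Validation is allow-list based (exact field set, fixed character classes, bounded integers) rather than trying to strip known-bad patterns, and every rejection leaves an audit record while the caller only receives a generic error.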
Fonacier said BSFIs should also consider the following controls and processes supporting the operation, connectivity, and endpoint security of APIs: IP address filtering for third-party partner integrations; compliance audits against BSFI API security standards; and implementation of a Web Application Firewall (WAF) in front of API resources to validate and monitor API traffic and protect core applications.
The “strengthening endpoint protection, particularly on mobile applications connecting through APIs, to prevent unauthorized API connections and static/dynamic code analysis” is also recommended by the central bank. To achieve this, the BSP said the following should be implemented for these mobile applications: source code obfuscation; restriction of installation on unsecure mobile devices/instances; periodic changes to the mobile application’s unique identifiers such as its public key, globally unique identifier (GUID), and universally unique identifier (UUID); and ensuring that potential reconnaissance/footprinting of previous mobile application versions is addressed upon implementation of additional security controls.
The BSP said BSFIs should also “clearly define and delineate roles and responsibilities on information security and cybersecurity for API interconnectivity between BSFIs and partners” as part of controls and processes.
“The controls specified in this memorandum are not exhaustive. BSFIs may likewise adopt any other generally accepted good practices for API applicable to the use cases that may not be captured in this memorandum,” said Fonacier.