What are APIs anyway? O’Reilly’s APIs: A Strategy Guide offers this technical definition: “An Application Programming Interface (API) is a way for two computer applications to talk to each other over a network (predominantly the Internet) using a common language that they both understand.” Connecting systems with APIs can offer huge benefits from a technical and business standpoint.
Practically speaking for family offices, using APIs replaces moving data around from one system to another manually by allowing software and computers to talk directly to each other.
In fact, the state-of-the-art software that most family offices use, such as Addepar or AgilLink by Datafaction, are written to take advantage of APIs. This software uses the internet to store and send data (so-called cloud computing) so both the software and the information it handles is accessible from anywhere.
With APIs, we can program these systems to talk to each other and understand the data from one another directly. This automates previously manual tasks, reducing errors and improving security. However, for this to work smoothly and securely, one must invest in security that is integrated within the API implementation itself.
That’s why we work with the data security experts — Cypress Data Defense. We were fortunate enough to speak with Steve Kosten, Director of Application Security at Cypress Data Defense – Application and Software Development Lifecycle Experts, about the security issues and remediations surrounding APIs and how to maximize their effectiveness and ensure their impregnability.
API Advantages and Risks
Errors
Let’s use InvestLink by Datafaction as an example. The software can read the language of investments, transactions, positions, and tax lots, and translate to the language of accounting, double-entry, bookkeeping, GL accounts, ledgers, and journal entries. With this integration, we can automate what was previously manual tasks like manually booking investment data off of statements or off of reports. By using APIs with these systems, it keeps humans out of the loop. The systems are communicating directly so family office users don't have to manually move that data around. This creates a process that is as secure outside the office as it is inside the office, creating an ideal remote work environment.
Kosten offers a few caveats. While the direct communication between systems afforded by APIs prevents data transfer and manipulation, it is not the same as having human eyes to determine if the output meets expectations. Without real people checking the output, even the best of APIs can go off the rails quickly.
Kosten explains: “For example, a user may expect a data output of $10,000, but suddenly receive $1,000,000. While this error is a bit exaggerated, the point is that since a human’s eyes are not looking at these figures, an otherwise quick fix can spiral out of control.”
The takeaway — APIs are an important tool that family offices or any business can take advantage of to deliver quick and accurate results. However, there must be human review of the final products to make sure that a software error doesn’t get propagated.
Security
Kosten notes that APIs are not inherently secure, and therefore can easily be set up improperly. To mitigate the risks, proper controls must be put in place. He recommends starting with the resources offered by the Open Source Foundation for Application Security (OWASP). OWASP offers 10 security points to consider when using APIs.
Controls
While the following is by no means an exhaustive list, below are a few key controls to reduce the risk of errors and security breaches that are recommended by Kosten and Cypress Data Defense. To find out more about the security risks mentioned here and others, jump to the Resources section at the end of this post.
Data Validation
According to Kosten, controls come from developers. Key controls include those that ensure accuracy, like data validation. Examples include the range you expect, the type expected, and the format expected.
Authentication/Authorization
When APIs were first introduced, people thought the APIs were completely invisible to bad actors, making them more secure. The truth is, hackers can find them. This is where authentication and authorization controls come into play. These better ensure that hackers cannot access secure information. Enforcing author identification restricts what agents can and cannot do.
Testing
One of the reasons we work with Cypress Data Defense is their commitment to testing. Don’t wait for the real-world scenario — run penetration tests that replicate an external attack targeting API endpoints. This saves you grief in the long run, while also putting human eyes on the systems more frequently.
Security as Part Of Your Development and Implementation Cycle
Kosten advises the best practice of running a secure software development lifecycle (SDLC) within your integration process. This embeds secure application and API development within the development and implementation process itself.
Kosten and his team cite these benefits of using a secure SDLC:
- Early identification of vulnerabilities in the application’s security.
- More secure software, as security is a continuous concern.
- Stakeholders are aware of the security risks in real-time.
- Reduced cost, time, and effort to mitigate security risks, as they are detected early in the SDLC.
- An overall reduction in business risks for the enterprise.
Incorporating a secure SDLC ensures your development process tests applications and APIs as they are developed and before they can compromise systems once they are pushed to production.
What Does This Mean for Wealth Managers?
Thanks to cloud computing and APIs in integration platforms, systems can talk to each other directly, even if they are operating as independent applications for different vendors. This allows family offices to gain efficiencies in response time, security, scalability, and productivity. However, to get the most out of the advantages APIs give us, attention must be paid to controlling errors and security as part of the software development, integration, and implementation process. This is why we rely on experts like Steve Kosten and Cypress Data Defense to ensure that our processes and products are secure so the solutions we offer our clients are protected.
Resources
REST is probably the most common type of API, and it is what most in the industry use right now. There are all sorts of considerations for REST API security.
OWASP's REST Security Cheat Sheet
OWASP’s lay description of API security vulnerabilities, Understanding the OWASP API Security Top 10.
This overview of OWASP's API Security Project offers a lot of easy-to-understand information.
For other technology security questions you might have, we suggest you visit the Cypress Data Defense blog for straightforward answers that include definitions of technical terms.
