FinTech Magazine December 2019 | Page 34

SPECIAL FEATURE
banks are outsourcing a large proportion of their development work. "It's a case of a lot of outsourcing, but very little checking. The developers will approach the bank, needing the tokens and keys to work through the app and, once the banks have given the information over, they're washing their hands of it so it ends up embedded in the app – there's no visibility. I even encountered banks that made ownership of their app development a function of their marketing team."
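The embedded-token problem Knight describes is one a bank can check for itself before a build ships. The following is an added example, not Knight's tooling or any bank's code: a short Python scanner run over strings dumped from a decompiled app build. It pairs signatures for well-known token shapes with a Shannon-entropy test for literals no signature knows about. The sample strings are constructed for illustration (the AWS key id is Amazon's documentation placeholder, the JWT is hand-assembled), and the rule names and thresholds are this example's own choices.

```python
"""Scan strings extracted from an app build for embedded credentials."""
import math
import re

# Detection rules. The token shapes are common, documented formats; the rule
# names, thresholds and sample data below are this example's own assumptions.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}")),
    # A key/secret/token/password-looking name assigned a quoted literal.
    ("keyish_assignment", re.compile(
        r"""(?i)\b[A-Z0-9_]*(key|secret|token|passw(or)?d)[A-Z0-9_]*["']?\s*[:=]\s*["']([^"']{8,})["']""")),
]

MIN_LITERAL_LEN = 24      # only quoted literals this long are entropy-tested
ENTROPY_THRESHOLD = 4.5   # bits per character; random base64 lands near 5
QUOTED = re.compile(r"""["']([^"']{%d,})["']""" % MIN_LITERAL_LEN)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a one-symbol string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep just enough of a hit to locate it, never the whole secret."""
    return value[:6] + "..." + value[-2:] if len(value) > 10 else "***"


def scan(lines):
    """Return (line_no, rule_name, redacted_evidence) for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        matched = False
        for name, rx in RULES:
            for m in rx.finditer(line):
                findings.append((n, name, redact(m.group(0))))
                matched = True
        if matched:
            continue
        # Fall back to entropy for literals no signature knows about.
        for lit in QUOTED.findall(line):
            if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append((n, "high_entropy_literal", redact(lit)))
    return findings


# Constructed sample: strings as they might come out of a decompiled build.
# None of these are real credentials.
SAMPLE_STRINGS = [
    'BASE_URL = "https://api.example-bank.test/v2"',      # benign, below threshold
    'aws.accessKeyId=AKIAIOSFODNN7EXAMPLE',                 # AWS docs placeholder id
    '"client_secret": "s3cr3t-0utsourced-value"',           # named like a secret
    'Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcHAifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"',
    'SIGNING_MATERIAL = "Qz8mK2vX5pL9rT1yW4bN7cJ0dF3gH6sV"',  # no keyword, high entropy
    'LOG_TAG = "PaymentsFragment"',                         # benign, short
]

if __name__ == "__main__":
    for line_no, rule, evidence in scan(SAMPLE_STRINGS):
        print(f"line {line_no}: {rule:22s} {evidence}")
```

Run it against the strings table of the release build, not only the repository: the point in the text is that keys handed to an outsourced developer reach the shipped app. Expect some false positives from the entropy rule; the signature rules are the high-confidence ones, and any real hit should be revoked and rotated, not merely deleted from the next build.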
We live in an API-first world, Knight believes. The problem with that world is that many organisations don't understand how to secure their APIs. "If all you have is a hammer, everything looks like a nail," she said. "They're securing them with web application firewalls or API gateways, and that's wrong. In many API breaches, the organisations had API gateways in place, but they're not using API security gateways. And that's because we're not shifting left in security, meaning that when we're developing the app, we need to be implementing security controls in the development process, sending our developers to secure development training, and budgeting for that. We need to be looking at APIs differently."
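Knight's distinction between a gateway in front of an API and actual API security can be made concrete. The example below is added for this page and is not from Knight or any product: a constructed signature-style WAF check placed beside an API-aware check that enforces the route's object-level authorization and body schema. The route, session, requests and rule names are all assumptions made for illustration.

```python
"""Why a signature WAF is not API security: a request that carries no attack
string can still violate the API's authorization model or its schema."""
import json
import re

# Constructed stand-in for a generic WAF rule set: block well-known attack
# strings wherever they appear. The patterns are this example's own.
WAF_SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./", r"\bor\s+1=1\b")
]


def waf_allows(request):
    """Signature check over path and body; knows nothing about the API."""
    blob = request["path"] + " " + request["body"]
    return not any(sig.search(blob) for sig in WAF_SIGNATURES)


# Constructed API contract: one route, a strict body schema, and the rule
# that a caller may only act on accounts bound to its own session.
ROUTE = re.compile(r"/v2/accounts/(\d+)/transfers")
BODY_FIELDS = {"to_account", "amount"}


def api_allows(request, session):
    """API-aware check: route, object-level authorization, then schema.

    Returns (allowed, reason)."""
    m = ROUTE.fullmatch(request["path"])
    if not m:
        return False, "unknown route"
    if m.group(1) not in session["accounts"]:
        return False, "object-level authorization: account not owned by caller"
    try:
        body = json.loads(request["body"])
    except json.JSONDecodeError:
        return False, "malformed JSON"
    if not isinstance(body, dict) or set(body) != BODY_FIELDS:
        return False, "schema: body must contain exactly " + ", ".join(sorted(BODY_FIELDS))
    if not isinstance(body["to_account"], str) or not re.fullmatch(r"\d+", body["to_account"]):
        return False, "schema: to_account must be a numeric account id"
    amount = body["amount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return False, "schema: amount must be a positive integer"
    return True, "ok"


# Constructed session and requests. Account 1001 belongs to the caller;
# 1002 belongs to a different customer.
SESSION = {"subject": "customer-42", "accounts": {"1001"}}

REQUESTS = {
    "legitimate": {"path": "/v2/accounts/1001/transfers",
                   "body": '{"to_account": "2002", "amount": 50}'},
    # Harmless to a WAF, but moves money out of another customer's account.
    "other_account": {"path": "/v2/accounts/1002/transfers",
                      "body": '{"to_account": "2002", "amount": 50}'},
    # A field the API never documented, smuggled in with a valid call.
    "extra_field": {"path": "/v2/accounts/1001/transfers",
                    "body": '{"to_account": "2002", "amount": 50, "fee_waived": true}'},
    # Classic injection string: the one case the signature check does catch.
    "injection": {"path": "/v2/accounts/1001/transfers",
                  "body": '{"to_account": "2002 OR 1=1", "amount": 50}'},
}


def compare(requests=REQUESTS, session=SESSION):
    """Map each request name to (waf_allows, api_allows) verdicts."""
    return {name: (waf_allows(r), api_allows(r, session)[0])
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (waf, api) in compare().items():
        print(f"{name:14s} WAF allows={str(waf):5s} API check allows={api}")
```

The two abusive requests carry no attack string at all, so the signature check waves them through; only a control that knows which accounts belong to the caller and which fields the operation accepts can refuse them. That knowledge has to come out of the development process itself, which is the shift-left point Knight is making.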
And it's the last point that lies behind one of Knight's several recommendations to counter the problem: hire hackers, not developers. The latter, she told Money20/20, "are drunk on their own Kool-Aid," insisting that banks should "hire people like me and hack yourselves before somebody else does, and then tries to sell you their findings. Banks should also focus on static and dynamic code analysis