Every so often, the issue of API security makes it into the headlines. When it does, it is usually because of a vulnerability or a successful attack. As always, the many instances when things go as planned are not reported. That’s one of the reasons why Sila’s API hasn’t been in the news in that way.
Still, this is a good opportunity to reiterate what we do to secure the API on our platform. Risk mitigation is one of our key efforts. Below are a few common API vulnerability classes that other systems sometimes fall to, each with the control that closes it on our platform. In every single case, we can say that this is not a vulnerability in our system.
- Vulnerability: Access to another end user's financial records
Remediation: In our system, only the Sila customer (app) that created an entity (e.g. an end user) can read that end user's transaction history; a request from any other app for that entity is rejected. As defense in depth, SSNs and bank account numbers are returned masked, showing only the last 4 digits.
- Vulnerability: Ability for users to delete other users' accounts
Remediation: In our system, only the Sila customer (app) that created an entity (end user) can delete that entity.
- Vulnerability: Any user can take over any account
Remediation: Currently, taking over an account would require an attacker to hold both the customer's (app) private key and the entity's (end user) private key; a single compromised key is not enough. As a next step, this functionality will also be tied to the customer's (app) access secrets and tokens, so that a customer can only reach entities it created or that are linked to it.
- Vulnerability: Any user could create a denial-of-service condition that would render entire applications unavailable.
Remediation: Degrading performance would take a sustained flood of simultaneous requests over a long period of time. In practice this is not a realistic danger because we a) limit result sizes, so a single request cannot pull an unbounded amount of data, and b) are alerted on load spikes. Because every request is tied to a customer (app), we can identify the app generating the abusive traffic and suspend that app's access. Before reactivating it, we reach out to the customer, notify them of the incident, and work with them on a resolution.
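To make the four controls above concrete, here is a small added example (illustrative code written for this post, not Sila's implementation or API): a toy platform in which every call is scoped to the app that created the entity, SSNs and account numbers are returned masked to their last four digits, an account-changing operation needs a signature from both the app's key and the end user's key, and a per-app request budget raises an alert and suspends the app. The app and entity names, the keys, the thresholds and the automatic suspension on a spike are all assumptions; HMAC-SHA256 over a shared key stands in for the asymmetric private-key signatures the post refers to.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example, not Sila's code. HMAC-SHA256 over a shared key stands in for
# the asymmetric private-key signatures (app key and end-user key) the post mentions.
APP_A_KEY, APP_B_KEY = b"app-a-secret", b"app-b-secret"    # hypothetical keys
ALICE_KEY, BOB_KEY = b"alice-secret", b"bob-secret"

class Forbidden(Exception): pass     # not the caller's resource, or does not exist
class RateLimited(Exception): pass   # caller exhausted its budget and was suspended

def mask(value):
    """Show only the last four characters of an SSN or account number."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def sign(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()

@dataclass
class App:
    key: bytes
    suspended: bool = False
    requests: list = field(default_factory=list)   # timestamps in current window

@dataclass
class Entity:
    handle: str
    owner_app: str      # the app (Sila customer) that registered this end user
    key: bytes          # the end user's own signing key
    ssn: str
    account: str
    transactions: list = field(default_factory=list)

class Platform:
    MAX_RESULTS = 100   # a) result sizes are bounded
    RATE_LIMIT = 5      # requests per WINDOW before an app is suspended (assumed)
    WINDOW = 60.0       # seconds

    def __init__(self):
        self.apps, self.entities, self.alerts = {}, {}, []

    def _admit(self, app_id, now):
        # Per-app rate check on every call; b) a spike alerts and suspends the app.
        app = self.apps[app_id]
        if app.suspended:
            raise Forbidden("app suspended pending incident review")
        app.requests = [t for t in app.requests if now - t < self.WINDOW] + [now]
        if len(app.requests) > self.RATE_LIMIT:
            app.suspended = True
            self.alerts.append(f"load spike from {app_id}: access suspended")
            raise RateLimited(app_id)
        return app

    def _owned(self, app_id, handle):
        # Missing and foreign entities look identical, so apps cannot enumerate handles.
        ent = self.entities.get(handle)
        if ent is None or ent.owner_app != app_id:
            raise Forbidden(handle)
        return ent

    def get_entity(self, app_id, handle, limit=None, now=0.0):
        self._admit(app_id, now)
        ent = self._owned(app_id, handle)
        limit = min(limit or self.MAX_RESULTS, self.MAX_RESULTS)
        return {"handle": ent.handle, "ssn": mask(ent.ssn),
                "account": mask(ent.account), "transactions": ent.transactions[:limit]}

    def delete_entity(self, app_id, handle, now=0.0):
        self._admit(app_id, now)
        self._owned(app_id, handle)
        del self.entities[handle]

    def rotate_entity_key(self, app_id, handle, new_key, app_sig, entity_sig, now=0.0):
        # Account-changing call: needs BOTH signatures over the same message, constant-time.
        app = self._admit(app_id, now)
        ent = self._owned(app_id, handle)
        msg = f"rotate:{handle}:{new_key.hex()}".encode()
        if not (hmac.compare_digest(app_sig, sign(app.key, msg))
                and hmac.compare_digest(entity_sig, sign(ent.key, msg))):
            raise Forbidden("both the app and the entity must sign")
        ent.key = new_key

def outcome(call, *args, **kwargs):
    try:
        call(*args, **kwargs)
        return "ok"
    except Forbidden:
        return "forbidden"
    except RateLimited:
        return "rate_limited"

def build_demo():
    p = Platform()   # two apps with one end user each; all values are made up
    p.apps["app_a"], p.apps["app_b"] = App(APP_A_KEY), App(APP_B_KEY)
    p.entities["alice"] = Entity("alice", "app_a", ALICE_KEY, "123456789", "000987654",
                                 [{"id": i, "amount": 10 * i} for i in range(1, 4)])
    p.entities["bob"] = Entity("bob", "app_b", BOB_KEY, "987654321", "000123456")
    return p
```

Two details in the example are worth carrying into any real implementation: the ownership check returns the same error for an entity that does not exist and for one owned by another app, so an attacker cannot use the response to enumerate handles, and both signatures are checked with a constant-time comparison so a partially correct signature leaks nothing about the right one.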
If you have any questions or concerns, reach out to email@example.com or directly to your customer experience manager.