The Updated OWASP API Security Top 10 for 2023 is Here
The Open Web Application Security Project (OWASP)…
Uber just announced it will add the ability to book long-distance travel on planes, trains, and buses, reflecting the company’s ambitions to become a travel “super app.” A pilot project is being launched in the U.K. that will integrate offers from travel partners into the Uber app.
Apps like WeChat and Alipay in China show us what’s possible when an entire country leapfrogs over the PC era directly to mobile. And while the contexts and nuances differ significantly, companies are now following the trend started by the East and dipping their toes into super apps.
Creating a platform instead of a single-use app has become the goal as it allows providers to leverage customer loyalty and data to greatly expand services and reach.
From a technical point of view this presents some interesting challenges, the “super app” now has more and more connectivity to external services and becomes harder to understand from a threat perspective. How are these connections implemented, and which APIs can communicate using what kinds of privileges?
Because of the Open Banking policy directive, most banking institutions are now enabling super-apps to correlate financial data from multiple sources to better understand and serve their target customers. Banks are seeing that customers are willing to trade in their loyalty to established incumbent banks for the convenience that fintech startups can provide. All this inter-financial connectivity is API-led and needs to be done securely to maintain customer trust.
Super-apps can also use open banking data coupled with technologies such as artificial intelligence (AI) and machine learning (ML) to make data-driven decisions and develop customer-focused products across the ecosystem. As consumers are rightfully more and more sensitive to privacy issues, being able to do so securely and safely is key.
Another example of a super-app is Gojek based out of Indonesia. They provide an excellent account of their journey to maintain a world-class security program for a Super App.
They describe how they spend most of their time testing the existing app to find technical and logical security bugs, and get them patched.
Some major bug classes they encountered were:
Today there are multiple options in securing the many tentacles of a super app, from inline security devices to API gateways, to dedicated API security platforms, and bringing security earlier into the development lifecycle by “shifting-left”. Nothing will drive users away from your platform quicker than the loss of trust, so maintaining a good security posture whilst delivering these new and exciting services to the market will be key.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.