API Security Testing for Singapore Fintechs: Risks, Methods & Compliance

APIs are the connective tissue of Singapore's fintech ecosystem, linking payment platforms, open banking services, third-party integrations, and mobile frontends. They are also among the most attacked surfaces in financial services. The 2023 Salt Security State of API Security Report found that 94% of organisations experienced API security incidents in the prior 12 months. For Singapore fintechs operating under MAS TRM, API security testing is not optional.

When commissioning API security testing in Singapore, verify that your provider holds a cybersecurity service provider licence issued by CSA's Cybersecurity Services Regulation Office (CSRO). Under the Cybersecurity Act, penetration testing is a licensable cybersecurity service, so any firm offering it in Singapore must be licensed; "CSRO-licensed" below refers to this licence.

OWASP API Security Top 10: What Fintechs Face

OWASP's API Security Top 10 defines the most critical API vulnerabilities. For fintechs, the most consequential are:

API1: Broken Object Level Authorisation (BOLA)

The most common and most damaging API flaw. An attacker modifies an object ID in an API request (e.g., changing account_id=12345 to account_id=12346) and receives another user's data. In payment APIs, this can expose transaction histories, account balances, and personal information at scale. BOLA is endemic in poorly-tested fintech APIs and is hard for automated scanners to see: the request is well-formed and the server answers 200 with valid-looking data. Finding it requires testing with at least two identities and comparing what each can reach, which is manual work.

API2: Broken Authentication

Weak or incorrectly implemented authentication mechanisms — missing token expiry, insecure token transmission, or absent rate limiting on authentication endpoints — allow attackers to take over accounts or perform unauthorised transactions.
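The rate-limiting gap above is easiest to see in code. The following is an added example written for this article, not code from the original page or from any tester's toolkit: a limiter for a login endpoint that counts failures per target account and per source IP, so that a password spray across many accounts from one address and a credential-stuffing run against one account from many addresses are both throttled. The thresholds, the window, and the user store are assumptions chosen for illustration.

```python
"""Added example: rate limiting on an authentication endpoint (OWASP API2).
Thresholds, window length and the user store are illustrative assumptions."""
import hmac
import time
from collections import defaultdict, deque


class AuthRateLimiter:
    """Sliding-window counter of failed logins, keyed by account and by IP.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, per_account=5, per_ip=50, window_s=300, clock=time.monotonic):
        self.per_account = per_account
        self.per_ip = per_ip
        self.window_s = window_s
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failed attempts

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:  # drop entries outside the window
            q.popleft()
        return len(q)

    def allow(self, account, ip):
        now = self.clock()
        return (self._recent(("acct", account), now) < self.per_account
                and self._recent(("ip", ip), now) < self.per_ip)

    def record_failure(self, account, ip):
        now = self.clock()
        self._failures[("acct", account)].append(now)
        self._failures[("ip", ip)].append(now)

    def record_success(self, account, ip):
        # A successful login clears the account counter; the IP counter keeps
        # counting so a sprayer who guesses one password is still throttled.
        self._failures.pop(("acct", account), None)


# Constructed credential store. A real system stores password hashes and always
# performs the hash comparison so unknown accounts take as long as wrong passwords.
USERS = {"alice": "correct-horse-battery-staple"}


def login(limiter, account, password, ip):
    """Returns 'ok', 'denied' or 'throttled'.

    The throttle check runs before any credential work, and unknown accounts
    and wrong passwords produce the same 'denied' so the endpoint is not an
    account-enumeration oracle.
    """
    if not limiter.allow(account, ip):
        return "throttled"
    expected = USERS.get(account, "").encode()
    if hmac.compare_digest(expected, password.encode()):
        limiter.record_success(account, ip)
        return "ok"
    limiter.record_failure(account, ip)
    return "denied"


if __name__ == "__main__":
    lim = AuthRateLimiter(per_account=3, per_ip=10, window_s=300)
    for _ in range(3):
        print(login(lim, "alice", "wrong", "10.0.0.1"))   # denied x3
    print(login(lim, "alice", "correct-horse-battery-staple", "10.0.0.1"))  # throttled
```

Note that the correct password is refused once the account is throttled; that is the intended behaviour, since an attacker who has exhausted the window should not learn anything from a final guess. Per-account lockout alone is not enough because it lets an attacker lock legitimate users out, which is why the limiter pairs it with a per-IP counter and a sliding window rather than a permanent lock.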

API3: Broken Object Property Level Authorisation

APIs that return more data than the client needs (excessive data exposure) or that let clients write properties they should not control (mass assignment). A payment API that returns the full card number when only the last four digits are needed has already failed this control, as has one that lets a client set its own KYC tier or limits by including the field in an update request.
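The two flaws above, BOLA (API1) and property-level authorisation (API3), usually live in the same handler, so one toy account API shows both. This is an added example written for this article, not code from the original page; the account records, field names and the `Forbidden` error are constructed for illustration. The vulnerable handlers trust the ID in the URL, return the raw record, and bind every JSON field onto it; the hardened ones check ownership first, return an allow-listed view, and accept only allow-listed fields. The two probe functions at the end are the checks a tester runs with two sets of test credentials.

```python
"""Added example: BOLA (API1) and property-level authorisation (API3) in one
toy account API, vulnerable and hardened handlers side by side. All data is
constructed; field names and error type are illustrative assumptions."""

# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    12345: {"owner": "alice", "balance": 2500.00, "card_number": "4111111111111111",
            "daily_limit": 1000.00, "kyc_tier": 1},
    12346: {"owner": "bob", "balance": 980.50, "card_number": "5555555555554444",
            "daily_limit": 500.00, "kyc_tier": 2},
}


class Forbidden(Exception):
    """Raised for any request the caller may not make."""


# --- Vulnerable handlers: no ownership check, raw record out, raw JSON in ---
def get_account_vulnerable(caller, account_id):
    return dict(ACCOUNTS[account_id])          # BOLA: caller is never consulted


def update_account_vulnerable(caller, account_id, body):
    ACCOUNTS[account_id].update(body)          # mass assignment: any field is writable
    return dict(ACCOUNTS[account_id])


# --- Hardened handlers ---
READABLE = ("balance", "daily_limit")          # allow-list of fields the client may see
WRITABLE = ("daily_limit",)                    # allow-list of fields the client may set


def _owned(caller, account_id):
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != caller:
        # Same error for "does not exist" and "not yours": no existence oracle.
        raise Forbidden("account not accessible")
    return record


def get_account_hardened(caller, account_id):
    record = _owned(caller, account_id)
    view = {k: record[k] for k in READABLE}
    view["card_last4"] = record["card_number"][-4:]   # derived value, never the PAN
    return view


def update_account_hardened(caller, account_id, body):
    record = _owned(caller, account_id)
    unknown = set(body) - set(WRITABLE)
    if unknown:                                # reject, do not silently drop
        raise Forbidden(f"fields not writable: {sorted(unknown)}")
    record.update(body)
    return get_account_hardened(caller, account_id)


# --- What the tester does: two identities, compare what each can reach ---
def bola_probe(get_handler, caller, own_id, other_id):
    """True when `caller` can read an object that belongs to someone else."""
    try:
        get_handler(caller, own_id)            # control request: own object must work
    except Forbidden:
        raise RuntimeError("control request failed; check the test credentials")
    try:
        get_handler(caller, other_id)
        return True
    except Forbidden:
        return False


def mass_assignment_probe(update_handler, caller, account_id, field, value):
    """True when a field the client should not control is persisted."""
    before = ACCOUNTS[account_id][field]
    try:
        update_handler(caller, account_id, {field: value})
    except Forbidden:
        return False
    changed = ACCOUNTS[account_id][field] != before
    ACCOUNTS[account_id][field] = before       # restore so the probe is repeatable
    return changed


if __name__ == "__main__":
    print(bola_probe(get_account_vulnerable, "alice", 12345, 12346))           # True
    print(bola_probe(get_account_hardened, "alice", 12345, 12346))             # False
    print(mass_assignment_probe(update_account_vulnerable, "bob", 12346, "kyc_tier", 3))  # True
    print(mass_assignment_probe(update_account_hardened, "bob", 12346, "kyc_tier", 3))    # False
```

Two design points matter in the hardened version. Ownership is resolved from the authenticated caller, not from anything in the request, and a missing account and a foreign account return the same error so the ID space cannot be enumerated. On the write side the handler rejects unknown fields rather than ignoring them, which makes a tester's probe (and a client bug) visible instead of silently succeeding.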

API8: Security Misconfiguration

Default configurations, open debug endpoints, verbose error messages, and misconfigured CORS policies create entry points that are trivially exploitable. Particularly common in APIs deployed to cloud infrastructure without a hardening baseline.
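The CORS item in that list is the one most often got wrong in API gateways, and it fails in two distinct ways: reflecting whatever Origin arrives (with credentials allowed), or implementing the allow-list as a suffix or substring test. The block below is an added example written for this article, not code from the original page or any gateway product; it models the server's header decision and the browser's read decision in plain functions. The origin names are constructed.

```python
"""Added example: three CORS origin policies for an API, two broken and one
correct, plus the browser-side rule that decides whether a credentialed
cross-origin response is readable. Domain names are constructed."""

ALLOWED_ORIGINS = {"https://app.example-fintech.sg", "https://partner.example-bank.sg"}


def cors_reflect(origin):
    """Misconfiguration 1: echo any Origin and allow credentials.
    Any site the victim visits can then call the API with the victim's cookies
    and read the response."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin):
    """Misconfiguration 2: allow-list implemented as a suffix test.
    'https://evilexample-fintech.sg' ends with 'example-fintech.sg' and passes."""
    if origin and origin.endswith("example-fintech.sg"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_exact_match(origin):
    """Hardened: exact match of the full origin (scheme, host, port) against a
    fixed set. Otherwise send no CORS headers at all, so the browser blocks the
    read. 'Vary: Origin' stops a shared cache serving one origin's answer to
    another. The literal string 'null' must never be in the set."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def cross_origin_read_allowed(headers, page_origin):
    """Browser rule for a credentialed request: the response is readable only
    when ACAO equals the page's origin exactly (no wildcard with credentials)
    and credentials are explicitly allowed."""
    return (headers.get("Access-Control-Allow-Origin") == page_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    evil = "https://evilexample-fintech.sg"
    for policy in (cors_reflect, cors_suffix_match, cors_exact_match):
        print(policy.__name__, cross_origin_read_allowed(policy(evil), evil))
```

When testing, send the same authenticated request three times with `Origin: https://attacker.example`, `Origin: https://evil<allowed-domain>` and `Origin: null`; a credentialed reflection of any of them is a finding.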

Fintech Reality

Automated Scanners Miss Most Authorisation and Logic Flaws

BOLA, business logic flaws, and authentication weaknesses are rarely detected by automated API scanners, because the requests involved are well-formed and the responses look valid; only a tester who knows how payment and banking APIs are supposed to behave can spot the deviation. The CSRO licence is the legal requirement for penetration testing in Singapore; CREST certification is the quality signal that the testers assigned can do this manual work competently. Look for both.

API Security Testing Methods

Black-Box API Testing

Testing with no prior knowledge of the API design. The tester discovers endpoints through documentation, JavaScript analysis, and traffic interception. Approximates an external attacker with no insider knowledge. Appropriate for testing public-facing APIs and open banking endpoints.

Grey-Box API Testing

Testing with API documentation and test credentials but no access to source code. The most common approach for MAS TRM compliance — covers authenticated and unauthenticated endpoints, business logic flows, and authorisation boundaries.

White-Box API Testing

Testing with full access to API specifications, source code, and architecture documentation. Most thorough — allows testers to identify vulnerabilities in code paths that may not be reachable through black-box or grey-box testing. Appropriate for high-value APIs where maximum coverage is required.

MAS TRM and API Security

MAS TRM §10 covers internet-facing systems and third-party interfaces — both of which encompass APIs. For Singapore fintechs operating under MAS Payment Services Act licences, APIs connecting to payment networks, partner banks, or customer-facing mobile applications fall squarely within the annual penetration testing requirement.

Additional MAS requirements relevant to API security:

  • API authentication — MAS expects strong authentication (OAuth 2.0, mutual TLS) for APIs accessing customer data or payment functions
  • Rate limiting and abuse prevention — APIs must implement controls to detect and block automated abuse
  • Logging and monitoring — All API calls to sensitive endpoints must be logged with sufficient detail for incident investigation
  • Third-party API security — APIs provided to partners must be scoped and assessed as part of third-party risk management

Open Banking API Security in Singapore

MAS has been actively promoting open banking through its API Exchange (APIX) platform and the Financial Industry API Register. As Singapore fintechs expose more functionality through open APIs, the attack surface expands proportionally. Security controls specific to open banking APIs:

  • Implement OAuth 2.0 with PKCE for authorisation code flows
  • Use short-lived access tokens (15–30 minutes maximum) with refresh token rotation
  • Implement API gateways with WAF capabilities and anomaly detection
  • Version APIs explicitly — retired versions must be decommissioned, not left accessible
  • Conduct security testing before every major API version release, not just annually
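The token items in that list (short-lived access tokens, refresh token rotation) have a specific failure mode worth seeing in code: if a rotated refresh token is ever presented twice, either the legitimate client or an attacker holds a copy, and the server cannot tell which. The block below is an added example written for this article, not code from the original page or from any OAuth library; it keeps tokens in memory with an injectable clock. The lifetimes and the `InvalidGrant` error are assumptions for illustration.

```python
"""Added example: 15-minute access tokens, refresh token rotation, and
reuse detection that revokes the whole session family. In-memory store and
an injectable clock; lifetimes are illustrative assumptions."""
import secrets
import time


class InvalidGrant(Exception):
    """OAuth-style error for a refresh token that must not be honoured."""


class TokenService:
    def __init__(self, access_ttl_s=15 * 60, refresh_ttl_s=24 * 3600, clock=time.time):
        self.access_ttl_s = access_ttl_s
        self.refresh_ttl_s = refresh_ttl_s
        self.clock = clock
        self._access = {}            # access token -> (subject, family, expires_at)
        self._refresh = {}           # refresh token -> record dict
        self._revoked_families = set()

    def issue(self, subject):
        """Called once after a successful authorisation; starts a new family."""
        return self._mint(subject, family=secrets.token_hex(8))

    def _mint(self, subject, family):
        now = self.clock()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = (subject, family, now + self.access_ttl_s)
        self._refresh[refresh] = {"sub": subject, "family": family,
                                  "expires_at": now + self.refresh_ttl_s, "used": False}
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.access_ttl_s, "token_type": "Bearer"}

    def validate_access(self, token):
        """Returns the subject, or None if expired, unknown or family-revoked."""
        rec = self._access.get(token)
        if rec is None:
            return None
        subject, family, expires_at = rec
        if family in self._revoked_families or self.clock() >= expires_at:
            return None
        return subject

    def refresh(self, refresh_token):
        rec = self._refresh.get(refresh_token)
        if rec is None:
            raise InvalidGrant("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise InvalidGrant("session revoked")
        if rec["used"]:
            # Rotation means each refresh token is valid for exactly one use.
            # A second presentation means a copy exists somewhere it should not,
            # so every token descended from the original grant is revoked.
            self._revoked_families.add(rec["family"])
            raise InvalidGrant("refresh token reuse detected; session revoked")
        if self.clock() >= rec["expires_at"]:
            raise InvalidGrant("refresh token expired")
        rec["used"] = True
        return self._mint(rec["sub"], rec["family"])


def refresh_or_none(service, refresh_token):
    """Helper for callers that only need to know whether the refresh succeeded."""
    try:
        return service.refresh(refresh_token)
    except InvalidGrant:
        return None


if __name__ == "__main__":
    svc = TokenService()
    t1 = svc.issue("alice")
    t2 = svc.refresh(t1["refresh_token"])            # normal rotation
    print(refresh_or_none(svc, t1["refresh_token"]))   # None: replay detected
    print(svc.validate_access(t2["access_token"]))     # None: family revoked
```

The trade-off is deliberate: on reuse the legitimate user is logged out and must re-authenticate, which is an acceptable cost against the alternative of an attacker keeping a stolen refresh token alive indefinitely. Access tokens are checked against the revoked-family set too, so the 15-minute window does not become a grace period for the attacker.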

Choosing an API Security Testing Provider in Singapore

API security testing requires both technical skill and regulatory knowledge. Your provider should be:

  • CSRO-licensed — verify on CSA's register of licensed cybersecurity service providers
  • CREST-accredited — with CCT Web Application or equivalent certified testers assigned to your engagement
  • Experienced with fintech API architectures — REST, GraphQL, gRPC, and payment-specific protocols
  • Familiar with OWASP API Security Top 10 and MAS TRM requirements
  • Able to produce documentation meeting MAS examination standards

Infinite Cybersecurity conducts API security testing as part of comprehensive VAPT engagements for Singapore fintechs. Our CREST-certified, CSRO-licensed team covers the full OWASP API Top 10 and produces MAS TRM-aligned documentation. Contact us to discuss your API testing requirements.

Ready to Secure Your APIs?

Our CREST-accredited, CSRO-licensed Singapore team delivers thorough API security testing aligned with MAS TRM and OWASP standards.
