Automated Assistance to the Security Assessment of API for Financial Services
Description
APIs used in financial services—particularly PSD2-compliant Open Banking interfaces—require robust security due to their exposure to authentication, authorization, and payment initiation operations. This work presents an automated framework for the security assessment of PSD2 APIs that integrates Transport Layer Security (TLS) misconfiguration detection with automated penetration testing of business and security-critical API flows.
TLS is widely deployed as the foundational security layer for PSD2 and Open Banking APIs, yet misconfigurations remain common and can expose financial institutions to severe risks. Our approach tightly couples vulnerability identification and mitigation synthesis, providing actionable countermeasures that significantly improve the security posture of API ecosystems.
The framework supports end-to-end analysis—from session-level TLS weaknesses to higher-level API vulnerabilities—offering a unified workflow that enhances financial services security, regulatory compliance, and secure-by-design development practices.
Files
| Name | Size | Checksum |
|---|---|---|
| 2020-2.pdf | 1.4 MB | md5:820d71c54f64f9db4c0b31bfcfc846b0 |