APIs are the connective tissue of Singapore's digital financial sector, powering payments, open banking initiatives, and integrations between financial institutions and fintech partners. As this reliance grows, API security becomes a central concern. This article describes API security testing grounded in established practices and the Singapore regulatory context.
Why APIs Matter Under MAS Expectations
The MAS TRM Guidelines take a defence-in-depth approach and expect financial institutions to preserve the confidentiality, integrity, and availability of data and IT systems. APIs, as the interfaces through which data and transactions flow, are squarely within this scope. As financial institutions expose more functionality through APIs (to partners, to fintech integrators, to their own mobile apps), each API becomes an information asset that must be secured and tested.
The Vulnerability Classes That Matter
API security testing must go well beyond simple input fuzzing. The most consequential API vulnerabilities are typically authorisation and business-logic flaws:
**Broken Object Level Authorization (BOLA)**: the most common critical API vulnerability, where one user can access another's data by manipulating object identifiers. Automated tools struggle with this because they don't understand which objects should belong to which users.
**Broken Function Level Authorization**: where a regular user can invoke privileged or administrative API functions.
**Unrestricted access to sensitive business flows**: where legitimate API functionality is abused at scale, for example to enumerate accounts or extract data.
**Business-logic abuse in transaction APIs**: particularly relevant for payment and financial APIs, where manipulating the sequence or parameters of API calls can result in unauthorised value transfer.
Why Manual Testing Is Essential
These vulnerabilities require human testers who understand both the API's technical structure and the business context of what it does. An automated scanner can verify that an API endpoint requires authentication; it cannot determine whether an authenticated user can access data they should not, because it does not understand the intended authorisation model. This is why effective API security testing combines automated discovery with expert manual testing.
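The gap described above, a scanner that can confirm authentication but knows nothing of the intended authorisation model, can be made concrete. The following Python sketch is an added example, not code from this article or from Simuna Infosec, and it serves both the BOLA and function-level items in the list above and the point made here: an account-read handler and an administrative freeze handler in vulnerable and hardened forms, plus an explicit authorisation matrix (the model a tester elicits from the API's owners) that is exercised against each handler for every caller and object. Users, roles and account identifiers are constructed sample data.

```python
"""Added example (not from the article or Simuna Infosec): BOLA and
function-level handlers beside their hardened forms, checked against an
explicit authorization model. Users, roles and accounts are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "customer" or "admin"


class Forbidden(Exception):
    pass


# Constructed ownership data: which account belongs to which user.
ACCOUNTS: Dict[str, dict] = {
    "acc-1001": {"owner": "alice", "balance": 2500},
    "acc-1002": {"owner": "bob", "balance": 900},
}


def read_account_vulnerable(caller: Optional[Principal], account_id: str) -> dict:
    """Requires a login but never asks whether the object is the caller's (BOLA)."""
    if caller is None:
        raise Forbidden("authentication required")
    return ACCOUNTS[account_id]


def read_account_hardened(caller: Optional[Principal], account_id: str) -> dict:
    """Object-level check: owner or admin only. Unknown and foreign ids get the
    same answer so the endpoint does not confirm which identifiers exist."""
    if caller is None:
        raise Forbidden("authentication required")
    account = ACCOUNTS.get(account_id)
    if account is None or (account["owner"] != caller.user_id and caller.role != "admin"):
        raise Forbidden("no such account for this caller")
    return account


def freeze_account_vulnerable(caller: Optional[Principal], account_id: str) -> dict:
    """Administrative function reachable by any authenticated user
    (broken function-level authorization)."""
    if caller is None:
        raise Forbidden("authentication required")
    return {"account": account_id, "frozen": True}


def freeze_account_hardened(caller: Optional[Principal], account_id: str) -> dict:
    """Function-level check: the admin role is required before the object is looked at."""
    if caller is None or caller.role != "admin":
        raise Forbidden("admin role required")
    if account_id not in ACCOUNTS:
        raise Forbidden("no such account")
    return {"account": account_id, "frozen": True}


def expected_allowed(action: str, caller: Principal, account_id: str) -> bool:
    """The intended authorization model, written down explicitly. A tester gets
    this from the API's owners; an automated scanner has no equivalent."""
    if action == "read":
        return caller.role == "admin" or ACCOUNTS[account_id]["owner"] == caller.user_id
    if action == "freeze":
        return caller.role == "admin"
    raise ValueError(action)


PRINCIPALS = [Principal("alice", "customer"), Principal("bob", "customer"), Principal("ops", "admin")]


def authorization_violations(handlers: Dict[str, Callable]) -> List[Tuple[str, str, str, str]]:
    """Exercise every (action, caller, object) combination and report each case
    where the handler's decision differs from the model, in either direction."""
    violations = []
    for action, handler in handlers.items():
        for caller in PRINCIPALS:
            for account_id in ACCOUNTS:
                try:
                    handler(caller, account_id)
                    decided = "allowed"
                except Forbidden:
                    decided = "denied"
                wanted = "allowed" if expected_allowed(action, caller, account_id) else "denied"
                if decided != wanted:
                    violations.append((action, caller.user_id, account_id, decided))
    return violations


if __name__ == "__main__":
    for row in authorization_violations({"read": read_account_vulnerable, "freeze": freeze_account_vulnerable}):
        print("violation:", row)
    print("hardened:", authorization_violations({"read": read_account_hardened, "freeze": freeze_account_hardened}))
```

Note that the matrix flags over-permission and over-restriction alike; a handler that denies the owner access to their own account is a defect too, just a different one. Writing `expected_allowed` down is the step that cannot be automated away, which is the article's point.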
The Open Banking Dimension
As Singapore's financial sector embraces API-driven open banking and partnerships, APIs increasingly expose core financial functionality to external parties. This expands the attack surface and makes rigorous, independent API security testing, aligned with the MAS expectation of testing by independent qualified assessors, increasingly important.
How Simuna Infosec Helps
Our API Security Testing service tests REST, GraphQL, and SOAP APIs against the full OWASP API Security Top 10 and applies custom business-logic testing designed for payment and financial workflows. We have deep experience with the BSS and payment APIs that carry revenue for telecom and financial clients, giving us the domain understanding needed to find the authorisation and business-logic flaws that matter most.
*This article describes general security testing principles and references publicly available regulatory information as of mid-2026.*