Towards Secure Open Banking Architecture: An Evaluation with OWASP

The European Union passed the PSD2 regulation in 2015, which gives ownership of bank accounts to the private person owning it. As a result, the term Open Banking, allowing third party providers and developers access to bank APIs, has emerged, welcoming a myriad of innovative solutions for the financial sector. However, multiple cyber security issues arise from exposing bank data to third party providers through an API. In this work, we propose an architectural model that ensures clear separation of concern and easy integration with Nordea's Open Banking APIs (sandbox version), and a technological stack, consisting of the micro-framework Flask, the cloud application platform Heroku and persistent data storage layer (using Postgres). We analyze the web application's security threats, and determine whether or not the technological frame provides adequate security protection, by leveraging the OWASP Top 10 list of the Ten Most Critical Web Application Security Risks. Our results can support future developers and industries working on web applications for Open Banking towards security improvement by choosing the right frameworks and considering the most important vulnerabilities, as well as contributing to the documentation and development of Nordea's APIs.