In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran
Microservices, RESTful and API-first architectures are all the rage these days, and rightfully so: they solve some of the challenges of modern application development. Microservices enable organisations to ship code to production faster; this is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls, frontend/backend gaps, etc.). GraphQL provides a powerful way to solve some of these challenges, but with great power comes great responsibility. GraphQL reduces the attack surface drastically (thanks to LangSec), but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, and the challenges and solutions which help in implementing secure GraphQL-based APIs. We will start off with an introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don't work with them. At last, we will cover solutions which help in securing these APIs by shifting left in the DevOps pipeline.
We will cover the following as part of this presentation:
GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which work with GraphQL
12. GraphQL History
2012 - START: Facebook started working on it.
2015 - PUBLIC RELEASE: Facebook open sourced GraphQL.
2016 - GITHUB: GitHub previewed its GraphQL API v4.
2017 - GOLD RUSH (members): GitHub, Pinterest, Spotify, Twitter and many more.
13. GraphQL
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.
source: graphql.org
14. Benefits & Use Cases
Multiple resources in one request (speed)
No versioning hell
Schema introspection
Simple and efficient to use
33. Versioning: REST API vs GraphQL
REST API: https://api.site.com/v1 -> https://api.site.com/v2
GraphQL schema v1:
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
}
GraphQL schema v2:
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
planet: String
}
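To make the point of this slide concrete, here is an added Python example that is not part of the talk: a toy executor for the slide's hero/Character schema in its v1 and v2 forms. The sample data, the minimal query parser and the execute function are all constructed for this example (a real server would use a GraphQL library); it shows that a v1 client query keeps working unchanged against the v2 schema, and that any field not declared in the schema is rejected before anything is resolved, which is the LangSec property the abstract refers to.

```python
import re

# Schemas from the slide: v2 only adds the `planet` field to Character (additive change).
SCHEMA_V1 = {"Query": {"hero": "Character"},
             "Character": {"name": "String", "friends": "[Character]"}}
SCHEMA_V2 = {"Query": {"hero": "Character"},
             "Character": {"name": "String", "friends": "[Character]", "planet": "String"}}

# Constructed sample data (not from the slides), served from a single endpoint.
DATA = {"hero": {"name": "Luke", "planet": "Tatooine",
                 "friends": [{"name": "Han", "planet": "Corellia", "friends": []}]}}


def parse(query):
    """Turn `{ hero { name friends { name } } }` into nested dicts of selections."""
    tokens = re.findall(r"\w+|[{}]", query)

    def selection(pos):
        assert tokens[pos] == "{", "selection set must start with '{'"
        fields, pos = {}, pos + 1
        while tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            if pos < len(tokens) and tokens[pos] == "{":
                fields[name], pos = selection(pos)   # nested selection
            else:
                fields[name] = None                  # scalar leaf
        return fields, pos + 1

    return selection(0)[0]


def execute(schema, query, data=DATA):
    """Resolve `query` against `data`, validating every field against `schema`.
    Undeclared fields raise ValueError, as a GraphQL server would refuse them."""
    def resolve(type_name, fields, obj):
        out = {}
        for name, sub in fields.items():
            if name not in schema[type_name]:
                raise ValueError(f"Cannot query field '{name}' on type '{type_name}'")
            ftype = schema[type_name][name]
            if ftype.startswith("["):                 # list of objects
                out[name] = [resolve(ftype[1:-1], sub or {}, o) for o in obj[name]]
            elif ftype in schema:                     # single nested object
                if not sub:
                    raise ValueError(f"Field '{name}' of type '{ftype}' needs a selection")
                out[name] = resolve(ftype, sub, obj[name])
            else:                                     # scalar
                out[name] = obj[name]
        return out

    return resolve("Query", parse(query), data)
```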
52. Microservices
The microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API.
58. New tech: SAST on the backend is not mature. Use existing tools and code review.
59. DAST can be automated using existing developer tooling like tests, run via Selenium and pumped through a proxy, or use curl to create custom queries.
60. OAST is still possible. OAST is a made-up term for Open Source Application Component Security Testing.
65. DevSecOps Studio
A virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic.
https://github.com/teacheraio/DevSecOps-Studio/
66. DevSecOps Studio Benefits
A. Easy to set up: takes only a few minutes to set up and start using, with just one command.
B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
C. Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
67. Conway's Law
"Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure."