Working with the latest tech is fun. It’s fresh and exciting. As developers we feel invigorated by being on the bleeding edge. Consider us thrill-seekers.
Thrills, however, shouldn’t come from 2am alerts resulting in the binge triaging of production security bugs found in that latest tech stack. Perhaps it’s the reason you’re here. Perhaps you believe, like we do, that bugs are best squashed before deploying to prod.
StackHawk was built to help developers ship secure applications. Existing security testing tools do not work well with modern development paradigms. We’ve built functionality to ensure that modern developers can run security tests simply, including CI integrations, scanning REST API backed applications, and more. As we work to cover the modern application stack, we were well aware of the black hole for GraphQL security testing. We just released GraphQL scanning support to ensure that you can ship secure GraphQL APIs.
But before we jump into the specifics of the solution and follow up with a demo, let’s do a quick overview of the GraphQL specification. This is a unique space with an interesting set of challenges.
If you’re already well versed in GraphQL and the potential challenges posed by its current state of scan-ability, please feel free to skip ahead to How it Works for a demo and walkthrough.
If you enjoy a little flavor and some additional back story then I welcome you to join me on a brief detour.
Now unless your tech stack has been in a quarantine with the rest of us, you’ve probably seen GraphQL implementations in the wild. If your business is in line with, or already one of, the 3,026 star adopters reported in the GraphQL Landscape, then you’re probably already building and deploying a GraphQL API in production today.
Again, being at the forefront of change is always an exciting adventure, but have you taken time to ask yourself…
How secure is my GraphQL API?
If we take a look at some of the numbers, such as the GraphQL statistics report for Drupal customers or this survey on the most exciting API technologies, we get a sense of how this new specification continues gaining traction.
A rising popularity of any new technology typically results in a rise in broken implementations. Considering that most of these apps are likely to lack proper testing, we suddenly have some serious concerns.
While our craft remains the same despite new paradigms, the way in which we express ourselves through our systems will naturally have to be adjusted. This change presents a potential breeding ground for unchecked vulnerabilities on new and existing web apps.
At StackHawk, we believe it is important to simplify and automate security testing for your applications.
Indeed. The specification on the surface defines an outline for representing and interfacing with your data… as a graph and stuff.
At its core GraphQL works on the principle that data is interconnected and can be effectively represented as vertices on a graph. Most of us will be aware that this means two or more pairs of connected vertices, having one or more edges which may or may not come together to form forests, trees and leaves in a directed, acyclic or cyclic fashion, etc., ad infinitum… recursively, and on and on.
This is all just to say that the designers of GraphQL have brilliantly outlined the capacity for engineers to represent data in pretty much any complex structure desired (or maybe not desired). Anything goes as long as the implementation is within the confines of the specification and meets a few key criteria.
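Because the specification lets a schema contain cycles (a User has posts, each Post has an author, who has posts, and so on), a single query can legitimately walk that cycle as many times as the client likes. The snippet below is an added example, not StackHawk’s code or any part of its scanner, that shows the simple defensive check a server or a scanner can apply to such a schema: measure how deeply a query document’s selection sets nest and reject documents beyond a limit. The schema, the `MAX_DEPTH` value, the function names and the sample queries are all assumptions constructed for this illustration.

```python
"""Nesting-depth check for GraphQL query documents.

Added example (not StackHawk code). It assumes a schema with a cycle,
User.posts -> Post.author -> User.posts -> ..., which is exactly the kind
of recursive structure GraphQL permits, and applies a depth limit to
incoming query documents. The top-level selection set counts as depth 1.
"""
from typing import Tuple

MAX_DEPTH = 5  # assumed policy value for this example


def selection_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a query document.

    Depth counts '{' ... '}' pairs. Braces inside string literals ("..."
    and triple-quoted block strings) and inside '#' line comments are
    skipped, because a naive brace count would miscount them.
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                        # line comment: skip to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):    # block string: skip to closing """
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        elif ch == '"':                      # ordinary string, honouring escapes
            i += 1
            while i < n and query[i] != '"':
                if query[i] == "\\":
                    i += 1
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in query")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '{' in query")
    return max_depth


def check_query(query: str, max_depth: int = MAX_DEPTH) -> Tuple[bool, int]:
    """Return (accepted, depth); a document nesting deeper than max_depth is rejected."""
    depth = selection_depth(query)
    return depth <= max_depth, depth


# Constructed sample queries against the assumed cyclic schema.
NORMAL_QUERY = """
query {
  user(id: "42") {
    name
    posts { title }
  }
}
"""

# Walks the User -> posts -> author cycle repeatedly; depth grows with each hop.
RECURSIVE_QUERY = """
query {
  user(id: "42") {
    posts { author { posts { author { posts { author { name } } } } } }
  }
}
"""

# Braces inside a comment and a string literal must not be counted.
TRICKY_QUERY = '''
query {
  # a comment containing { braces } must not count
  search(text: "a { literal } string") { id }
}
'''

if __name__ == "__main__":
    for name, q in [("normal", NORMAL_QUERY),
                    ("recursive", RECURSIVE_QUERY),
                    ("tricky", TRICKY_QUERY)]:
        ok, d = check_query(q)
        print(f"{name}: depth={d} {'accepted' if ok else 'rejected'}")
```

Run as a script it reports the normal and tricky queries as accepted (depths 3 and 2) and the recursive one as rejected (depth 8). The point of the string and comment handling is that a check which can be fooled by a brace in a literal is not a check; a production deployment would normally do this on the parsed AST rather than on raw text, but the policy (bound the nesting a cyclic schema allows) is the same.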
It’s the Wild West of the web! In fact, if you live in a quiet part of the city on dark summer evenings and draw the blinds, turn down the lights, and listen very carefully, you may just catch the sound of the faint grumblings emitted by backend engineers all over as they beg for mercy from the agony of rearchitecting their RESTful service into the promised land The Graph.
Now, this is dangerously close to falling into some wretched and poorly written essay about graph theory and the GraphQL API, but that would never be nearly as informative as what’s already available at GraphQL so let’s fast forward to what this all means for the security bottom-line.