In graph we trust: Microservices, GraphQL and security challenges
Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline.
We will cover the following as part of this presentation:
- GraphQL use cases and how unicorns use them
- Benefits and security challenges with GraphQL
- Authentication and Authorisation
- Resource exhaustion
- Backend complexities with microservices
- Need for tweaking conventional DevSecOps tools for security assurance
- Security solutions which works with GraphQL