In graph we trust: Microservices, GraphQL and security challenges
Speaker: Imran Mohammed, Senior Security Engineer, Zendesk
Microservices, RESTful and API-first architectures are all the rage these days, and rightfully so: they solve some of the challenges of modern application development. Microservices enable organisations to ship code to production faster, which is accomplished by dividing large monolithic applications into smaller, specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls, frontend/backend gaps, etc.). GraphQL provides a powerful way to solve some of these challenges, but with great power comes great responsibility. GraphQL reduces the attack surface drastically (thanks to LangSec), but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, along with the challenges and solutions which help in implementing secure GraphQL-based APIs. We will start off with an introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don't work with them. Finally, we will cover solutions which help in securing these APIs by shifting left in the DevOps pipeline.
We will cover the following as part of this presentation:
- GraphQL use cases and how unicorns use them
- Benefits and security challenges with GraphQL
  - Authentication and Authorisation
  - Resource exhaustion
  - Backend complexities with microservices
- Need for tweaking conventional DevSecOps tools for security assurance
- Security solutions which work with GraphQL
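The "resource exhaustion" challenge listed above comes from the fact that a single GraphQL document can nest selection sets arbitrarily deep or repeat an expensive field many times under different aliases, so one request can fan out into thousands of resolver calls. The following is an added example, not code from the talk or from Zendesk, showing a dependency-free pre-execution check that rejects such documents before they reach the resolvers. The depth and alias limits, and the three sample queries, are constructed for illustration; a real deployment would tune them per schema and would usually combine them with a cost analysis in the GraphQL server library.

```python
"""Pre-execution limits against GraphQL resource exhaustion.

Two cheap structural checks on the raw query text:
  * selection depth   - how deeply selection sets ({ ... }) are nested
  * alias count       - how many times 'alias: field' is used

Strings, comments and parenthesised argument lists are blanked out first
so that braces and colons inside them are not miscounted.
"""
import re

# Illustrative limits (an assumption for this example, not a recommendation
# from the talk); tune them to the schema being protected.
MAX_DEPTH = 6
MAX_ALIASES = 20

_LITERALS = re.compile(
    r'"""(?:.|\n)*?"""'       # block strings
    r'|"(?:\\.|[^"\\\n])*"'   # ordinary strings, with escapes
    r'|#[^\n]*'               # line comments
)
_ALIAS = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")


def _strip_literals(query: str) -> str:
    """Replace strings and comments with a space so their contents are ignored."""
    return _LITERALS.sub(" ", query)


def _strip_arguments(text: str) -> str:
    """Drop every parenthesised group: field arguments, variable definitions,
    directive arguments. Input objects like {published: true} live there."""
    out, level = [], 0
    for ch in text:
        if ch == "(":
            level += 1
        elif ch == ")":
            if level == 0:
                raise ValueError("unbalanced ')'")
            level -= 1
        elif level == 0:
            out.append(ch)
    if level:
        raise ValueError("unbalanced '('")
    return "".join(out)


def _normalise(query: str) -> str:
    return _strip_arguments(_strip_literals(query))


def selection_depth(query: str) -> int:
    """Deepest nesting of selection sets; the root selection set is depth 1."""
    depth = deepest = 0
    for ch in _normalise(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}'")
    if depth:
        raise ValueError("unbalanced '{'")
    return deepest


def count_aliases(query: str) -> int:
    """After normalisation the only 'name: name' pairs left are field aliases."""
    return len(_ALIAS.findall(_normalise(query)))


def check_query(query: str, max_depth: int = MAX_DEPTH,
                max_aliases: int = MAX_ALIASES) -> tuple[bool, str]:
    """Return (accepted, reason); malformed documents are rejected too."""
    try:
        depth = selection_depth(query)
        aliases = count_aliases(query)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if aliases > max_aliases:
        return False, f"{aliases} aliases exceed limit {max_aliases}"
    return True, "ok"


# Constructed sample documents (not from the talk).
BENIGN = """
query GetUser($id: ID!) {
  user(id: $id) {
    name  # a comment containing a brace: {
    posts(first: 10, filter: {published: true}) { title }
  }
}
"""
DEEP = "query { " + "friends { " * 12 + "id" + " }" * 12 + " }"
ALIAS_FLOOD = "query { " + " ".join(
    f"u{i}: user(id: {i}) {{ name }}" for i in range(50)) + " }"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("deep", DEEP), ("aliases", ALIAS_FLOOD)):
        print(label, check_query(doc))
```

The check runs on the query text alone, so it can sit in front of the GraphQL server (for example in an API gateway) where a conventional scanner or WAF has no notion of query structure. It is deliberately not a substitute for query cost analysis: a shallow query can still be expensive, which is why the talk's "backend complexities" point matters as well.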
BIOGRAPHY
Imran "secfigo" Mohammed is a seasoned security professional with 8 years of experience in helping organizations with their Information Security Programs. He has a diverse background in R&D, consulting and product-based industries, with a passion for solving complex security programs. Imran is the founder of Null Singapore, the largest information security community in Singapore, where he has organized more than 60 events & workshops to spread security awareness. He was also nominated as a community star for being the go-to person in the community whose contribution and knowledge sharing has helped many professionals in the security industry.
