
In graph we trust: Microservices, GraphQL and security challenges


In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran

Microservices, RESTful and API-first architectures are all the rage these days, and rightfully so: they solve some of the challenges of modern application development. Microservices let organisations ship code to production faster, which is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls, frontend/backend gaps, etc.). GraphQL provides a powerful way to solve some of these challenges, but with great power comes great responsibility. GraphQL reduces the attack surface drastically (thanks to LangSec), but there are still many things which can go wrong.

This talk will cover the risks associated with GraphQL, and the challenges and solutions that help in implementing secure GraphQL-based APIs. We will start off with an introduction to GraphQL and its benefits. We then discuss the difficulty of securing these applications and why traditional security scanners don't work with them. At last, we will cover solutions which help in securing these APIs by shifting left in the DevOps pipeline.

We will cover the following as part of this presentation:

GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which work with GraphQL

Published in: Software

In graph we trust: Microservices, GraphQL and security challenges

  1. 1. Join the conversation #DevSecCon BY MOHAMMED A. IMRAN In graph we trust: Microservices, GraphQL and security challenges
  2. 2. Hi, I'm Imran, secfigo
  3. 3. I work at
  4. 4. I work at Ahem!
  5. 5. Let's talk about the Gold Rush
  6. 6. Let's talk about the Modern Gold Rush
  7. 7. I mean
  8. 8. The Next Big Thing
  9. 9. The Next Big Thing { REST API }
  10. 10. GraphQL History: the Gold Rush. 2012, START: Facebook started working on it. 2015, PUBLIC RELEASE: Facebook open sourced GraphQL. 2016, GITHUB: GitHub previewed its GraphQL API v4. 2017, MEMBERS: GitHub, Pinterest, Spotify, Twitter and many more.
  11. 11. GraphQL: GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. source: graphql.org
  12. 12. Benefits & Use Cases: (1) Multiple resources in one request (speed); (2) Versioning hell; (3) Schema introspection; (4) Simple and efficient to use
  13. 13. Multiple resources in one request 1
  14. 14. Let's create a GitHub Secret Scanner. Example
  15. 15. 1. List of repositories; 2. List of branches in repo; 3. Scan the code in branch; 4. Analyse for secrets
  16. 16. Let's get the list of repositories using the v3 GitHub API - https://developer.github.com/v3/repos/#list-user-repositories
  17. 17. { REST API } GET /users/secfigo/repos
  18. 18. { REST API }{ "id": 1296269, "owner": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "name": "Hello-World", "full_name": "octocat/Hello-World", "description": "This your first repo!", "private": false, "fork": false, "url": "https://api.github.com/repos/octocat/Hello-World", "html_url": "https://github.com/octocat/Hello-World", "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}", "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}", "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}", "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}", "clone_url": "https://github.com/octocat/Hello-World.git", "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}", "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}", "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}", "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}", "contents_url": 
"http://api.github.com/repos/octocat/Hello-World/contents/{+path}", "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors", "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments", "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads", "events_url": "http://api.github.com/repos/octocat/Hello-World/events", "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks", "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}", "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}", "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}", "git_url": "git:github.com/octocat/Hello-World.git", "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks", "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}", "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}", "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}", "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}", "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}", "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages", "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges", "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}", "mirror_url": "git:git.example.com/octocat/Hello-World", "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}", "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}", "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}", "ssh_url": "git@github.com:octocat/Hello-World.git", "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers", "statuses_url": 
"http://api.github.com/repos/octocat/Hello-World/statuses/{sha}", "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers", "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription", "svn_url": "https://svn.github.com/octocat/Hello-World", "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags", "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams", "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}", "homepage": "https://github.com", "language": null, "forks_count": 9, "stargazers_count": 80, "watchers_count": 80, "size": 108, "default_branch": "master", "open_issues_count": 0, "topics": [ "octocat", "atom", "electron", "API" ], "has_issues": true, "has_wiki": true, "has_pages": false, "has_downloads": true, "archived": false, "pushed_at": "2011-01-26T19:06:43Z", "created_at": "2011-01-26T19:01:12Z", "updated_at": "2011-01-26T19:14:43Z", "permissions": { "admin": false, "push": false, "pull": true }, "allow_rebase_merge": true, "allow_squash_merge": true, "allow_merge_commit": true, "subscribers_count": 42, "network_count": 0, "license": { "key": "mit", "name": "MIT License", "spdx_id": "MIT", "url": "https://api.github.com/licenses/mit", "html_url": "http://choosealicense.com/licenses/mit/" }, "organization": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": 
"https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "Organization", "site_admin": false }, "parent": { "id": 1296269, "owner": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "name": "Hello-World", "full_name": "octocat/Hello-World", "description": "This your first repo!", "private": false, "fork": false, "url": "https://api.github.com/repos/octocat/Hello-World", "html_url": "https://github.com/octocat/Hello-World", "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}", "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}", "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}", "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}", "clone_url": "https://github.com/octocat/Hello-World.git", "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}", "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}", 
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}", "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}", "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}", "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors", "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments", "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads", "events_url": "http://api.github.com/repos/octocat/Hello-World/events", "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks", "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}", "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}", "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}", "git_url": "git:github.com/octocat/Hello-World.git", "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks", "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}", "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}", "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}", "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}", "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}", "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages", "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges", "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}", "mirror_url": "git:git.example.com/octocat/Hello-World", "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}", "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}", "releases_url": 
"http://api.github.com/repos/octocat/Hello-World/releases{/id}", "ssh_url": "git@github.com:octocat/Hello-World.git", "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers", "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}", "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers", "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription", "svn_url": "https://svn.github.com/octocat/Hello-World", "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags", "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams", "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}", "homepage": "https://github.com", "language": null, "forks_count": 9, "stargazers_count": 80, "watchers_count": 80, "size": 108, "default_branch": "master", "open_issues_count": 0, "topics": [ "octocat", "atom", "electron", "API" ], "has_issues": true, "has_wiki": true, "has_pages": false, "has_downloads": true, "archived": false, "pushed_at": "2011-01-26T19:06:43Z", "created_at": "2011-01-26T19:01:12Z", "updated_at": "2011-01-26T19:14:43Z", "permissions": { "admin": false, "push": false, "pull": true }, "allow_rebase_merge": true, "allow_squash_merge": true, "allow_merge_commit": true, "subscribers_count": 42, "network_count": 0 }, "source": { "id": 1296269, "owner": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": 
"https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "name": "Hello-World", "full_name": "octocat/Hello-World", "description": "This your first repo!", "private": false, "fork": false, "url": "https://api.github.com/repos/octocat/Hello-World", "html_url": "https://github.com/octocat/Hello-World", "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}", "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}", "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}", "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}", "clone_url": "https://github.com/octocat/Hello-World.git", "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}", "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}", "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}", "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}", "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}", "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors", "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments", "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads", "events_url": "http://api.github.com/repos/octocat/Hello-World/events", "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks", "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}", "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}", "git_tags_url": 
"http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}", "git_url": "git:github.com/octocat/Hello-World.git", "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks", "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}", "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}", "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}", "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}", "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}", "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages", "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges", "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}", "mirror_url": "git:git.example.com/octocat/Hello-World", "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}", "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}", "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}", "ssh_url": "git@github.com:octocat/Hello-World.git", "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers", "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}", "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers", "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription", "svn_url": "https://svn.github.com/octocat/Hello-World", "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags", "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams", "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}", "homepage": "https://github.com", "language": null, "forks_count": 9, "stargazers_count": 80, "watchers_count": 80, "size": 108, "default_branch": "master", 
"open_issues_count": 0, "topics": [ "octocat", "atom", "electron", "API" ], "has_issues": true, "has_wiki": true, "has_pages": false, "has_downloads": true, "archived": false, "pushed_at": "2011-01-26T19:06:43Z", "created_at": "2011-01-26T19:01:12Z", "updated_at": "2011-01-26T19:14:43Z", "permissions": { "admin": false, "push": false, "pull": true }, "allow_rebase_merge": true, "allow_squash_merge": true, "allow_merge_commit": true, "subscribers_count": 42, "network_count": 0 } } About 2097 lines GET /users/secfigo/repos
  19. 19. { REST API } GET /users/secfigo/repos [ { "id": 112903642, "name": "ansible-role-gauntlt", "full_name": "secfigo/ansible-role-gauntlt", "owner": { “login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}”, "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", ... ]
  20. 20. { REST API } GET /users/secfigo/repos [ { "id": 112903642, "full_name": "secfigo/ansible-role-gauntlt", "owner": { “login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}", "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", …}, { … }]
  21. 21. { REST API } [ { "id": 112903642, "full_name": "secfigo/ansible-role-gauntlt", "owner": { “login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}", "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", …}, { … }] GET /users/secfigo/repos
  22. 22. { REST API } [ { "id": 112903642, "full_name": "secfigo/ansible-role-gauntlt", "owner": { “login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/ branch}", "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", …}, { … }] GET /users/secfigo/repos
  23. 23. DEMO: Get a list of repositories.
  24. 24. Let's get the list of branches
  25. 25. { REST API } GET /users/secfigo/repos Response: List of Repos { REST API } GET repos/se../an…/git/refs
  26. 26. { REST API } GET /users/secfigo/repos Response: List of Repos { REST API } GET repos/sec../an…/git/refs [ …, { "ref": "refs/heads/prod", "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/refs/h "object": { "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/comm 083a7ad90adb44003926fb93cc879cf099f5b693" } }, …]
  27. 27. query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/", first:30){ edges{ node{ name } } } } } } } }
  28. 28. DEMO: Get a list of branches with/without GraphQL
  29. 29. Different Versions of API 2
  30. 30. https://api.site.com/v1 { REST API } v1 v2 https://api.site.com/v2
  31. 31. https://api.site.com/v1 { REST API } type Query { hero: Character } type Character { name: String friends: [Character] } type Query { hero: Character } type Character { name: String friends: [Character] planet: String } v1 v2 https://api.site.com/v2
  32. 32. Schema Introspection 3
  33. 33. { REST API } query { __type(name: "Repository") { name kind description fields { name } } } Read API Documentation
  34. 34. Simple and Efficient 4
  35. 35. { REST API } query { user(login:"secfigo") { name } } Fetch Everything
  36. 36. Security Issues: Authentication, Denial of Service (Resource Exhaustion), Authorization, Error Handling
  37. 37. Authentication 1
  38. 38. Authentication
  39. 39. Typical HTTP/REST Auth’n
  40. 40. GraphQL doesn't have middleware: Resolver(s)
  41. 41. GraphQL - No Middleware: Resolver(s)
  42. 42. Resource Exhaustion 2
  43. 43. NESTED QUERIES: query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/"){ edges{ node{ name edges{ node{ … edges{ node{ … } … }
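The nested-query slide above shows the shape of a resource-exhaustion query: every level of `edges { node { ... } }` multiplies the work the server has to do. The following is an added example, not code from the talk: a dependency-free pre-validator in JavaScript that estimates selection depth and the product of `first:` page sizes along the nesting path, and that also flags the `__type`/`__schema` fields from the schema-introspection slide so introspection can be switched off outside development. The token scan, the limit values, the `analyzeQuery`/`checkQuery` helpers and the deeper `DEEP_QUERY` are all constructed for this demonstration; a production check should run on the AST produced by the `graphql` package, as libraries such as graphql-depth-limit and graphql-cost-analysis do.

```javascript
// Added example, not from the talk: estimate the cost of a GraphQL query
// before it reaches the resolvers. Works on a crude token stream so it runs
// without the `graphql` package; a real deployment should validate the AST.

// Tokenizer: strings, comments, names, numbers, spread, punctuators, whitespace.
const TOKEN_RE = /"(?:[^"\\]|\\.)*"|#[^\n]*|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|\.\.\.|[{}():,\[\]!$@=|]|\s+/g;

function tokenize(query) {
  return (query.match(TOKEN_RE) || []).filter((t) => !/^\s/.test(t) && !t.startsWith('#'));
}

// Depth = nesting of selection sets (the outer `query {` counts as 1).
// Cost = product of `first:` arguments along the deepest list path, i.e. the
// number of items a chain such as repositories(first:30) -> refs(first:30)
// can force the server to resolve (900). Variables ($n) are not resolved here.
function analyzeQuery(query) {
  const tokens = tokenize(query);
  const multipliers = [1]; // multiplier of each open selection set
  let depth = 0;
  let maxDepth = 0;
  let maxCost = 1;
  let pendingMultiplier = 1; // page size seen in the arguments of the field being opened
  let introspection = false;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') {
      depth += 1;
      maxDepth = Math.max(maxDepth, depth);
      const m = multipliers[multipliers.length - 1] * pendingMultiplier;
      multipliers.push(m);
      maxCost = Math.max(maxCost, m);
      pendingMultiplier = 1;
    } else if (t === '}') {
      depth -= 1;
      multipliers.pop();
      pendingMultiplier = 1;
    } else if (t === 'first' && tokens[i + 1] === ':' && /^\d+$/.test(tokens[i + 2] || '')) {
      pendingMultiplier = parseInt(tokens[i + 2], 10);
    } else if (t === '__schema' || t === '__type') {
      introspection = true;
    }
  }
  return { depth: maxDepth, cost: maxCost, introspection };
}

// Limits are constructed for the demonstration; tune them per schema.
const DEFAULT_LIMITS = { maxDepth: 10, maxCost: 10000, allowIntrospection: false };

function checkQuery(query, limits = DEFAULT_LIMITS) {
  const stats = analyzeQuery(query);
  const reasons = [];
  if (stats.depth > limits.maxDepth) reasons.push(`depth ${stats.depth} exceeds ${limits.maxDepth}`);
  if (stats.cost > limits.maxCost) reasons.push(`estimated cost ${stats.cost} exceeds ${limits.maxCost}`);
  if (stats.introspection && !limits.allowIntrospection) reasons.push('introspection is disabled');
  return { ok: reasons.length === 0, reasons, ...stats };
}

// The branch-listing query from the slides: depth 8, cost 30 * 30 = 900.
const SLIDE_QUERY = `query { user(login:"secfigo") { repositories(first:30) { edges { node {
  nameWithOwner refs(refPrefix: "refs/", first:30){ edges{ node{ name } } } } } } } }`;

// Constructed deeper variant: three nested connections of 100 -> cost 1,000,000.
const DEEP_QUERY = `query {
  user(login: "secfigo") {
    repositories(first: 100) { edges { node {
      refs(refPrefix: "refs/", first: 100) { edges { node {
        target { ... on Commit { history(first: 100) { edges { node { oid } } } } }
      } } }
    } } }
  }
}`;

// The introspection query from the slides.
const INTROSPECTION_QUERY = `query { __type(name: "Repository") { name kind description fields { name } } }`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const q of [SLIDE_QUERY, DEEP_QUERY, INTROSPECTION_QUERY]) console.log(checkQuery(q));
}
```

Run the file with `node` to see the three verdicts: the slide query passes, the deeper variant is rejected on both depth and cost, and the introspection query is rejected unless `allowIntrospection` is set. The check runs before execution, so an expensive query is turned away without the resolvers ever touching the backend microservices.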
  44. 44. Authorization 2
  45. 45. Authorization: IsAuthorized? Base Resolver, isAuthn Resolver, isAuthz Resolver
  46. 46. Error Handling 4
  47. 47. NESTED QUERIES: query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/", first:30){ edges{ <— Error here node{ name edges{ node{ … edges{ node{ <— Error here … } } } … }
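Slides 38 to 41 make the point that GraphQL has no per-endpoint middleware to hang authentication on, slide 45 sketches the resolver chain (base resolver, isAuthn resolver, isAuthz resolver), and slide 47 raises error handling inside nested queries. As an added example, not the speaker's code, here is that chain in JavaScript: wrapper functions enforce authentication and object-level authorization around a plain data resolver, and a small executor masks internal errors before they reach the `errors` array. The repository data, user logins, the `requireAuthn`/`requireRepoAccess` helpers and `executeField` are all constructed for this demonstration; the resolver signature mirrors graphql-js but no library is required.

```javascript
// Added example, not from the talk: authn/authz enforced in the resolver
// chain, since GraphQL offers no per-route middleware. Resolver signatures
// follow graphql-js (parent, args, context, info); data is constructed.

const REPOS = [
  { owner: 'alice', name: 'public-tools', private: false, collaborators: [] },
  { owner: 'alice', name: 'secret-keys', private: true, collaborators: ['carol'] },
];

class AuthenticationError extends Error {
  constructor(message) { super(message); this.name = 'AuthenticationError'; }
}

// Base resolver: pure data access, no security decisions.
function repositoryResolver(parent, args, context) {
  return REPOS.find((r) => r.owner === args.owner && r.name === args.name) || null;
}

// isAuthn layer: the transport (a token-validating HTTP handler, assumed here)
// puts the verified principal on context.user; no principal, no resolver call.
function requireAuthn(resolver) {
  return (parent, args, context, info) => {
    if (!context.user) throw new AuthenticationError('authentication required');
    return resolver(parent, args, context, info);
  };
}

function canRead(user, repo) {
  return !repo.private || repo.owner === user.login || repo.collaborators.includes(user.login);
}

// isAuthz layer: object-level check on the fetched value. A private repo the
// caller may not read resolves to null, exactly like a repo that does not
// exist, so the response does not reveal which names are taken.
function requireRepoAccess(resolver) {
  return (parent, args, context, info) => {
    const repo = resolver(parent, args, context, info);
    return repo && canRead(context.user, repo) ? repo : null;
  };
}

// Resolver map in the shape a GraphQL server consumes.
const resolvers = {
  Query: {
    repository: requireAuthn(requireRepoAccess(repositoryResolver)),
  },
};

// Error handling: authentication failures are reported as such; anything else
// (database errors, hostnames, stack traces) is logged server-side and replaced
// by a generic message, so the errors array never exposes internals.
function executeField(fieldName, args, context, map = resolvers) {
  const resolver = map.Query[fieldName];
  try {
    return { data: { [fieldName]: resolver(null, args, context, {}) }, errors: [] };
  } catch (err) {
    const exposed = err instanceof AuthenticationError ? err.message : 'internal error';
    context.log.push(`${fieldName}: ${err.name}: ${err.message}`);
    return { data: { [fieldName]: null }, errors: [{ message: exposed, path: [fieldName] }] };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const ctx = { user: { login: 'bob' }, log: [] };
  console.log(executeField('repository', { owner: 'alice', name: 'secret-keys' }, ctx));
}
```

The order of the wrappers matters: `requireAuthn` is outermost so an anonymous caller never reaches the data layer, and `requireRepoAccess` runs after the base resolver because the decision depends on the object that was fetched. The same two wrappers can be applied field by field, which is what the slides mean by checks living in the resolvers rather than in middleware.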
  48. 48. Microservices
  49. 49. The microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API.
  50. 50. Monolith: UI, Business Logic, Data Access Layer. Microservices: UI and many small µ-services.
  51. 51. Source: https://martinfowler.com/articles/microservices.html
  52. 52. Source: https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe
  53. 53. DevSecOps Challenges
  54. 54. Look mom, new kind! No tools for you
  55. 55. New tech: SAST on the backend is not mature. Use existing tools and code review.
  56. 56. DAST can be automated using existing developer tooling such as tests: run them via Selenium and pump the traffic through a proxy, or use curl to create custom queries.
  57. 57. OAST is still possible. OAST is a made-up term for Open Source Application Component Security Testing.
  58. 58. source: https://github.com/graphql/graphiql
  59. 59. DevSecOps Maturity Model (SDOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  60. 60. Security Champions
  61. 61. Shifting Left, literally
  62. 62. DevSecOps Studio: a virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic. https://github.com/teacheraio/DevSecOps-Studio/
  63. 63. DevSecOps Studio Benefits. A. Easy to set up: takes only a few mins to set up and start using, with just one command. B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools. C. Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
  64. 64. Conway's Law: “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.”
  65. 65. Join the conversation #DevSecCon Thank you @secfigo
