Join the conversation #DevSecCon
BY MOHAMMED A. IMRAN
In graph we trust: Microservices,
GraphQL and security challenges
Hi, I'm Imran
@secfigo
I work at
Ahem!
Let's talk about the Modern Gold Rush
I mean, The Next Big Thing
{ REST API }
GraphQL History
2012 - START: Facebook started working on it.
2015 - PUBLIC RELEASE: Facebook open sourced GraphQL.
2016 - GITHUB: GitHub previewed its GraphQL API v4.
2017 - Members: GitHub, Pinterest, Spotify, Twitter and many more.
GraphQL
GraphQL is a query language for APIs and a runtime for
fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of
the data in your API, gives clients the power to ask for exactly what
they need and nothing more, makes it easier to evolve APIs over
time, and enables powerful developer tools.
source: graphql.org
Benefits & Use Cases
1. Multiple resources in one request (speed)
2. Versioning hell
3. Schema Introspection
4. Simple and Efficient to use
1. Multiple resources in one request
Example: Let's Create a GitHub Secret Scanner
1. List of Repositories
2. List of branches in repo
3. Scan the code in branch
4. Analyse for secrets
Let's get a list of Repositories
Using the v3 GitHub API - https://developer.github.com/v3/repos/#list-user-repositories
{ REST API }
GET /users/secfigo/repos
{ REST API }
{
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0,
"license": {
"key": "mit",
"name": "MIT License",
"spdx_id": "MIT",
"url": "https://api.github.com/licenses/mit",
"html_url": "http://choosealicense.com/licenses/mit/"
},
"organization": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "Organization",
"site_admin": false
},
"parent": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0
},
"source": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0
}
}
About 2097 lines
{ REST API }
GET /users/secfigo/repos
[
{
"id": 112903642,
"name": "ansible-role-gauntlt",
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
"login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}",
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
…
}, { …
}
]
Of the whole response, only a handful of fields (full_name, branches_url, commits_url) are actually needed for the next step.
DEMO: Get a list of repositories.
Let's get a list of branches
{ REST API }
GET /users/secfigo/repos
Response: List of Repos
GET repos/sec../an…/git/refs
[
…, {
"ref": "refs/heads/prod",
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/refs/h
"object": {
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/comm
083a7ad90adb44003926fb93cc879cf099f5b693"
}
}, …]
query {
  user(login:"secfigo") {
    repositories(first:30) {
      edges {
        node {
          nameWithOwner
          refs(refPrefix: "refs/", first:30) {
            edges {
              node {
                name
              }
            }
          }
        }
      }
    }
  }
}
DEMO: Get a list of branches with/without GraphQL.
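The four scanner steps above (repositories, branches, code, secrets), as an added example in Python that is not part of the talk. The response it parses is constructed to mirror the shape of the `user -> repositories -> edges -> node -> refs -> edges -> node` query on the slide and was not captured from api.github.com; `fetch_blob` and the file contents are hypothetical stand-ins for a real blob fetch, and the secret patterns are well-known public formats (the AWS key id is the documented example value).

```python
"""Added example (not from the talk): walk a GitHub GraphQL v4-style response
for a user's repositories and their refs, then scan file contents for secrets.
The response is CONSTRUCTED to mirror the slide's query shape; `fetch_blob`
and FAKE_BLOBS are hypothetical stand-ins for fetching code from a branch."""
import json
import re

# Constructed response mirroring the slide's query shape (not real API output).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "user": {
            "repositories": {
                "edges": [
                    {"node": {
                        "nameWithOwner": "secfigo/ansible-role-gauntlt",
                        "refs": {"edges": [
                            {"node": {"name": "heads/master"}},
                            {"node": {"name": "heads/prod"}},
                        ]},
                    }},
                    {"node": {
                        "nameWithOwner": "secfigo/demo-app",
                        "refs": {"edges": [{"node": {"name": "heads/master"}}]},
                    }},
                ]
            }
        }
    }
})

# Constructed blob contents keyed by (repo, ref); stands in for a blob fetch.
FAKE_BLOBS = {
    ("secfigo/ansible-role-gauntlt", "heads/master"): "roles:\n  - gauntlt\n",
    ("secfigo/ansible-role-gauntlt", "heads/prod"):
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    ("secfigo/demo-app", "heads/master"):
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

# Well-known public secret formats; AKIA... is the documented AWS example key id.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def repos_and_refs(response_text):
    """Flatten the GraphQL edges/node envelope into (repo, ref) pairs."""
    data = json.loads(response_text)
    pairs = []
    for repo_edge in data["data"]["user"]["repositories"]["edges"]:
        node = repo_edge["node"]
        for ref_edge in node["refs"]["edges"]:
            pairs.append((node["nameWithOwner"], ref_edge["node"]["name"]))
    return pairs


def fetch_blob(repo, ref):
    """Hypothetical blob fetch; a real scanner would call the API here."""
    return FAKE_BLOBS.get((repo, ref), "")


def find_secrets(text):
    """Return the names of secret patterns that match, never the secret itself."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def scan(response_text, fetch=fetch_blob):
    """Run the four slide steps: repos -> refs -> code -> secret findings."""
    findings = []
    for repo, ref in repos_and_refs(response_text):
        hits = find_secrets(fetch(repo, ref))
        if hits:
            findings.append({"repo": repo, "ref": ref, "kinds": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSE):
        print(f"{f['repo']}@{f['ref']}: {', '.join(f['kinds'])}")
```

The findings report only which kind of secret matched and where; the matched value itself is never copied into the output, so the scanner's own logs do not become a second place the secret lives.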
2. Different Versions of API
{ REST API }
v1: https://api.site.com/v1
v2: https://api.site.com/v2
GraphQL schema, v1:
type Query {
  hero: Character
}
type Character {
  name: String
  friends: [Character]
}
GraphQL schema, v2:
type Query {
  hero: Character
}
type Character {
  name: String
  friends: [Character]
  planet: String
}
3. Schema Introspection
{ REST API }
Read API Documentation
query {
  __type(name: "Repository") {
    name
    kind
    description
    fields {
      name
    }
  }
}
4. Simple and Efficient
{ REST API }
Fetch Everything
query {
  user(login:"secfigo") {
    name
  }
}
Security Issues
1. Authentication
2. Denial of Service (Resource Exhaustion)
3. Authorization
4. Error Handling
1. Authentication
Typical HTTP/REST Auth'n: middleware
GraphQL doesn't have middleware: authentication has to happen in the Resolver(s)
2. Resource Exhaustion
query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/"){
edges{
node{
name
edges{
node{
…
edges{
node{
…
}
…
}
NESTED
QUERIES
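A pre-execution gate for the two points above, as an added example that is not part of the talk: it rejects queries nested deeper than a limit (the resource-exhaustion case) and, unless explicitly allowed, queries that use the `__schema` / `__type` introspection fields from the Schema Introspection section. It tokenises the raw query text rather than using a GraphQL library; `MAX_DEPTH`, `check_query` and `abusive_query` are this example's own names and the limit of 10 is an assumed policy value.

```python
"""Added example (not from the talk): reject deeply nested or introspection
queries before any resolver runs. Small hand-written tokenizer, no GraphQL
library; MAX_DEPTH = 10 is an assumed policy value."""
import re

MAX_DEPTH = 10  # assumed policy value; tune per schema

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def strip_strings_and_comments(query):
    """Blank out string literals and comments so braces inside them are not
    counted as selection-set nesting (e.g. a `{` inside a login argument)."""
    out = []
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if query.startswith('"""', i):            # block string
            end = query.find('"""', i + 3)
            end = n if end == -1 else end + 3
            out.append(" " * (end - i)); i = end
        elif c == '"':                            # regular string, honouring escapes
            j = i + 1
            while j < n and query[j] != '"':
                j += 2 if query[j] == "\\" else 1
            end = min(j + 1, n)
            out.append(" " * (end - i)); i = end
        elif c == "#":                            # comment to end of line
            end = query.find("\n", i)
            end = n if end == -1 else end
            out.append(" " * (end - i)); i = end
        else:
            out.append(c); i += 1
    return "".join(out)


def selection_depth(query):
    """Maximum nesting of selection sets; the operation's outer `{` is depth 1.
    Returns -1 for unbalanced braces."""
    depth = max_depth = 0
    for c in strip_strings_and_comments(query):
        if c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                return -1
    return max_depth if depth == 0 else -1


def uses_introspection(query):
    """True if the query selects __schema or __type (outside strings)."""
    names = set(_NAME.findall(strip_strings_and_comments(query)))
    return bool(names & {"__schema", "__type"})


def check_query(query, max_depth=MAX_DEPTH, allow_introspection=False):
    """Return (allowed, reason). Runs before execution, so a rejected query
    costs no resolver work at all."""
    depth = selection_depth(query)
    if depth < 0:
        return False, "malformed query"
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if not allow_introspection and uses_introspection(query):
        return False, "introspection disabled"
    return True, "ok"


# Constructed: the slide's legitimate 30-repo / 30-ref query (depth 8).
BRANCHES_QUERY = """query {
  user(login:"secfigo") { repositories(first:30) { edges { node {
    nameWithOwner
    refs(refPrefix: "refs/", first:30) { edges { node { name } } }
  } } } }
}"""


def abusive_query(levels):
    """Construct a query nested `levels` selection sets deep under `user`."""
    return ('query { user(login:"x") ' + "{ refs " * levels
            + "{ name }" + " }" * levels + " }")


if __name__ == "__main__":
    print(check_query(BRANCHES_QUERY))          # (True, 'ok')
    print(check_query(abusive_query(20)))       # depth 22 rejected
```

Depth is only one cost signal: `first:30` nested inside `first:30` is already 900 nodes at depth 8, so a production gate would also bound list sizes and compute a per-query cost, but the brace-depth check alone already stops the unbounded nesting on the slide.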
3. Authorization
Base Resolver: IsAuthorized?
isAuthn Resolver
isAuthz Resolver
4. Error Handling
query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/", first:30){
edges{ <— Error here
node{
name
edges{
node{
…
edges{
node{ <— Error here
…
}
}
}
…
}
NESTED
QUERIES
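The Authentication, Authorization and Error Handling points above, as one added example in Python that is not part of the talk. Because GraphQL has no request-level middleware, each field resolver is wrapped by a base resolver that runs isAuthn, then isAuthz, then the real work; an unexpected exception is masked into a generic error carrying only the field path, so a failure deep inside a nested query still reports where it happened without leaking internals. `Context`, `guarded`, `run_field`, the `REPOS` table and the failing resolver are this example's own constructions, not part of graphql-core or any other library.

```python
"""Added example (not from the talk): resolver-level authn/authz plus error
masking. Everything here is constructed for illustration; no GraphQL library."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Context:
    user: Optional[str]                # None means unauthenticated
    roles: set = field(default_factory=set)


# Constructed data: which repos exist and who may read them.
REPOS = {
    "secfigo/ansible-role-gauntlt": {"private": False, "owner": "secfigo"},
    "secfigo/internal-infra": {"private": True, "owner": "secfigo"},
}


class ResolverError(Exception):
    """An error whose message is safe to return to the client as-is."""


def is_authn(ctx):
    return ctx.user is not None


def can_read_repo(ctx, name):
    """Authz rule. An unknown repo is 'not authorized', not 'not found', so the
    answer does not reveal whether a private name exists."""
    repo = REPOS.get(name)
    if repo is None:
        return False
    return (not repo["private"]) or ctx.user == repo["owner"] or "admin" in ctx.roles


def guarded(authz=None):
    """Decorator = the slide's base resolver: authn first, then authz, then work."""
    def wrap(resolver):
        def run(ctx, path, **args):
            if not is_authn(ctx):
                raise ResolverError("authentication required")
            if authz is not None and not authz(ctx, **args):
                raise ResolverError("not authorized")
            return resolver(ctx, path, **args)
        return run
    return wrap


@guarded(authz=lambda ctx, name: can_read_repo(ctx, name))
def resolve_repository(ctx, path, name):
    """Real resolver; deliberately fails for one repo to show error masking."""
    if name == "secfigo/internal-infra":
        raise RuntimeError("db connection refused at 10.0.0.5:5432")  # constructed
    return {"nameWithOwner": name}


def run_field(resolver, ctx, path, **args):
    """Execute one field the way a GraphQL executor does: partial data plus an
    errors list. Expected errors pass through; anything else is masked so hosts
    and stack traces never reach the client, but the path still does."""
    try:
        return {"data": resolver(ctx, path, **args), "errors": []}
    except ResolverError as e:
        return {"data": None, "errors": [{"message": str(e), "path": path}]}
    except Exception:
        return {"data": None, "errors": [{"message": "internal error", "path": path}]}


if __name__ == "__main__":
    path = ["user", "repositories", "edges", 0, "node"]
    print(run_field(resolve_repository, Context(user=None), path,
                    name="secfigo/ansible-role-gauntlt"))
    print(run_field(resolve_repository, Context(user="secfigo"), path,
                    name="secfigo/internal-infra"))
```

Log the original exception server-side inside the masking branch (omitted here to keep the block short); the client-facing message stays generic and the path is what lets the client correlate the error with the node it asked for.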
Microservices
"The microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API."
Monolith: UI / Business Logic / Data Access Layer
Microservices: UI / µ µ µ / µ µ
Source: https://martinfowler.com/articles/microservices.html
Source: https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe
DevSecOps Challenges
Look mom, new kind! No tools for you
New tech: SAST for the backend is not mature. Use existing tools and code review.
DAST can be automated using existing developer tooling like tests, run via Selenium and pumped through a proxy.
Or use curl to create custom queries.
OAST is still possible.
OAST: made-up term for Open source Application Component Security Testing.
source: https://github.com/graphql/graphiql
DevSecOps Maturity Model (SDOMM)
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
Security Champions
Shifting Left, literally
DevSecOps Studio
https://github.com/teacheraio/DevSecOps-Studio/
A virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic.
DevSecOps Studio Benefits
A. Easy to set up: takes only a few minutes to set up and start using, with just one command.
B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
C. Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
Conway's Law
"Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure."
Join the conversation #DevSecCon
Thank you
@secfigo

2022 APIsecure_Securing APIs with Open Standards
 
Ajaxworld Opensocial Presentation
Ajaxworld Opensocial PresentationAjaxworld Opensocial Presentation
Ajaxworld Opensocial Presentation
 
grlc: Bridging the Gap Between RESTful APIs and Linked Data
grlc: Bridging the Gap Between RESTful APIs and Linked Datagrlc: Bridging the Gap Between RESTful APIs and Linked Data
grlc: Bridging the Gap Between RESTful APIs and Linked Data
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015
 
GraphQL - The new "Lingua Franca" for API-Development
GraphQL - The new "Lingua Franca" for API-DevelopmentGraphQL - The new "Lingua Franca" for API-Development
GraphQL - The new "Lingua Franca" for API-Development
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
 
API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)
 
Graphql usage
Graphql usageGraphql usage
Graphql usage
 
2.28.17 Introducing DSpace 7 Webinar Slides
2.28.17 Introducing DSpace 7 Webinar Slides2.28.17 Introducing DSpace 7 Webinar Slides
2.28.17 Introducing DSpace 7 Webinar Slides
 
Mining public datasets using opensource tools: Zeppelin, Spark and Juju
Mining public datasets using opensource tools: Zeppelin, Spark and JujuMining public datasets using opensource tools: Zeppelin, Spark and Juju
Mining public datasets using opensource tools: Zeppelin, Spark and Juju
 
Building Hypermedia APIs in JavaScript
Building Hypermedia APIs in JavaScriptBuilding Hypermedia APIs in JavaScript
Building Hypermedia APIs in JavaScript
 
APIdays Paris 2019 - Delivering Exceptional User Experience with REST and Gra...
APIdays Paris 2019 - Delivering Exceptional User Experience with REST and Gra...APIdays Paris 2019 - Delivering Exceptional User Experience with REST and Gra...
APIdays Paris 2019 - Delivering Exceptional User Experience with REST and Gra...
 
China Science Challenge
China Science ChallengeChina Science Challenge
China Science Challenge
 
SgCodeJam24 Workshop
SgCodeJam24 WorkshopSgCodeJam24 Workshop
SgCodeJam24 Workshop
 
OpenAPI v.Next - Events, Alternative Schemas & the Road Ahead
OpenAPI v.Next - Events, Alternative Schemas & the Road AheadOpenAPI v.Next - Events, Alternative Schemas & the Road Ahead
OpenAPI v.Next - Events, Alternative Schemas & the Road Ahead
 
Going to Infinity and Beyond Documentation with OpenAPI
Going to Infinity and Beyond Documentation with OpenAPIGoing to Infinity and Beyond Documentation with OpenAPI
Going to Infinity and Beyond Documentation with OpenAPI
 
A Snapshot of API Design Trends In 2019
A Snapshot of API Design Trends In 2019A Snapshot of API Design Trends In 2019
A Snapshot of API Design Trends In 2019
 
Crafting APIs
Crafting APIsCrafting APIs
Crafting APIs
 

More from Mohammed A. Imran

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
Mohammed A. Imran
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
Mohammed A. Imran
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
Mohammed A. Imran
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
Mohammed A. Imran
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
Mohammed A. Imran
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
Mohammed A. Imran
 

More from Mohammed A. Imran (14)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Recently uploaded

Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
Yara Milbes
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
aymanquadri279
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
Patrick Weigel
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 

Recently uploaded (20)

Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 

In graph we trust: Microservices, GraphQL and security challenges

  • 1. Join the conversation #DevSecCon BY MOHAMMED A. IMRAN In graph we trust: Microservices, GraphQL and security challenges
  • 10. The Next Big Thing
  • 11. The Next Big Thing { REST API }
  • 12. GraphQL History (Gold Rush): 2012 START: Facebook started working on it. 2015 PUBLIC RELEASE: Facebook open sourced GraphQL. 2016 GITHUB: GitHub previewed its GraphQL API v4. 2017 Members: GitHub, Pinterest, Spotify, Twitter and many more.
  • 13. GraphQL: GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. source: graphql.org
  • 14. Benefits & Use Cases: Multiple resources in one request (speed); Versioning hell; Schema Introspection; Simple and Efficient to use
  • 15. Multiple resources in one request (1)
  • 16. Example: Let's Create a GitHub Secret Scanner
  • 17. 1. List of Repositories; 2. List of branches in repo; 3. Scan the code in branch; 4. Analyse for secrets
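The four steps above, carried out as a single GraphQL request and followed by the "analyse for secrets" pass, as an added example that is not part of the talk's slides. The query's field names (viewer, repositories, refs, target, tree, entries, object, Blob.text) follow GitHub's v4 schema as I recall it and should be treated as an assumption to verify with an introspection query; the response JSON is constructed, the detection rules are illustrative, and AKIAIOSFODNN7EXAMPLE is the example access key ID from AWS's own documentation, not a live credential.

```python
"""Added example: repos -> branches -> files in one GraphQL query, then a secret scan.
Field names are assumed from GitHub's v4 schema; SAMPLE_RESPONSE is constructed."""
import json
import re


def build_query(repo_limit: int = 10, branch_limit: int = 5) -> str:
    """Collapse the talk's four REST round trips into one nested query.
    Hypothetical operation name; argument names follow GitHub v4 as assumed."""
    return f"""
query SecretScan {{
  viewer {{
    repositories(first: {repo_limit}) {{
      nodes {{
        name
        refs(refPrefix: "refs/heads/", first: {branch_limit}) {{
          nodes {{
            name
            target {{
              ... on Commit {{
                tree {{
                  entries {{
                    name
                    object {{ ... on Blob {{ text }} }}
                  }}
                }}
              }}
            }}
          }}
        }}
      }}
    }}
  }}
}}"""


# Illustrative rules only; a real scanner would carry many more, plus entropy checks.
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}


def scan_text(text: str) -> list:
    """Return (rule, line_number) for every rule that matches a line of the blob."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(line):
                hits.append((rule, lineno))
    return hits


def scan_response(data: dict) -> list:
    """Walk a response shaped like build_query() and collect findings per repo/branch/file."""
    findings = []
    for repo in data["data"]["viewer"]["repositories"]["nodes"]:
        for ref in repo["refs"]["nodes"]:
            target = ref.get("target") or {}
            for entry in (target.get("tree") or {}).get("entries", []):
                text = (entry.get("object") or {}).get("text")
                if text is None:  # binary blob, or a sub-tree rather than a Blob
                    continue
                for rule, lineno in scan_text(text):
                    findings.append({"repo": repo["name"], "branch": ref["name"],
                                     "path": entry["name"], "rule": rule, "line": lineno})
    return findings


# Constructed stand-in for the API response, so the scanner runs offline.
SAMPLE_RESPONSE = json.loads("""
{ "data": { "viewer": { "repositories": { "nodes": [
  { "name": "hello-world",
    "refs": { "nodes": [
      { "name": "master",
        "target": { "tree": { "entries": [
          { "name": "README.md", "object": { "text": "# hello\\n" } },
          { "name": "settings.py",
            "object": { "text": "DEBUG = True\\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\\n" } },
          { "name": "logo.png", "object": { "text": null } },
          { "name": "src", "object": {} }
        ] } } },
      { "name": "feature/ci",
        "target": { "tree": { "entries": [
          { "name": "deploy_key",
            "object": { "text": "-----BEGIN OPENSSH PRIVATE KEY-----\\nAAAA...\\n" } }
        ] } } }
    ] } }
] } } } }
""")

if __name__ == "__main__":
    print(build_query(2, 3))
    print(json.dumps(scan_response(SAMPLE_RESPONSE), indent=2))
```

The same nesting that saves round trips is what makes a GraphQL endpoint easy to overload: one request can fan out to every branch of every repository, so a server exposing a schema like this needs depth and cost limits, and GitHub documents node and rate limits for exactly this kind of call.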
  • 18. Let's get the list of Repositories using the v3 GitHub API - https://developer.github.com/v3/repos/#list-user-repositories
  • 19. { REST API } GET /users/secfigo/repos
  • 20. { REST API }{ "id": 1296269, "owner": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "name": "Hello-World", "full_name": "octocat/Hello-World", "description": "This your first repo!", "private": false, "fork": false, "url": "https://api.github.com/repos/octocat/Hello-World", "html_url": "https://github.com/octocat/Hello-World", "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}", "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}", "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}", "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}", "clone_url": "https://github.com/octocat/Hello-World.git", "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}", "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}", "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}", "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}", "contents_url": 
"http://api.github.com/repos/octocat/Hello-World/contents/{+path}", "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors", "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments", "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads", "events_url": "http://api.github.com/repos/octocat/Hello-World/events", "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks", "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}", "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}", "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}", "git_url": "git:github.com/octocat/Hello-World.git", "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks", "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}", "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}", "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}", "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}", "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}", "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages", "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges", "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}", "mirror_url": "git:git.example.com/octocat/Hello-World", "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}", "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}", "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}", "ssh_url": "git@github.com:octocat/Hello-World.git", "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers", "statuses_url": 
"http://api.github.com/repos/octocat/Hello-World/statuses/{sha}", "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers", "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription", "svn_url": "https://svn.github.com/octocat/Hello-World", "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags", "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams", "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}", "homepage": "https://github.com", "language": null, "forks_count": 9, "stargazers_count": 80, "watchers_count": 80, "size": 108, "default_branch": "master", "open_issues_count": 0, "topics": [ "octocat", "atom", "electron", "API" ], "has_issues": true, "has_wiki": true, "has_pages": false, "has_downloads": true, "archived": false, "pushed_at": "2011-01-26T19:06:43Z", "created_at": "2011-01-26T19:01:12Z", "updated_at": "2011-01-26T19:14:43Z", "permissions": { "admin": false, "push": false, "pull": true }, "allow_rebase_merge": true, "allow_squash_merge": true, "allow_merge_commit": true, "subscribers_count": 42, "network_count": 0, "license": { "key": "mit", "name": "MIT License", "spdx_id": "MIT", "url": "https://api.github.com/licenses/mit", "html_url": "http://choosealicense.com/licenses/mit/" }, "organization": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": 
"https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "Organization", "site_admin": false }, "parent": { "id": 1296269, "owner": { "login": "octocat", "id": 1, "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "name": "Hello-World", "full_name": "octocat/Hello-World", "description": "This your first repo!", "private": false, "fork": false, "url": "https://api.github.com/repos/octocat/Hello-World", "html_url": "https://github.com/octocat/Hello-World", "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}", "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}", "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}", "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}", "clone_url": "https://github.com/octocat/Hello-World.git", "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}", "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}", 
  ... (rest of the sample repository JSON omitted) About 2097 lines GET /users/secfigo/repos
  • 21. { REST API } GET /users/secfigo/repos [ { "id": 112903642, "name": "ansible-role-gauntlt", "full_name": "secfigo/ansible-role-gauntlt", "owner": { "login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}", "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", ... ]
  • 22. { REST API } GET /users/secfigo/repos [ { "id": 112903642, "full_name": "secfigo/ansible-role-gauntlt", "owner": { "login": "secfigo", ... }, "private": false, "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt", ... "branches_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}", "clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git", ... "commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}", ... }, { ... } ]
  • 25. Get a list of repositories. DEMO
  • 26. Let's get a list of branches
  • 27. { REST API } GET /users/secfigo/repos Response: List of Repos { REST API } GET repos/se../an…/git/refs
  • 28. { REST API } GET /users/secfigo/repos Response: List of Repos { REST API } GET repos/sec../an…/git/refs [ …, { "ref": "refs/heads/prod", "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/refs/h "object": { "url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/comm 083a7ad90adb44003926fb93cc879cf099f5b693" } }, …]
  • 29. query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/", first:30){ edges{ node{ name } } } } } } } }
  • 30. Get a list of branches with/without GraphQL. DEMO
  • 32. { REST API } versioning: v1 https://api.site.com/v1, v2 https://api.site.com/v2
  • 33. { REST API } v1 https://api.site.com/v1: type Query { hero: Character } type Character { name: String friends: [Character] } | v2 https://api.site.com/v2: type Query { hero: Character } type Character { name: String friends: [Character] planet: String }
  • 35. { REST API } query { __type(name: "Repository") { name kind description fields { name } } } Read API Documentation
  • 37. { REST API } query { user(login:"secfigo") { name } } Fetch Everything
  • 38. Security Issues: Authentication; Denial of Service (Resource Exhaustion); Authorization; Error Handling
  • 43. GraphQL doesn’t have middleware: Resolver(s)
  • 44. GraphQL - No Middleware: Resolver(s)
  • 46. query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/"){ edges{ node{ name edges{ node{ … edges{ node{ … } … } NESTED QUERIES
  • 50. query { user(login:"secfigo") { repositories(first:30) { edges { node { nameWithOwner refs(refPrefix: "refs/", first:30){ edges{ <— Error here node{ name edges{ node{ … edges{ node{ <— Error here … } } } … } NESTED QUERIES
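As an added example (not the speaker's code), a static depth and page-size estimate over the nested branch-listing query from these slides, the kind of check a gateway can run before any resolver executes; the limits, the two sample queries and the `edges`-without-page-size rule are constructed for illustration, and a production implementation would walk the parsed AST rather than raw tokens.

```python
import re
from math import prod
from typing import List, NamedTuple, Optional

# Constructed samples: the slides' branch-listing query, and a variant whose refs connection has no page size.
BOUNDED_QUERY = '''query { user(login:"secfigo") { repositories(first:30) { edges { node {
  nameWithOwner refs(refPrefix: "refs/", first:30) { edges { node { name } } } } } } } }'''
UNBOUNDED_QUERY = BOUNDED_QUERY.replace('refPrefix: "refs/", first:30', 'refPrefix: "refs/"')

TOKEN = re.compile(r'\{|\}|[A-Za-z_]\w*(?:\s*\([^)]*\))?|"[^"]*"|\S')  # brace, field+args, string, other
PAGE_SIZE = re.compile(r'\b(?:first|last)\s*:\s*(\d+)')
class Estimate(NamedTuple):
    depth: int        # deepest nested selection set
    nodes: int        # upper bound on connection nodes, from the first/last arguments on the path
    unbounded: bool   # an `edges` selection under a field that gave no first/last

def analyze(query: str) -> Estimate:
    """Estimate query cost from the text alone, before any resolver runs."""
    max_depth = nodes = 1
    path: List[Optional[int]] = []   # page size of the field owning each open selection set
    pending: Optional[int] = None    # page size of the field about to open a selection set
    unbounded = False
    for tok in TOKEN.findall(query):
        if tok == '{':
            path.append(pending)
            pending = None
            max_depth = max(max_depth, len(path))
            nodes = max(nodes, prod(size or 1 for size in path))  # multiply page sizes along the path
        elif tok == '}':
            if path:
                path.pop()
        else:
            m = PAGE_SIZE.search(tok)
            pending = int(m.group(1)) if m else None
            # Nothing in the query bounds an `edges` list whose parent field set no page size.
            if tok == 'edges' and path and path[-1] is None:
                unbounded = True
    return Estimate(max_depth, nodes, unbounded)
def violations(query: str, max_depth: int = 6, max_nodes: int = 500) -> List[str]:
    """Reasons a gateway would reject the query; an empty list means accept."""
    est = analyze(query)
    problems = []
    if est.depth > max_depth:
        problems.append(f'depth {est.depth} exceeds {max_depth}')
    if est.nodes > max_nodes:
        problems.append(f'up to {est.nodes} nodes exceeds {max_nodes}')
    if est.unbounded:
        problems.append('connection selected without first/last')
    return problems
```

For the slides' query this yields depth 8 and a bound of 30 * 30 = 900 ref nodes, so the two limits above (chosen arbitrarily here) would reject it.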
  • 52. Microservices: "The microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API."
  • 57. Look mom, new kind! No tools for you
  • 58. New tech: SAST for the backend is not mature. Use existing tools and code review.
  • 59. DAST can be automated using existing developer tooling: run the existing tests via Selenium and pump the traffic through a proxy, or use curl to create custom queries.
  • 60. OAST is still possible. (OAST: a made-up term for Open Source Application Component Security Testing.)
  • 62. DevSecOps Maturity Model (SDOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  • 65. DevSecOps Studio: a virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic. https://github.com/teacheraio/DevSecOps-Studio/
  • 66. DevSecOps Studio Benefits: A. Easy to set up: takes only a few minutes to set up and start using, with just one command. B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools. C. Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
  • 67. Conway’s Law: “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.”
  • 68. Join the conversation #DevSecCon Thank you @secfigo