In graph we trust: Microservices, GraphQL and security challenges

Join the conversation #DevSecCon
BY MOHAMMED A. IMRAN
In graph we trust: Microservices,
GraphQL and security challenges

Lets talk about
Modern
Gold Rush

The Next Big Thing
{ REST API }

GraphQL History
Gold Rush201620152012 2017
Github previewed its
GraphQL API v4
GITHUB
Facebook started working
on it.
START
Github, pinterest, Spotify,
twitter and many more
Members
Facebook open sourced
GraphQL
PUBLIC RELEASE

GraphQL
GraphQL is a query language for APIs and a runtime for
fulﬁlling those queries with your existing data.
GraphQL provides a complete and understandable description of
the data in your API, gives clients the power to ask for exactly what
they need and nothing more, makes it easier to evolve APIs over
time, and enables powerful developer tools.
source: graphql.org

Multiple resources in one request (speed)
Versioning hell
Schema Introspection
Simple and Eﬃcient to use
Beneﬁts & Use Cases

Multiple resources in one request 1

≈ç
Let’s Create a Github
Secret Scanner
Example

List of Repositories1
List of branches in repo2
Scan the code in branch3
1
2
3
4
Analyse for secrets4

Lets get list of Repositories
Using v3 GitHub API - https://developer.github.com/v3/repos/#list-user-repositories

{ REST API }
GET /users/secfigo/repos

{ REST API }{
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0,
"license": {
"key": "mit",
"name": "MIT License",
"spdx_id": "MIT",
"url": "https://api.github.com/licenses/mit",
"html_url": "http://choosealicense.com/licenses/mit/"
},
"organization": {
"login": "octocat",
"id": 1,
"gravatar_id": "",
"type": "Organization",
"site_admin": false
},
"parent": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"gravatar_id": "",
"type": "User",
"site_admin": false
},
"private": false,
"fork": false,
"language": null,
"forks_count": 9,
"size": 108,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"network_count": 0
},
"source": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"gravatar_id": "",
"type": "User",
"site_admin": false
},
"private": false,
"fork": false,
"language": null,
"forks_count": 9,
"size": 108,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"network_count": 0
}
}
About 2097 lines

{ REST API }
[
{
"id": 112903642,
"name": "ansible-role-gauntlt",
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
“login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}”,
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
...
]

{ REST API }
[
{
"id": 112903642,
"owner": {
...
},
"private": false,
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}",
...
…}, { …
}]

{ REST API }
[
{
"id": 112903642,
"owner": {
...
},
"private": false,
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/
branch}",
...
…}, { …
}]

≈ç
Get a list of
repositories.
DEMO

{ REST API }
Response: List of Repos
{ REST API }
GET repos/se../an…/git/refs

{ REST API }
Response: List of Repos
{ REST API }
GET repos/sec../an…/git/refs
[
…, {
"ref": "refs/heads/prod",
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/refs/h
"object": {
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/comm
083a7ad90adb44003926fb93cc879cf099f5b693"
}
}, …]

query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/", first:30){
edges{
node{
name
}
}
}
}
}
}
}
}

≈ç
Get a list of branches
with/without graphQLDEMO

https://api.site.com/v1
{ REST API }
v1 v2

{ REST API }
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
}
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
planet: String
}
v1 v2

{ REST API }
query {
__type(name: "Repository") {
name
kind
description
fields {
name
}
}
}
Read API Documentation

{ REST API }
query {
name
}
}
Fetch Everything

Authentication
Denial of Service
(Resource Exhaustion)
Authorization
Error Handling
Security Issues

graphQL doesn’t have middleware
Resolver(s)

graphQL - No Middleware
Resolver(s)

query {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/"){
edges{
node{
name
edges{
node{
…
edges{
node{
…
}
…
}
NESTED
QUERIES

Authorization
IsAuthorized?Base Resolver
isAuthn Resolver
isAuthz Resolver

query {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/", first:30){
edges{ <— Error here
node{
name
edges{
node{
…
edges{
node{ <— Error here
…
}
}
}
…
}
NESTED
QUERIES

The microservice architectural style is an
approach to developing a single application
as a suite of small services, each running in
its own process and communicating with
lightweight mechanisms, often an HTTP
resource API.
µ
Microservices
µ
µ

Data
Access
Layer
UI
Business
Logic
UI
µ µ µ
µ µ
Monolith Microservices

µ
Source: https://martinfowler.com/articles/microservices.html

Source: https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe

Look mom, new kind! No tools for you

New tech, SAST on backend is not mature.
Use existing tools and code review

DAST can be automated using existing
Developer tooling like tests, run
via selenium and pump it through proxy
Or
Use curl to create custom queries.

OAST is still possible.
OAST- Made up term for Open source Application
Component Security Testing.

source: https://github.com/graphql/graphiql

DevSecOps Maturity Model (SDOMM)
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits

Shifting Left, literally
OpsOps

A virtual environment to learn and
teach DevSecOps concepts.
Its easy to get started and is mostly
automatic.
DevSecOps
Studio
https://github.com/teacheraio/DevSecOps-Studio/

Easy to setup
Takes only few mins to setup and
start using with just one command
A
Reproducible
The aim of this project is to
setup reproducible
DevSecOps Lab environment
for learning and testing
diﬀerent tools.
B
Free & Open
Source Software
This project is a free
and open software to
help more people learn
about DevSecOps
C
DevSecOps
Studio Beneﬁts

Conway’s Law
Any organization that designs a system
(deﬁned broadly) will produce a design
whose structure is a copy of the
organization's communication structure.
“

Join the conversation #DevSecCon
Thank you
@secfigo

In graph we trust: Microservices, GraphQL and security challenges

Recommended

More Related Content

What's hot (20)

Similar to In graph we trust: Microservices, GraphQL and security challenges (20)

More from Mohammed A. Imran (14)

Recently uploaded (20)

In graph we trust: Microservices, GraphQL and security challenges