In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong. This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline. We will cover the following as part of this presentation: GraphQL use cases and how unicorns use them Benefits and security challenges with GraphQL Authentication and Authorisation Resource exhaustion Backend complexities with microservices Need for tweaking conventional DevSecOps tools for security assurance Security solutions which works with GraphQL

1. Join the conversation #DevSecCon
BY MOHAMMED A. IMRAN
In graph we trust: Microservices,
GraphQL and security challenges

3. Hi, I’m Imran
secfigo^

4. I work at

5. I work at
Ahem!

7. Lets talk about
Gold Rush

8. Lets talk about
Modern
Gold Rush

9. I mean

10. The Next Big Thing

11. The Next Big Thing
{ REST API }

12. GraphQL History
Gold Rush201620152012 2017
Github previewed its
GraphQL API v4
GITHUB
Facebook started working
on it.
START
Github, pinterest, Spotify,
twitter and many more
Members
Facebook open sourced
GraphQL
PUBLIC RELEASE

13. GraphQL
GraphQL is a query language for APIs and a runtime for
fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of
the data in your API, gives clients the power to ask for exactly what
they need and nothing more, makes it easier to evolve APIs over
time, and enables powerful developer tools.
source: graphql.org

14. Multiple resources in one request (speed)
Versioning hell
Schema Introspection
Simple and Efficient to use
Benefits & Use Cases

15. Multiple resources in one request 1

16. ō
Let’s Create a Github
Secret Scanner
Example

17. List of Repositories1
List of branches in repo2
Scan the code in branch3
1
2
3
4
Analyse for secrets4

18. Lets get list of Repositories
Using v3 GitHub API - https://developer.github.com/v3/repos/#list-user-repositories

19. { REST API }
GET /users/secfigo/repos

20. { REST API }{
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0,
"license": {
"key": "mit",
"name": "MIT License",
"spdx_id": "MIT",
"url": "https://api.github.com/licenses/mit",
"html_url": "http://choosealicense.com/licenses/mit/"
},
"organization": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "Organization",
"site_admin": false
},
"parent": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0
},
"source": {
"id": 1296269,
"owner": {
"login": "octocat",
"id": 1,
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"description": "This your first repo!",
"private": false,
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"html_url": "https://github.com/octocat/Hello-World",
"archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "http://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
"issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "git@github.com:octocat/Hello-World.git",
"stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"topics": [
"octocat",
"atom",
"electron",
"API"
],
"has_issues": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"allow_squash_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0
}
}
About 2097 lines
GET /users/secfigo/repos

21. { REST API }
GET /users/secfigo/repos
[
{
"id": 112903642,
"name": "ansible-role-gauntlt",
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
“login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}”,
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
...
]

22. { REST API }
GET /users/secfigo/repos
[
{
"id": 112903642,
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
“login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}",
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
…}, { …
}]

23. { REST API }
[
{
"id": 112903642,
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
“login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/branch}",
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
…}, { …
}]
GET /users/secfigo/repos

24. { REST API }
[
{
"id": 112903642,
"full_name": "secfigo/ansible-role-gauntlt",
"owner": {
“login": "secfigo",
...
},
"private": false,
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt",
...
"branches_url": “http://api.github.com/repos/secfigo/ansible-role-gauntlt/branches{/
branch}",
"clone_url": "https://github.com/secfigo/ansible-role-gauntlt.git",
...
"commits_url": "http://api.github.com/repos/secfigo/ansible-role-gauntlt/commits{/sha}",
…}, { …
}]
GET /users/secfigo/repos

25. ō
Get a list of
repositories.
DEMO

26. Lets get list of branches

27. { REST API }
GET /users/secfigo/repos
Response: List of Repos
{ REST API }
GET repos/se../an…/git/refs

28. { REST API }
GET /users/secfigo/repos
Response: List of Repos
{ REST API }
GET repos/sec../an…/git/refs
[
…, {
"ref": "refs/heads/prod",
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/refs/h
"object": {
"url": "https://api.github.com/repos/secfigo/ansible-role-gauntlt/git/comm
083a7ad90adb44003926fb93cc879cf099f5b693"
}
}, …]

29. query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/", first:30){
edges{
node{
name
}
}
}
}
}
}
}
}

30. ō
Get a list of branches
with/without graphQLDEMO

31. Different Versions of API 2

32. https://api.site.com/v1
{ REST API }
v1 v2
https://api.site.com/v2

33. https://api.site.com/v1
{ REST API }
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
}
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
planet: String
}
v1 v2
https://api.site.com/v2

34. Schema Introspection 3

35. { REST API }
query {
__type(name: "Repository") {
name
kind
description
fields {
name
}
}
}
Read API Documentation

36. Simple and Efficient 4

37. { REST API }
query {
user(login:"secfigo") {
name
}
}
Fetch Everything

38. Authentication
Denial of Service
(Resource Exhaustion)
Authorization
Error Handling
Security Issues

39. Authentication 1

41. Authentication

42. Typical HTTP/REST Auth’n

43. graphQL doesn’t have middleware
Resolver(s)

44. graphQL - No Middleware
Resolver(s)

45. Resource Exhaustion 2

46. query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/"){
edges{
node{
name
edges{
node{
…
edges{
node{
…
}
…
}
NESTED
QUERIES

47. Authorization 2

48. Authorization
IsAuthorized?Base Resolver
isAuthn Resolver
isAuthz Resolver

49. Error Handling 4

50. query {
user(login:"secfigo") {
repositories(first:30) {
edges {
node {
nameWithOwner
refs(refPrefix: "refs/", first:30){
edges{ <— Error here
node{
name
edges{
node{
…
edges{
node{ <— Error here
…
}
}
}
…
}
NESTED
QUERIES

51. µ
Microservices
µ
µ+

52. The microservice architectural style is an
approach to developing a single application
as a suite of small services, each running in
its own process and communicating with
lightweight mechanisms, often an HTTP
resource API.
µ
Microservices
µ
µ

53. Data
Access
Layer
UI
Business
Logic
UI
µ µ µ
µ µ
Monolith Microservices

54. µ
Source: https://martinfowler.com/articles/microservices.html

55. Source: https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe

56. DevSecOps Challenges

57. Look mom, new kind! No tools for you

58. New tech, SAST on backend is not mature.
Use existing tools and code review

59. DAST can be automated using existing
Developer tooling like tests, run
via selenium and pump it through proxy
Or
Use curl to create custom queries.

60. OAST is still possible.
OAST- Made up term for Open source Application
Component Security Testing.

61. source: https://github.com/graphql/graphiql

62. DevSecOps Maturity Model (SDOMM)
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits

63. Security Champions

64. Shifting Left, literally
OpsOps

65. A virtual environment to learn and
teach DevSecOps concepts.
Its easy to get started and is mostly
automatic.
DevSecOps
Studio
https://github.com/teacheraio/DevSecOps-Studio/

66. Easy to setup
Takes only few mins to setup and
start using with just one command
A
Reproducible
The aim of this project is to
setup reproducible
DevSecOps Lab environment
for learning and testing
different tools.
B
Free & Open
Source Software
This project is a free
and open software to
help more people learn
about DevSecOps
C
DevSecOps
Studio Benefits

67. Conway’s Law
Any organization that designs a system
(defined broadly) will produce a design
whose structure is a copy of the
organization's communication structure.
“

68. Join the conversation #DevSecCon
Thank you
@secfigo