rss-bridge 2024-04-24T18:12:00+00:00

SE Radio 613: Shahar Binyamin on GraphQL Security

Shahar Binyamin, CEO and co-founder of Inigo, joins host Priyanka Raghavan to discuss GraphQL security. They begin with a look at the state of adoption of GraphQL and why it's so popular. From there, they consider why GraphQL security is important as they take a deep dive into a range of known security issues that have been exploited in GraphQL, including authentication, authorization, and denial of service attacks with references from the OWASP Top 10 API Security Risks. They discuss some mitigation strategies and methodologies for solving GraphQL security problems, and the show ends with discussion of Inigo and Shahar's top three recommendations for building safe GraphQL applications. Brought to you by IEEE Software and IEEE Computer Society.


Transcript

Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.

Priyanka Raghavan 00:00:19 Hi everyone. I’m Priyanka Raghavan for Software Engineering Radio, and today I’m chatting with Shahar Binyamin, the CEO and Co-founder of Inigo, to talk about GraphQL security. Shahar is a software engineer by trade. He has extensive experience working on many high-profile enterprise applications and security projects. He has written several articles and given talks at technology conferences, all of which I have added to our show notes. So welcome to the show, Shahar.

Shahar Binyamin 00:00:48 Hey, Priyanka, great to be here.

Priyanka Raghavan 00:00:50 One of the things we’ve done is we’ve done a deep dive on GraphQL, which is Episode 530. So listeners can obviously listen to that episode to understand the history and the basics of GraphQL. Having said that, since we have you on the show, and it’s been a while since we did that, I have to ask you if you can just briefly define for us what is GraphQL. I know it’s tough, but maybe a little bit, one or two lines. And then can you also tell us why the state of GraphQL adoption is so great, or whether you think it’s otherwise, but I personally think there’s a big adoption in the GraphQL space, and what is the state of GraphQL adoption?

Shahar Binyamin 00:01:26 Yeah, absolutely. Great question. So GraphQL is merely a spec. It’s an API spec that came out of Facebook, no Meta, back in 2016, and it’s a query-based API and really was there to solve some of the REST limitations of under fetching and over fetching. And it’s a great tool to really expedite frontend developers, allow them to move firmly, extract any data that they want in any type of hierarchy. And we’ve seen a lot of it when it comes out of Facebook. We’ve seen the open-source communities, specifically developers, really adopt it. And you can actually find an implementation of GraphQL in any programming language you might think of. Now, when we think about the adoption of GraphQL, I would say that like any developer-driven technology, a developer brings it into the organization, they get all hyped about it. And like any new technology, like, let’s put this everywhere; it doesn’t work everywhere, but it does work really well when it’s in the right place, like client server or we have an open API. So it had a rough patch at the beginning with rejections and like lots of excitement, a lot of rejection, and now it’s really finding its place and actually becoming mainstream in many enterprises.

Priyanka Raghavan 00:02:40 And this kind of following up on that question, you had an article on DevZone, which was titled, You Love GraphQL Now How to Make Sure your Organization Does Too. So why do you think GraphQL is popular among developers and what could they do to bring it into their organizations? Maybe you have like a case study where you have worked with a company where the developers liked it and then they had a success story of bringing the organization in.

Shahar Binyamin 00:03:04 Usually there’s always one champion, and maybe this person worked with GraphQL in their previous company. And that’s the story we see a lot. And then people move around and they say, hey, we know about this new technology, and there’s always a new feature, there’s always a new product. Some legacy companies say, okay, it’s time to refresh our stack, and then GraphQL is becoming a discussion. Can we do this? And frontend developers want to hear about this and say, yes, this is what we want. So now you have the backend champion and the frontend team pushing for the same thing. And usually it’ll start with a side product with some exploration. But now if you want, you as the champion, to push this down the org., then you need more supporters. And when it even gets to a point that you would like to productize it, what we’re seeing in a lot of technology companies is this new concept of platform teams or API teams, some call them architect teams or core team, the names really are vast.

Shahar Binyamin 00:04:03 And now you basically need to ask them to own this other type of API as part of the API responsibility. And you need to have a good reason, a good mandate, and a really good set of building blocks to allow an organization to adopt a new technology. If we think about the equivalent to Kubernetes, when developers brought it in and then they said to the DevOps, hey, now you need to operate this. And maybe two minutes later the security team will come and say, hey, now how do we secure it? We can see a similar story with GraphQL with the platform teams, those API teams, they say, hey, what is this? You’re asking us to do this, but how do we do this? And I’m sure we’ll break it down.

Priyanka Raghavan 00:04:44 And that’s very interesting. To summarize, I think what you’re saying, this is probably true for any new technology, right? They go through a review board and then pass it on to a central team, which then allows the whole sort of spread of that new technology across the organization and then the security teams come in. I think that probably then goes on to my next question on why is GraphQL security important?

[...]
