Register for our Dec 19th Webinar: Beyond the Perimeter: Achieving Comprehensive API Security

Blog Post

Product

Salt Continues to Lead API Security With Innovation to Protect GraphQL APIs

Chris Westphal
Oct 20, 2021

At Salt, we have a long track record of driving innovation — today we’re continuing that tradition with the news that the Salt platform now secures GraphQL APIs.  Innovation has been in our DNA from the very start — realizing existing tools could never do enough to secure APIs, we took a fresh approach. We pioneered a new architecture based on big data, AI, and ML, and we locked in a broad patent for API security. Our vision since then has been to accelerate business innovation by making all APIs attack proof.

Before getting into the details of what Salt does to protect GraphQL APIs, we’ll set the stage with some background on GraphQL to provide the foundation for why this query language creates unique challenges for security.

GraphQL efficiencies

GraphQL is one of the up-and-coming technologies in the world of APIs. Brought to life at Facebook in 2012, GraphQL provided a way to overcome some of the limitations of REST and meet the demands for the highly interactive Facebook mobile app. Three years later, in 2015, GraphQL was released to the world, and in 2018 the GraphQL Foundation was established to shepherd the project and advance the specification.

Unlike REST which is an architectural style for APIs based on a set of design principles, GraphQL is a query language built on a standard specification that provides a complete and understandable description of the data in a GraphQL instance.

Developers use GraphQL for the same reasons Facebook was motivated to create it. Efficiency. One of the primary efficiencies developers take advantage of with GraphQL is the ability to query the exact data their apps need to overcome the challenges of REST overfectching or underfetching data. 

With REST, developers have to build client-side functionality to either filter out over fetched data or request more data in the case of underfetching. Both scenarios increase development time with the need to build functionality and compensate for the shortcomings of REST.

Apps are impacted by REST’s shortcomings too. Adding functionality to filter or request more data results in more code and a bigger app footprint while impacting app performance and consuming more infrastructure resources. 

With GraphQL, developers innovate faster and build more efficient, responsive, lightweight apps.

Realities of GraphQL adoption

GraphQL efficiency is a big draw, but that doesn’t mean GraphQL is a good fit for every developer, every app, and every use case. GraphQL is indeed seeing rapid adoption, but as seen in The State of API Report 2020 from SmartBear, GraphQL adoption is still well behind REST. 

In reality, GraphQL is not a wholesale replacement for REST, and the two will likely be found together in most environments for years to come. The top three reasons are:

  • GraphQL and REST each have their place — GraphQL is best for front-end use cases, especially those that require a highly responsive user experience, a common requirement for mobile and single-page apps (SPAs). GraphQL is not optimized for back-end use cases, so it's common to find GraphQL on the front-end with REST on the back-end. Also, many current apps use REST, and the effort to retool and retrain developers outweighs the benefits GraphQL offers.
  • A steep learning curve — GraphQL has a standard specification that defines the consistency and predictability needed to enable its efficiency. Developers must take the time to learn the GraphQL way, which includes learning a new vocabulary of terms and new syntax for schema definitions and queries. GraphQL also requires proper coordination between developers, implementers, and back-end service owners to ensure each GraphQL instance is implemented and used correctly. For organizations already using REST, getting developers trained and teams coordinated can be a lower priority behind pushing out apps using technologies already in place.
  • New tooling and management needs — GraphQL is about a decade behind REST and lacks the healthy development community and mature tool ecosystem needed to build, deliver, and support APIs throughout the entire lifecycle. Tools currently used for REST provide partial capabilities at best but lack the native functionality required for scale. Teams using GraphQlL are left to compensate for the shortcomings of their current tools with manual efforts as tools with native support emerge.

Get a demo to see how Salt can protect your APIs.

GraphQL security misconceptions

A common misconception is that GraphQL APIs are more secure when compared to REST. The reality is that GraphQL is susceptible to many of the same vulnerabilities as REST and comes with its own list of unique pitfalls. Developers like GraphQL for its efficiencies, but these efficiencies can also create unique opportunities for attackers. Some of the common security pitfalls of GraphQL include:

  • Introspection — If not turned off or restricted in production, attackers get visibility into the schema, supported queries, and the entire layout of databases. If documentation is available, attackers also have access to detailed descriptions of every query supported, including the hidden ones.
  • Verbose errors — Like introspection, errors must be properly configured and restricted in production to keep attackers from using details returned in error messages to understand the schema and build valid queries.
  • Access controls — Each layer of the graph requires a distinct set of access controls, creating complexity and potential for errors. If access controls are missing or not properly implemented, attackers can exploit these gaps and target many of the threats defined in the OWASP API Security Top 10.
  •  Injection — GraphQL is simply a layer between the client and databases. Without proper controls, attackers can still target REST proxies and other infrastructure with SQLi, NoSQL injection, OS Command, SSRF, and CRLF attacks.
  • Rate limiting — Batched queries are efficient for developers but are a risk without properly configured limits. An attacker can batch multiple queries with 2FA tokens in a single request to target authentication mechanisms while bypassing all traditional rate-limiting controls.
  • Denial of Service — Nested queries are another efficiency for developers that require properly configured limits. An attacker can bypass traditional security controls and cause a denial-of-service (DoS) with a single request containing an excessive number of nested queries.

Another misconception is that current API security tools and controls can secure GraphQL APIs. In reality, without native support to understand the complexities of GraphQL, traditional security controls provide limited protection at best and leave teams with a false sense of security.

GraphQL has a unique structure and capabilities, and this results in unique challenges when it comes to security. Awareness of the unique pitfalls and vulnerabilities is needed to help teams properly secure GraphQL deployments, and education is needed to help developers apply best practices when building GraphQL APIs. 

DevOps teams can’t do it alone. They need to move fast and release new code, and vulnerabilities will slip through to production, with many only found at runtime. Tools with native GraphQL support are needed to complement DevOps security efforts, protect APIs at runtime, create a feedback loop for continuous hardening, and support rapid innovation.

Protecting GraphQL APIs with Salt

With native support for GraphQL, we understand the unique capabilities, pitfalls, and challenges required for security. Our patented platform with big data, AI and ML understands the complex structure of each GraphQL query to gain the context required to secure GraphQL APIs. 

All the capabilities that you expect from Salt to protect your REST APIs are now extended to GraphQL giving you a single platform to protect all of your APIs. With Salt you can now:

  • Discover all GraphQL APIs automatically and continuously including shadow (unknown) and zombie (outdated) APIs to maintain a single view of your entire API landscape and eliminate blind spots.
  • Uncover GraphQL APIs expose sensitive data such as PII and understand when exposure changes to maintain a complete view of risk and meet compliance requirements.
  • Prevent attacks targeting GraphQL APIs by leveraging Salt big data, AI, and ML to establish a baseline for each GraphQL API and gain the context needed to pinpoint and stop attackers early in their reconnaissance.
  • Eliminate GraphQL vulnerabilities with insights from across the API lifecycle to help teams continuously improve security and ship more secure APIs.

At Salt we never stop taking on new challenges and never stop innovating, laser focused on our mission to make all APIs attack proof. To learn more about Salt and how we can stop attacks targeting GraphQL and secure all your APIs, reach out to schedule a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

December 13, 2024

Michael Callahan
Chief Marketing Officer

Industry

API Security is Not a Problem You Can Solve at the Edge

Edge security is a crucial component of an organization’s defense, but it’s just one piece of the puzzle. Learn why API security requires a broader view.

Read more

November 27, 2024

Eric Schwake
Head of Product Marketing

Industry

Beyond Traditional Security: Addressing the API Security Gap

To safeguard your business from API-specific threats, you need a dedicated solution that offers comprehensive visibility, in-depth contextual analysis, automated governance, robust data protection, and AI-driven threat prevention.

Read more

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back