At Salt, we have a long track record of driving innovation – today we’re continuing that tradition with the news that the Salt platform now secures GraphQL APIs. Innovation has been in our DNA from the very start – realizing existing tools could never do enough to secure APIs, we took a fresh approach. We pioneered a new architecture based on big data, AI, and ML, and we locked in a broad patent for API security. Our vision since then has been to accelerate business innovation by making all APIs attack proof.
Before getting into the details of what Salt does to protect GraphQL APIs, we’ll set the stage with some background on GraphQL to provide the foundation for why this query language creates unique challenges for security.
GraphQL is one of the up-and-coming technologies in the world of APIs. Brought to life at Facebook in 2012, GraphQL provided a way to overcome some of the limitations of REST and meet the demands for the highly interactive Facebook mobile app. Three years later, in 2015, GraphQL was released to the world, and in 2018 the GraphQL Foundation was established to shepherd the project and advance the specification.
Unlike REST which is an architectural style for APIs based on a set of design principles, GraphQL is a query language built on a standard specification that provides a complete and understandable description of the data in a GraphQL instance.
Developers use GraphQL for the same reasons Facebook was motivated to create it. Efficiency. One of the primary efficiencies developers take advantage of with GraphQL is the ability to query the exact data their apps need to overcome the challenges of REST overfectching or underfetching data.
With REST, developers have to build client-side functionality to either filter out over fetched data or request more data in the case of underfetching. Both scenarios increase development time with the need to build functionality and compensate for the shortcomings of REST.
Apps are impacted by REST’s shortcomings too. Adding functionality to filter or request more data results in more code and a bigger app footprint while impacting app performance and consuming more infrastructure resources.
With GraphQL, developers innovate faster and build more efficient, responsive, lightweight apps.
GraphQL efficiency is a big draw, but that doesn’t mean GraphQL is a good fit for every developer, every app, and every use case. GraphQL is indeed seeing rapid adoption, but as seen in The State of API Report 2020 from SmartBear, GraphQL adoption is still well behind REST.
In reality, GraphQL is not a wholesale replacement for REST, and the two will likely be found together in most environments for years to come. The top three reasons are:
A common misconception is that GraphQL APIs are more secure when compared to REST. The reality is that GraphQL is susceptible to many of the same vulnerabilities as REST and comes with its own list of unique pitfalls. Developers like GraphQL for its efficiencies, but these efficiencies can also create unique opportunities for attackers. Some of the common security pitfalls of GraphQL include:
Another misconception is that current API security tools and controls can secure GraphQL APIs. In reality, without native support to understand the complexities of GraphQL, traditional security controls provide limited protection at best and leave teams with a false sense of security.
GraphQL has a unique structure and capabilities, and this results in unique challenges when it comes to security. Awareness of the unique pitfalls and vulnerabilities is needed to help teams properly secure GraphQL deployments, and education is needed to help developers apply best practices when building GraphQL APIs.
DevOps teams can’t do it alone. They need to move fast and release new code, and vulnerabilities will slip through to production, with many only found at runtime. Tools with native GraphQL support are needed to complement DevOps security efforts, protect APIs at runtime, create a feedback loop for continuous hardening, and support rapid innovation.
With native support for GraphQL, we understand the unique capabilities, pitfalls, and challenges required for security. Our patented platform with big data, AI and ML understands the complex structure of each GraphQL query to gain the context required to secure GraphQL APIs.
All the capabilities that you expect from Salt to protect your REST APIs are now extended to GraphQL giving you a single platform to protect all of your APIs. With Salt you can now:
At Salt we never stop taking on new challenges and never stop innovating, laser focused on our mission to make all APIs attack proof. To learn more about Salt and how we can stop attacks targeting GraphQL and secure all your APIs, reach out to schedule a personalized demo.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.