Dive into the chaotic world of GraphQL vulnerabilities with Escape's co-founders. Their exhaustive research unveiled a daunting 46,000+ security issues across more than 1500 GraphQL endpoints. Walk away armed with a resilience strategy to fortify your production GraphQL applications.
Join Tristan Kalos and Antoine Carossio, co-founders of Escape, the preeminent GraphQL Security Testing startup, as they delve into the tumultuous seas of GraphQL vulnerabilities. Derived from extensive research on production GraphQL endpoints, this illuminating talk unearths the complex dynamics of GraphQL's security landscape. Tristan and Antoine draw on their combined expertise—Tristan's mastery in development and machine learning and Antoine's valuable offensive security experience—to offer deep insights and proactive strategies. Dedicated to the relentless pursuit of resilient systems, the team logged over 500 hours of computation, performing chaos engineering on 1500+ GraphQL endpoints. The findings were startling, exposing over 46,000 security issues and sensitive data leaks publicly accessible without authentication, of which 10% were critical. This talk promises a deep dive into the most prevalent GraphQL vulnerabilities, along with their unique testing methodology adapted to the complexity of GraphQL. They'll dissect GraphQL-specific vulnerabilities like complexity issues and schema leaks, while spotlighting traditional API security issues, including injections, internal server errors, and stack trace disclosures. The conversation will also encompass the often underappreciated risk of data leaks—personal information, secrets, and tokens—illustrating the real-world impact of these vulnerabilities through case studies. But amidst the turbulence, there's a safe harbor. Tristan and Antoine will equip you with practical resilience strategies, showcasing tools such as GraphQL Armor, and a comprehensive security checklist. The session underscores GraphQL's remarkable capabilities while cautioning about associated security risks that are often overlooked in SRE/DevSecOps practices. The grand takeaway is a newfound comprehension of GraphQL's security landscape, paving a clear path to robust and reliable GraphQL applications. 
Immerse in the insights of this essential session and sail confidently into the future, leveraging GraphQL's power while ensuring the stability and security of your applications. Be part of this critical conversation at SRE Day 2023.
Antoine is co-founder & CTO of Escape. Antoine is a former French National Secret Agency and Apple security engineer and penetration tester. He is one of the maintainers of Clairvoyance: https://github.com/nikitastupin/clairvoyance