
All right, let's get started. I hope you guys had a good lunch break. Sleepy? This talk is definitely going to help. This is an amazing talk on strategies for secure GraphQL development and, uh, I'm excited to introduce you to Mr. Glass. Yeah, welcome.

Thank you. Yes, this is Strategies for Secure Development with GraphQL. Uh, it's a terrible title, not on, but that's what we're going to talk about. Uh, my name is y Silberman. I work at Aon Cyber Solutions. Um, they are very, very, very great to pay my way here, and also they're sponsoring tomorrow at the happy hour, so please check that out. I also am staff here, BSides Las Vegas. Um, I work on the website. It's an immense privilege to be able to work here as staff. So that's me.

Our goal today is to make a developer experience where security is actively nurtured and supported. I see a lot of projects where we talk about security being important and we say, "Oh, the team, you need to do security," but nobody actually helps them do anything secure. So a lot of what I'm talk about today is trying to help make something so that developers have the tools they need.

A note: um, most of my talk is framed around GraphQL, but this should be applicable to, like, any engineering, any development. So don't worry if you're not a GraphQL developer. This is really more about applying standard practices, standard, uh, techniques for security, security development, to GraphQL. Um, also a little note: unfortunately I made some really awesome, hilarious memes for today, but there was a snafu and I can't use them, so you're just going to have to assume that there were awesome graphics on each slide.

Okay, so I decided, uh, to frame this around three questions. Actually, I spoke at BSides a decade ago, uh, and it's been an experience since then, and I was trying to think what I would tell to me a decade ago as a long young engineer about security. And I decided there were three things that were hard for me to get answers to, and I would tell them, and that is: how do I figure out what
I need to secure? How do I build something like sure security foundation? Everybody says you have to start with security but always tells you how. Um, and what should I log? Which is something that's, it's a little very specific, but it's a question that I never got an answer to, ever, and so I want to talk about it.

Okay, so our first question: how do I figure out what need securing? Anybody have an idea? No? That's okay. There's an obvious answer: it's threat modeling. Threat modeling, uh, has been around for a while at this point. It's a very well understood process. The idea is to model your application, build a model of what you are building, so you have a representation of it, you know, you can look at it, and then try to apply different threats and different threat factors to it.

So, uh, STRIDE is a threat modeling framework. Uh, came out of Microsoft. And you model out your application and you try to apply specific vectors of spoofing, tampering, repudiation, information disclosure, denial of service and escalation of privilege. Mnemonic STRIDE, pretty easy to remember. And these are the things you're going to look at when you're threat modeling. On your model you're going to look for areas where this could happen.

So this is a high-level model of what pretty much every web application looks like on the back end. Um, I mean, there are bigger ones, people do custom stuff, but most of them have a, um, public endpoint like a WAF or AWS endpoint, and that goes on to an actual GraphQL framework. So now we're talking about inside the code: the WAF will call and call the, your server software, which calls your framework, and your framework is going to run, and the framework is then going to call your model logic. That's how all of the web, uh, frameworks are set up. That's how everything is set up.

So on a high level I actually worry about, um, this, and here I worry more about, like, stuff that would affect the framework system. So stuff that would affect auth, which is part of the framework for me and part of frame most
people, the spoofing. Um, anything that could do denial of service would probably end up in the framework. I mean, you could have bones in your code, but I worry about framework-level issues for denial of service. And same thing with escalation of privilege: since I use the framework for privilege access, I need to make sure that my framework has what I need, so I need to worry about it on that level.

And then in a lower level, in GraphQL, you can, GraphQL, it's complex but it's not too crazy. There are few parts to it. The first basic part is a query, and a query is: you post a payload to the server and ask for what you want. Um, you can, GraphQL, you can request multiple objects at the same time through the graph, so you can say, "I want the user and I want all the user's posts," and it'll get all for you in one go, which is really awesome but also opens you up some attacks. So if you have a cyclical reference, you could have a very long cyclical reference attack to get service. Um, there's other attacks that are out there.

And subscriptions are actually very similar to queries. Uh, the only difference between a subscription and a query is that a subscription is done over a steady connection, like a websocket, and then the server keeps posting new payloads as things change. So there's usually an event, there's a specific subscription that you have subscribed to, and when that gets triggered the server will automatically send it to the client so that the client get updates in real time. So that's it. It's almost exactly the same as queries, but it's a separate thing.

Um, and then there's also mutations. Mutations are awesome. Back when I first started, everybody was moving to REST and you couldn't use RPC. "RPC is evil." RPC is a remote procedure call, and so what happened in the industry is, like, "We have to use REST." REST is where, REST, REST APIs have paradigm where you're posting a document and pulling the document back, right? That's what REST is all about. But let's say I need to, uh, fire off
an email when somebody puts this thing. Well, now I'm just having a side effect. Whenever somebody changes it, there's a side effect in my code triggering something else. It doesn't fit the paradigm of "I'm posting a document." It's all side effects. So I have hated REST for those things. It doesn't apply. And RPC is "server, do this." So if I say, "Server, send an email," it doesn't and it gives me an okay or a not.

Um, so mutations can do all that stuff. They return basically the same thing as a query payload inside. So you run your mutation and it can return, uh, data out of your mutation or from just your whole database. Same thing with the graph: all this supports following the graph to the, uh, child objects and everything. Um, and I worry on this level about tampering, repudiation and escalation of privilege, because this is where their code is actually, this is where they're actually hitting your code, and this is where you have to worry about actually having locked down access and actually having locked down who can touch what and things like that. So mutations are where you're going to have your code doing things that aren't standard, and you're going to need to worry about that stuff.

So my big thing that I try to tell people is to treat security like a feature request. Developers, we get feature requests all the time, and we tend to get, like, "Oh, and this needs to be secure." We never get a feature request of "add MFA" as a feature, but that's a huge feature. So approach security improvements of features. A, you can probably sell it, you can get planning on it, and the, it lets you approach it in the full process like we do everything else, because developers all have processes for approaching features.

And I also really like to test them like a feature. I skip a f... no. Um, I also really like to test them like a feature. So don't just test that the user, uh, my favorite example that I almost never see in a codebase is a unit test that says posting the wrong password, not allowed in, right? You have a lot of tests that
say, "I put my password in, it works." Almost nobody has "not putting the password in, getting blocked." But don't just check that that got blocked. Check that you logged whatever you wanted to log. Check that you responded properly, so that you're actually saying back to the user, "Hey, this was blocked for this reason." Um, and all that stuff. Make sure you actually check all of this. It really helps. It helps make security easier when you do all of this. It really helps when the problem happens: having all this supports having somebody be able to figure out what's wrong. So adding in this test, very important to have the logs and everything else. Just make sure all parts of your security feature are happening.

Um, I really like functional tests. Unit tests are ult, um, and they're not bad, they're pretty good. The thing about functional tests, if we look back, this is from the earlier slide, so we have the framework and the ORM, and these are controlling a huge part of what we're worried about, right? We're worried about how the framework is handling auth and how the ORM is handling checking actual database access to the items, etc., uh, and, uh, validation on inputs as well. And so if you're doing a traditional unit test, what you do is you mock out everything outside of the function that you're trying to test, and you just test your specific unit of thing that you're trying to test. And so if you're writing a unit test, you mock out the, uh, you mock out the framework and you mock out the ORM. In a real unit test you only have your logic, so you can't tell all this.

And at the same time, you, a functional test also will get you a whole breadth of coverage. A functional test, instead of, a unit test is just one little feature. A functional test is literally: hit the full page, have the full process of the pro, of the website run, and get a payload back, and check that the payload looks like what you wanted. Uh, so similar what I did here, right? I'm not going and checking the, um, add user to group function.
I'm calling a query from the outside and I'm getting the full response back from the server. Um, that's a functional test. Um, and they're awesome, and they actually allow you to test the other stuff. So don't just do unit tests.

Okay, how do we build a secure foundation? What time is it? Sorry, I have to keep an eye on the clock. Okay, so start with the framework. Um, reinventing the wheel is bad, especially right now. There are tons of great frameworks. GraphQL is all new code from the past five, six years, so you're going to, the frameworks are all well made, and don't reinvent the wheel. GraphQL has a very complex, uh, has a very complex query structure that it needs to parse, and parsing things is where a lot of mistakes happen. So don't write your own parser. Use one that's already pre-made.

When you're picking a framework, look for an active community and good docs. I like to check the repository to see what, how they've responded to security issues before, because you can immediately see if, "Oh, they actually respond, took care of it," or they said, "I don't know if that's a problem. Oh, maybe we'll fix it in two years." You probably don't want that framework that, like, is, it's saying, you know, it's not sure if it's going to fix the security thing right away. You want the framework that's like, "Oh, security problem, here's a hot fix." Um, so check that they've done that in the past in case it happens again.

And another big thing that, um, I've seen a lot of people fall into is they'll pick a framework that's very specific to how they want things. It's very opinionated. So if you want all of your code to be formatted a certain way, that's cool, and you should do that, and we'll get to that. But if your frameworks want you to format your code a certain way, you can't change it. If you want to change it, you can't change it. If something comes up that makes you change it, right? So if your framework is kind of blocking you from doing other things that weren't your opinion at first, it will come back to bite you
because it's going to block you from doing other things you might want. So don't look for a framework that, like, perfectly matches what you want. Look for a framework that's more of a tool for you to use to build what you want, because what you're going to do is you're going to take that framework and you're going to extend every class in it, if you can.

So there's a standard model class that you're probably going to have in framework. You're going to extend that and add what you want. Uh, big ones are non-sequential IDs, timestamps, and, uh, I actually really like to disable superuser functionality in frameworks, um, so that there's no superuser, like, they need a permission to actually do the thing instead of having the ability to just do whatever, anything, all the time. So I like to disable superuser entirely. I like to build in auth checks into the node resolvers, which is part of the GraphQL side, in the objects. Um, this is where you really should enforce your opinions. So whatever you care about being in the object, like non-sequential IDs is a big one for me, um, whatever you care about, enforce it at this level. This is where you're kind of making your framework, but you're not making your own framework. You're using something else, but you're making into your own. Okay, that will allow you to build all Security One into it.

Then you're going to have to go beyond that, because it's not going to cover everything, and you're going to need to find a lot of simple stuff, it's probably going to seem simplistic, that developers are going to need to do in the course of their business, and write the functions for them, so that they don't need to figure out "how do I check those users active," right? They just call the isactive function. I don't need to, I don't need to, um, there's a whole bunch that we have in my, on my team for things like permissions, right? I don't need to understand how the whole permission structure to work. I can call the permission helper that sets up the permissions. So for security
and specifically for authorization stuff, you can centralize it in one place, you can well vet that thing, and then they can call the function and know we work for them and do the job. So this is part of, again, building an environment where they can do what they need to do, is finding these simple actions.

I mean, the most common one, um, is a decorator. Uh, the most common one is a decorator you put over your function. Decorators are little comments you put over a function. Um, they're supported in a lot of languages and they usually, like, add something as a wrapper to the function, so they wrap it in some logic. And so I have decorators, and I've seen decorators in frameworks, a lot of frameworks have it, um, or you can basically put a decorator that says "this is loading this object at the start," and it will automatically load the object, automatically check permissions for the user, and just, when the developer goes into, in the context of starting their function, they already have a vetted object that they know the user has access to, and they don't need to worry about how to get it securely. They have it already. So that's the thing: trying to enclose that logic. Developers don't need to worry about "how do I do this securely."

Um, it seems stupid to put something like "is active" in this, but I really wanted to point out that doing the simple stuff helps, because they might see the active thing and not be sure. Also, you're going to get people who do it slightly differently in two places. If you don't have this, you're always going to have slight differences everywhere. And if you ever need to expand the active thing, so say, you know, you get a call and we're like, "Hey, we need to make sure that users who are over 2 years old can't sign in either," right? So you can add the check that the user hasn't signed in two years, two years active, if you have it here. So really try to enclose your stuff in helper functions. Um, it really helps. Uh, checking if your user is internal is another great one. You know,
uh, often you have functions that you don't want clients to use, but only your people to use, only your employees to use. And so, just like "is active" is a very simple one, that "is it somebody from the company" is a very simple, easy check, um, and important. And again, that can be very complex logic depending upon your company, but if you enclose it in this, the developer doesn't need to worry about knowing that complex logic. They can just call your function.

And I also really like making test helpers, because you need to help the developers make their tests, right? And you need to help them make their tests secure. So a huge part of my work in starting my, this, my mid lest project was making helpers so that you could easily make a query and get it back. So those function, so that functional test that I showed you was one line to make a query instead of 100 to build the query and insert the stuff and get the user and say, "Okay, now pass it into the framework this way." I enclose that all in the function where you can just say, give it a query out, a query string and a user, and it takes care of everything else and gives you the response. And that allows developers to develop tests quickly. It make them more likely they're going to make tests, and it really helps keeps things secure, because it encourages testing of this layer of stuff, and we want to encourage testing of this stuff.

So if we've done our job well at this point, we have secure behavior by default in a lot of our classes, as well as, sorry, I'm just checking your time, as well as sensitive logic that's enclosed and centralized. Centralization I should talk a bit more about. Um, when you have code in multiple places, it's impossible to keep up to date. It's impossible to keep all them up to date in, right, the same way. And for auth, it's huge important that you don't end up with what's called, like, a shotgun parser, so where all your checks are happening all over the place. You want all your checks to happen in one place, so you can
understand what's going on, you can understand what the checks are, and you can clearly develop it. So centralization is very important for things that SEC processes, and particular authorization is a huge one.

Um, and build tests with broad coverage. I can't stress that enough. That'll help you in multiple ways, but in ter great, really helps to have broad coverage. I have test that, I have test that check every, if a user can load an object, if a user can load a list of objects, all that, and I have a helper that does it for me. So I just have one line that says "get object as user, make sure it can use it," right? If I didn't have that helper, developers would probably either have a 100 different ways they're calling it to check that, and they'd probably spend a lot more time, or not even make the thing to check the full thing. But because I made a helper, and because I made these help, I let them do the broad coverage, they have a full, all-encompassing test. So the helpers really encourage the developers to do the right thing.

Um, we're on to the last bit of the talk, which is: what should I log? So anybody have an answer? "Everything" is the first answer I always get. You shouldn't log everything. Mhm. Resp or what to, exactly what you need to audit is the big one, right? If you're logging everything, there's a huge amount of stuff, but also you're going to get a lot of private data in your logs too, right? If you're logging every request, you're just going to get a lot of data that you don't want in your logs. You don't want to have to treat your logs that way. So pay attention to what you are logging, and log specific things that help you.

Thinking about repudiation is a lot of what I do. So the audit stuff: think about, okay, somebody's going to come and say, "I didn't do this action." You're going to need say, "No, that user clicked this button at 10:53 on Thursday." Um, when somebody asked, "What on Earth happened to this?" you know, you're going to need to figure that out if it's something important.
um and I stress Don't