Emerging Security Tools Tackle GraphQL Security


One good thing about GraphQL is that the query language makes it easy to interact with structured data and perform multiple actions with a single API call. However, that same flexibility makes APIs built using GraphQL more difficult to secure, potentially exposing more data than intended.

Salt Security recently updated its Salt Security API Protection Platform to offer more robust tooling for securing GraphQL APIs. The tools rely on artificial intelligence and machine learning to build a baseline of normal API behavior and to flag attackers probing the APIs during reconnaissance. The company's goal is to give developers tools for securing these APIs before attacks against GraphQL become commonplace.

GraphQL is an open source data query language that is gaining traction among developers as a declarative alternative to REST APIs for fetching data. Originally developed by Facebook and open sourced in 2015, GraphQL lets clients specify exactly what data they need from an API and its underlying services, and receive exactly that shape back rather than a fixed response they must filter client-side. GraphQL is organized in terms of types and fields rather than traditional endpoints.

Developers like GraphQL because it is a very efficient way to exchange information, but its call-and-response format introduces new risks, says Elad Koren, chief product officer of Salt Security. GraphQL APIs can include many nested requests inside a single API call, which adds to their complexity.

“The biggest advantage is the ability to request exactly what is needed — not more, not less,” Koren says. “But that is also a significant vulnerability, since the data is not limited by structure, and it relies on the API to be properly constructed.”

Something that would be a minor permissions and authorization issue in a REST API, limited to a subset of endpoints, could wind up creating a significant attack surface in GraphQL, Koren says.
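To make the trade-off Koren describes concrete, here is an added example in Python; it is not Salt Security's code and is not drawn from the article. The user data, the schema, the small query parser and the executor are all constructed for the illustration so that it runs without the graphql library. One entry point, `user(id:)`, was left callable with any user id because it only serves public profile names, and since nothing below it re-checks ownership, the nested `orders` field leaks a second user's card digits. The hardened version attaches an ownership check to each sensitive field and caps query depth.

```python
"""Field-level authorization and depth limiting for a GraphQL-style API.
Added illustration, not Salt Security's or the article's code: the data, schema,
mini query parser and executor are all constructed here so it runs offline."""
import re

# Constructed sample data (not from the article).
USERS = {
    "u1": {"id": "u1", "name": "Alice", "email": "alice@example.com", "orders": ["o1"]},
    "u2": {"id": "u2", "name": "Bob", "email": "bob@example.com", "orders": ["o2"]},
}
ORDERS = {
    "o1": {"id": "o1", "owner": "u1", "total": 42.0, "card_last4": "1111"},
    "o2": {"id": "o2", "owner": "u2", "total": 99.0, "card_last4": "2222"},
}

class Forbidden(Exception):
    pass

class QueryTooDeep(Exception):
    pass

def parse(query):
    """Parse a GraphQL subset, { f(arg: "v") { sub } ... }, into {f: (args, sub)}.
    No variables, fragments, aliases or directives; enough for the queries below."""
    toks = re.findall(r'[A-Za-z_]\w*|"[^"]*"|[{}():]', query)
    pos = 0

    def selection_set():
        nonlocal pos
        pos += 1  # consume '{'
        fields = {}
        while toks[pos] != "}":
            name, args, pos = toks[pos], {}, pos + 1
            if toks[pos] == "(":
                pos += 1
                while toks[pos] != ")":
                    key, _colon, val = toks[pos:pos + 3]
                    args[key], pos = val.strip('"'), pos + 3
                pos += 1
            sub = selection_set() if toks[pos] == "{" else {}
            fields[name] = (args, sub)
        pos += 1  # consume '}'
        return fields

    return selection_set()

# Schema: type -> field -> (return type, None for scalars; resolver(caller, parent, args)).
SCHEMA = {
    "Query": {
        "me": ("User", lambda caller, _p, _a: USERS[caller]),
        "user": ("User", lambda caller, _p, a: USERS.get(a["id"])),  # public profile lookup
    },
    "User": {
        "name": (None, lambda caller, u, _a: u["name"]),
        "email": (None, lambda caller, u, _a: u["email"]),
        "orders": ("Order", lambda caller, u, _a: [ORDERS[o] for o in u["orders"]]),
    },
    "Order": {
        "total": (None, lambda caller, o, _a: o["total"]),
        "card_last4": (None, lambda caller, o, _a: o["card_last4"]),
        "owner": ("User", lambda caller, o, _a: USERS[o["owner"]]),  # User <-> Order cycle
    },
}
# Fields only their owner may read, whichever path through the graph reaches them.
OWNER_ONLY = {("User", "email"), ("User", "orders"), ("Order", "card_last4")}

def owner_of(type_name, obj):
    return obj["id"] if type_name == "User" else obj["owner"]

def field_authz(caller, type_name, field, parent):
    """Ownership check applied per field, so the entry point no longer matters."""
    if (type_name, field) in OWNER_ONLY and owner_of(type_name, parent) != caller:
        raise Forbidden(f"{type_name}.{field}")

def depth(selection):
    return 0 if not selection else 1 + max(depth(sub) for _a, sub in selection.values())

def execute(type_name, parent, selection, caller, authz=None):
    result = {}
    for name, (args, sub) in selection.items():
        ret_type, resolver = SCHEMA[type_name][name]
        if authz:
            authz(caller, type_name, name, parent)
        value = resolver(caller, parent, args)
        if ret_type is None or value is None:
            result[name] = value
        elif isinstance(value, list):
            result[name] = [execute(ret_type, v, sub, caller, authz) for v in value]
        else:
            result[name] = execute(ret_type, value, sub, caller, authz)
    return result

def run_unprotected(query, caller):
    """Authenticated only: user(id:) takes any id and nothing below re-checks ownership."""
    return execute("Query", None, parse(query), caller)

def run_hardened(query, caller, max_depth=4):
    sel = parse(query)
    if depth(sel) > max_depth:  # reject before any resolver runs
        raise QueryTooDeep(depth(sel))
    return execute("Query", None, sel, caller, authz=field_authz)
```

Calling `run_unprotected('{ user(id: "u2") { name orders { card_last4 } } }', "u1")` returns Bob's card digits to Alice; the same query through `run_hardened` raises `Forbidden` at `User.orders`, while `{ user(id: "u2") { name } }` still works. The per-field check is what restores the REST-style property Koren contrasts: the ownership decision is attached to the sensitive field itself, so it holds however deep in the graph the field is reached, and the depth cap rejects `orders { owner { orders { ... } } }` cycles before resolving anything. Production GraphQL servers expose the same two controls as resolver middleware and validation rules; they are hand-rolled here only to keep the example self-contained.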

GraphQL developers will be able to use Salt Security’s platform to discover APIs and where they expose sensitive data, mitigate data exposure, stop attacks, and eliminate vulnerabilities, the company says. The platform parses the complex structure of the…
