Summary of Applying LangSec principles with GraphQl - Mike Williamson (BSides Halifax 2020)

This is an AI-generated summary. There may be inaccuracies.

00:00:00 - 00:40:00

This video explains how LangSec principles can be used to secure a GraphQL API. The presenter demonstrates how to define a custom scalar type that rejects malformed input before it reaches application code, and how introspection queries can be used to audit which inputs a schema accepts.

  • 00:00:00 Mike Williamson, a developer with a passion for digital government, introduces GraphQL and LangSec. LangSec is a corner of the security world that traces many vulnerabilities to ad hoc handling of input and argues for treating input as a formal language that is fully recognized before it is processed. Williamson presents the recognizer pattern, a common pattern in LangSec, and explains how a GraphQL schema can play that role.
  • 00:05:00 The video introduces GraphQL, a query language for APIs (despite the name, it is not a language for graph databases). By defining a schema, developers specify the language and grammar their API accepts: they create their own nouns (types) and verbs (fields and mutations) and attach resolver functions to them to handle requests. Every query that arrives is checked against that grammar before any resolver runs, which is how the video frames the schema as an application-level firewall in front of the code.
  • 00:10:00 The video discusses the use of LangSec principles in GraphQL. The presenter gives an overview of the GraphQL library and shows how it parses a query into structured data (an abstract syntax tree) and validates that structure against the schema. This is the library acting as a recognizer for input: only queries that fit the grammar get anywhere near application code.
  • 00:15:00 This part demonstrates what happens without that discipline. The video features a query schema that accepts a free-form string from the user and a resolve function that deserializes that string itself. The presenter then sends crafted input through the argument and shows how the loosely typed string lets unexpected data reach the resolver and break the resulting output.
  • 00:20:00 The video discusses the anti-pattern of accepting complex data as strings and parsing it inside the application, and how GraphQL's type system reduces the number of bare strings an application has to trust. GraphQL also has introspection, a metadata schema that lets you query any endpoint about the data it exposes; this can be used to inspect the data types and relationships within an application.
  • 00:25:00 This section shows how GraphQL rejects malformed input before any resolver code runs: the library validates each incoming query against the schema and returns an error for anything that does not fit the declared types. Attackers have a much harder time getting malicious input to application code when the boundary refuses it first.
  • 00:30:00 This section explains how GraphQL lets developers define custom scalar types. Scalars are the primitive values in a schema, such as strings, integers and booleans, and a custom scalar can carry its own validation, so instead of accepting an opaque string the schema enforces a precise grammar for that value on the way in. Values that do not match are rejected before they ever reach a resolver.
  • 00:35:00 The speaker discusses how LangSec principles apply to GraphQL, a query language and runtime for APIs. They discuss the benefits of GraphQL and its ability to check input for correctness against the schema, and mention the introspection query, which lets you ask an endpoint to describe its own schema so that the types it accepts can be audited.
  • 00:40:00 The presenter wraps up on how LangSec principles apply to GraphQL and how introspection queries can help secure systems, and reminds attendees that the Security Innovation CTF is still ongoing.
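The recognizer pattern, the custom scalar and the introspection audit described in the summary above, as one added example that is not code from the talk or from any GraphQL project. It is written in JavaScript because the GraphQL reference implementation (graphql-js) is, and the scalar config object has the shape `new GraphQLScalarType({...})` accepts there; the execution engine is mimicked with a few lines so the file runs without dependencies. The `ISODate` scalar, the `eventsOn` field and the sample introspection response are assumptions chosen for illustration, not anything the talk is known to have used.

```javascript
// Added example, not from the talk or this summary. Shows a LangSec-style
// recognizer as a GraphQL custom scalar beside the stringly-typed anti-pattern,
// plus an introspection-based audit for bare String arguments.
// ISODate, eventsOn and the sample schema below are assumptions for illustration.

const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Full recognizer for the YYYY-MM-DD language. The regex fixes the shape; the
// round trip through Date.UTC rejects well-shaped non-dates such as 2020-02-30,
// which the regex alone would accept.
function recognizeIsoDate(value) {
  if (typeof value !== 'string') {
    throw new TypeError('ISODate must be a string');
  }
  const m = ISO_DATE.exec(value);
  if (m === null) {
    throw new TypeError(`ISODate must match YYYY-MM-DD, got ${JSON.stringify(value)}`);
  }
  const [year, month, day] = m.slice(1).map(Number);
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    throw new TypeError(`ISODate ${value} is not a calendar date`);
  }
  return value;
}

// Custom scalar config (shape of graphql-js' GraphQLScalarType constructor arg):
// the recognizer is wired to every path by which a value can enter or leave.
const ISODateScalar = {
  name: 'ISODate',
  description: 'A calendar date in YYYY-MM-DD form.',
  parseValue: recognizeIsoDate,          // values supplied through query variables
  parseLiteral(ast) {                    // literals written inline in the query text
    if (ast.kind !== 'StringValue') {    // 'StringValue' is graphql-js' Kind.STRING
      throw new TypeError(`ISODate must be a string literal, got ${ast.kind}`);
    }
    return recognizeIsoDate(ast.value);
  },
  serialize: recognizeIsoDate,           // values on the way out
};

// The built-in String scalar, as loosely typed as it gets: any string passes.
const StringScalar = {
  name: 'String',
  parseValue(value) {
    if (typeof value !== 'string') throw new TypeError('String cannot represent a non string value');
    return value;
  },
};

// One resolver for eventsOn(day: ...). Declared with `day: String!` it must
// parse the date itself and junk flows on as NaN; with `day: ISODate!` the
// schema has already recognized the value and the resolver can trust it.
function eventsOnResolver(_parent, args) {
  return { day: args.day, epochMs: Date.parse(args.day) };
}

// Mimics the engine's argument coercion: each argument goes through its type's
// parseValue, and on any error the resolver is never called.
function executeField(argTypes, resolver, rawArgs) {
  const args = {};
  for (const [name, type] of Object.entries(argTypes)) {
    try {
      args[name] = type.parseValue(rawArgs[name]);
    } catch (err) {
      return { data: null, errors: [`Argument "${name}": ${err.message}`] };
    }
  }
  return { data: resolver(null, args), errors: [] };
}

// Audit via introspection: list every query argument whose underlying type is
// the bare String scalar, i.e. input whose grammar the schema does not enforce.
const AUDIT_QUERY = `{ __schema { queryType { fields {
  name args { name type { name kind ofType { name kind ofType { name kind } } } } } } } }`;

// Constructed sample of an introspection response in the shape AUDIT_QUERY returns.
const SAMPLE_INTROSPECTION = { data: { __schema: { queryType: { fields: [
  { name: 'eventsOn',    args: [{ name: 'day',  type: { name: null, kind: 'NON_NULL',
                                 ofType: { name: 'String', kind: 'SCALAR', ofType: null } } }] },
  { name: 'eventsAfter', args: [{ name: 'day',  type: { name: 'ISODate', kind: 'SCALAR', ofType: null } }] },
  { name: 'search',      args: [{ name: 'text', type: { name: 'String', kind: 'SCALAR', ofType: null } }] },
] } } } };

function stringTypedArgs(introspection) {
  const unwrap = (t) => (t.ofType ? unwrap(t.ofType) : t);   // strip NON_NULL / LIST wrappers
  const found = [];
  for (const field of introspection.data.__schema.queryType.fields) {
    for (const arg of field.args) {
      if (unwrap(arg.type).name === 'String') found.push(`${field.name}(${arg.name})`);
    }
  }
  return found;
}
```

Run against `{ day: '2020-13-45' }`, `executeField({ day: StringScalar }, ...)` returns data with no errors and the junk reaches the resolver, while `executeField({ day: ISODateScalar }, ...)` returns `data: null` with one argument error and the resolver never runs; the same resolver, only the declared type differs. `stringTypedArgs(SAMPLE_INTROSPECTION)` yields `eventsOn(day)` and `search(text)`, the arguments still worth a review. In a real service the config would be passed to `new GraphQLScalarType(ISODateScalar)` and `AUDIT_QUERY` would be POSTed to the endpoint being audited.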
