Down the Rabbit Hole: Exploring GraphQL Exploitation
Using WebAssembly to run, extend, and secure your application
Far from green fields - introducing Threat modelling to established teams
"Down the Rabbit Hole: Exploring GraphQL Exploitation" is an in-depth exploration into the world of GraphQL from a security perspective. This talk is designed for those with a keen interest in understanding the latest advancements in web technologies and their potential vulnerabilities. It provides a roadmap to navigate the complexities of GraphQL, demonstrating efficient methodologies for building and consuming APIs while highlighting potential security risks.
The talk delves into the diverse ecosystem of tools, libraries, and frameworks available across various programming languages, and into GraphQL's subscription mechanism, which delivers real-time data updates. It also discusses the practical implementation and integration of GraphQL in different environments, emphasizing the potential security implications. Whether you're an experienced developer or a cybersecurity professional, this talk will arm you with the necessary knowledge and tools to effectively exploit and secure GraphQL implementations.
WebAssembly (WASM) has come a long way since its first release in 2017. As a technology stack running inside the web browser, it even allows products like Adobe Photoshop to run in that context. Now with a standard called WASI, WASM is expanding beyond the browser to run in a server-based context.
Had WASM and WASI been around in 2009, Docker would not have existed, according to one of its founders, Solomon Hykes. WASM has a strong security posture given how it works with a linear memory space and how it supports a sandbox-based environment called a "nano-process", which uses a capabilities-based security model.
In this session we'll start by going through some of the basic security features of WASM and then move on to running and extending an application with WASM. After that we'll focus on the security features and use the sandbox and the capabilities-based security model to limit what the application is allowed to do.
'Far from green fields - introducing Threat modelling to established teams' takes a look at the unique challenges of introducing Threat Modelling to well established software teams.
Microsoft introduced threat modelling as part of the Trustworthy Computing initiative back in the early 2000s. This was in response to the difficulty they were facing in maintaining the trust of their user base in the light of several high-profile security issues. Nobody would categorise Microsoft as a startup in 2002, and nobody at Microsoft was suggesting that they stop moving forward with planned features and advancements while they adjusted their practices. Why, then, does so much of the material available to support you as you roll out threat modelling describe it in the context of greenfield projects? Most of us need to know how to successfully introduce this highly effective shift-left security practice to real teams: teams that are running at pace on the treadmill of change, spinning the plates of customer commitments and feature enhancements. In this talk, I will share the experiences of a 3-year journey I have been on to introduce threat modelling to my colleagues across a range of product offerings. We made some mistakes, we learned some lessons the books could not have taught us, but ultimately we succeeded, and in succeeding we learned that introducing threat modelling is only the beginning.
Originally conceived in a pre-COVID world, this talk has been updated to include a look at the challenges and some surprising advantages of threat modelling on remote teams, the impact of legislation, and the pros and cons of AI for the practice.