Resource Center  >  Blog

Security Testing Automation for GraphQL APIs, with Bright

November 5, 2020
Oliver Moradov

Bright’s ability to work with modern technology stacks and API security testing now includes full support for GraphQL APIs, enabling our customers to simplify, automate and scale their security testing even further with our solutions, as they embrace new architectures.

Developed internally by Facebook and released publicly in 2015, the rise in popularity of GraphQL has grown exponentially, and we are excited to support our clients who join the many household names that are embracing GraphQL, including Github, Twitter and Airbnb.

Our GraphQL API security testing support exemplifies our dedication to enabling our clients, at the forefront of modern technology, to integrate application security testing across their CI/CD pipelines and to reduce their reliance on manual testing.

The Rise of GraphQL

What has driven this rise in popularity? Advantages of a GraphQL API include:

Microservices Friendly, just like Bright – GraphQL API handles communication between multiple microservices, merging them into one GraphQL schema, great when migrating from a monolithic application to a microservice architecture.

Single API call, with precise data fetching – Whereas REST APIs lack granular control over data, resulting in the over-fetch or under-fetch of data, GraphQL delivers a modern, simple, efficient and flexible way to improve client-server interactions, by enabling the client to make a single API call to obtain the precise data its needs, maximising performance.

Rapid production iterations – with GraphQL, changes in front end code do not require the restructuring of code by the backend engineers, so frontend developers can promptly respond to user feedback and make the changes.

Eliminates versioning – API evolution with REST results in API versions, however GraphQL eliminates versioning by deprecating APIs on a field level, removing them from the schema without impacting the existing queries. This single, evolving version provides applications with continuous access to new features.

API documentation Automation – Documentation updates are synchronised with API changes. As the GraphQL API is closely coupled with code, once a field, type or query changes, so do the docs, meaning developers spend less time documenting an API, always a good thing!

An innovative API, needs an innovative DAST 

You are at the forefront of technology and have invested in GraphQL for automation, accuracy, superior performance and speed. 

Bright is your security partner with a technology that mirrors these deliverables, with innovative AppSec testing automation built from the ground up with a Dev First approach, to test modern WebApps and APIs as part of your CI/CD.

Supercharge your GraphQL (or REST and SOAP) security testing with Bright. 

Key features of our GraphQL testing include:

We Understand
Unlike any other DAST tools, we automatically parse the data types to understand their context, to leverage sophisticated attacks and analyse the responses to evolve the payloads further.

Full depth parsing
Ability to parse varying interaction definitions, such as an XML object inside a GraphQL query, or vice versa

Sophisticated Payloads
Compliance testing to detect the OWASP API Top 10 and more, or carry out API Fuzz testing with Bright.

CI/CD Integration
Integrate via Rest API, our CLI for developers, or with common tools such as CircleCI, Jenkins, Jira or Github to carry out incremental scanning to empower your developers to detect and fix vulnerabilities on every build as part of your CI/CD, leveraging multiple discovery methods to initiative a security test, including:

  • Crawler – proprietary and advanced to detect and parse GraphQL
  • HAR files
  • OpenAPI (Swagger) files 
  • Postman Collections

To find out how you can leverage our technology to test your GraphQL, please be in touch or request a demo here.

The Role of AI in Application Security

Wednesday, March 6th 9:00 am PT

In today’s interconnected digital landscape, data exchange plays a pivotal role in web applications. Extensible Markup Language (XML) is a

See more

In the previous segment of our blog series, we looked at the operations of Ryuk and Conti ransomware groups, shedding light on their tactics and impact. In this section, we turn our attention to Maze and Lockbit, two formidable players in the cyber threat landscape, exploring their collaborative dynamics, unique characteristics, and the evolving strategies that define their ransomware campaigns. 

See more

Part 1 of 2 In the dynamic landscape of cyber threats, the battle between ethical and malicious actors has escalated

See more
Get Started
Read Bright Security reviews on G2