
Emerging Protocols and Security

In the past few years, there has been a growing interest in emerging protocols such as GraphQL and gRPC. These protocols offer a number of advantages over traditional REST APIs, such as improved performance, scalability, and flexibility. As a result, they are increasingly being adopted by enterprise architects for a variety of use cases.

What is GraphQL?

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. It allows clients to ask for exactly the data they need, without having to know about the underlying data structures. This makes it a more efficient and flexible way to interact with APIs.

GraphQL is a relatively new protocol, but it has already gained a lot of traction in the enterprise world. It is being used by companies like Facebook, GitHub, and Spotify.

What is gRPC?

gRPC is a high-performance, open-source remote procedure call (RPC) framework that uses the HTTP/2 protocol. It is designed to be efficient and reliable, making it ideal for microservices architectures.

gRPC is also a relatively new protocol, but it has quickly become popular among enterprise architects. It is being used by companies like Google, Netflix, and Uber.

Use cases for GraphQL and gRPC

GraphQL and gRPC can be used for a variety of use cases in the enterprise, including:

  • Building modern web applications: GraphQL can be used to build modern web applications that are more efficient and flexible than traditional REST APIs.
  • Developing microservices architectures: gRPC can be used to develop microservices architectures that are more efficient and scalable than traditional monolithic architectures.
  • Creating real-time applications: GraphQL and gRPC can be used to create real-time applications that require low latency and high throughput.
  • Providing APIs for mobile devices: GraphQL and gRPC can be used to provide APIs for mobile devices that are efficient and easy to use.
  • Enabling serverless computing: GraphQL and gRPC can be used to enable serverless computing, which can help to reduce costs and improve scalability.

Security implications of GraphQL and gRPC

GraphQL and gRPC are both secure protocols, but there are some security implications that enterprise architects should be aware of.

GraphQL

GraphQL inherits many security aspects from REST APIs: you can use OAuth to obtain a token and then use that token to consume a GraphQL API, for example. However, any security rules that were built around REST concepts may not be applicable to GraphQL and need to be revised. For example, you may have rules for your REST APIs that are based on the HTTP verb (GET vs POST or DELETE). This concept does not apply to GraphQL; you need an understanding of the API's schema to know which operations are mutations. You may also have rules that take the URI as a resource ID, such as:

"HTTP GET myapi/resource/{id}"

In GraphQL all queries go to the same URI, and you need to parse the query to understand which resource is affected. The same applies to response codes, which are sometimes used in security rules such as limiting the number of failed attempts. In a REST API you can inspect the HTTP status code to differentiate between successes and failures, whereas in GraphQL errors are embedded in the response body and typically come back with a 200 status.

Another API security aspect affected by GraphQL is metering. REST APIs are commonly rate limited, and service level agreements often include a maximum number of API calls per day or other time period. In GraphQL, multiple requests can be concatenated into one, undermining the simple practice of counting API calls. A malicious GraphQL requester could more easily abuse an API by crafting queries of unbounded complexity in an attempt to DoS the API.
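The three points above (operation type is in the query body rather than the HTTP verb, errors arrive in 200 responses, and batching or deep nesting defeats per-call metering) can all be handled at an API gateway by inspecting the request body. The following is an added, self-contained example written for this article, not code from any product mentioned here. It uses a deliberately small tokenizer rather than a full GraphQL parser (a production gateway would use the real parser, and the depth, cost and batch limits are constructed policy values, not standards):

```python
import json
import re
from dataclasses import dataclass

KEYWORDS = {"query", "mutation", "subscription", "fragment"}
TOKEN_RE = re.compile(r"\.\.\.|@[A-Za-z_]\w*|[A-Za-z_]\w*|[{}:]")


def _strip_strings_and_comments(doc: str) -> str:
    """Remove string literals and comments so braces inside them are not counted."""
    doc = re.sub(r'"""[\s\S]*?"""', '""', doc)        # block strings
    doc = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', doc)    # ordinary strings
    return re.sub(r"#[^\n]*", "", doc)                 # comments


def _strip_parenthesised(doc: str) -> str:
    """Drop argument lists and variable definitions; they may contain input-object braces."""
    out, depth = [], 0
    for ch in doc:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


@dataclass
class QueryProfile:
    operations: list    # operation types in document order, e.g. ["query", "mutation"]
    max_depth: int      # deepest nesting of selection sets
    field_count: int    # total fields selected, used as a crude cost proxy


def profile_document(doc: str) -> QueryProfile:
    """Classify a GraphQL document: which operations it runs and how heavy it is."""
    tokens = TOKEN_RE.findall(_strip_parenthesised(_strip_strings_and_comments(doc)))
    ops, depth, max_depth, fields = [], 0, 0, 0
    pending = None   # top-level keyword whose selection set has not opened yet
    skip = 0         # words to ignore after "..." (fragment spread / inline fragment)
    for i, tok in enumerate(tokens):
        if tok == "{":
            if depth == 0 and pending != "fragment":
                ops.append(pending or "query")     # "{ ... }" shorthand is a query
            if depth == 0:
                pending = None
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "...":
            skip = 1
        elif tok == ":" or tok.startswith("@"):
            continue                               # alias separator or directive
        elif depth == 0:
            if tok in KEYWORDS:
                pending = tok
        elif skip:
            skip = 1 if tok == "on" else skip - 1  # "... on Type" skips the type name too
        elif i + 1 < len(tokens) and tokens[i + 1] == ":":
            continue                               # alias name; the real field follows
        else:
            fields += 1
    return QueryProfile(ops, max_depth, fields)


def profile_request(body: str) -> list:
    """Profile an HTTP body that is either one {"query": ...} object or a JSON-array batch."""
    payload = json.loads(body)
    items = payload if isinstance(payload, list) else [payload]
    return [profile_document(item["query"]) for item in items]


def request_cost(body: str) -> int:
    """Metering units for the whole request: one unit per selected field (constructed policy)."""
    return sum(p.field_count for p in profile_request(body))


def exceeds_limits(body: str, max_depth: int = 6, max_cost: int = 100, max_batch: int = 5) -> list:
    """Return policy violations for a request; an empty list means it may proceed."""
    profiles = profile_request(body)
    reasons = []
    if len(profiles) > max_batch:
        reasons.append(f"batch of {len(profiles)} exceeds {max_batch}")
    deepest = max(p.max_depth for p in profiles)
    if deepest > max_depth:
        reasons.append(f"depth {deepest} exceeds {max_depth}")
    cost = sum(p.field_count for p in profiles)
    if cost > max_cost:
        reasons.append(f"cost {cost} exceeds {max_cost}")
    return reasons


def response_failed(status: int, body: str) -> bool:
    """Treat a 200 whose body carries a non-empty "errors" array as a failure, like a REST 4xx."""
    if status >= 400:
        return True
    try:
        payload = json.loads(body)
    except ValueError:
        return True
    return bool(isinstance(payload, dict) and payload.get("errors"))


# Constructed sample traffic; none of it comes from a real API.
READ = json.dumps({"query": "query Me($n: Int) { me { id name friends(first: $n) { name } } }"})
WRITE = json.dumps({"query": 'mutation { deleteUser(id: "42") { ok } }'})
BATCH = json.dumps([{"query": "{ me { id } }"}] * 6)
DEEP = json.dumps({"query": "{ me " + "{ friends " * 8 + "{ id }" + " }" * 8 + " }"})
ERR_200 = '{"data": null, "errors": [{"message": "not authorised"}]}'

if __name__ == "__main__":
    for name, body in [("READ", READ), ("WRITE", WRITE), ("BATCH", BATCH), ("DEEP", DEEP)]:
        print(name, profile_request(body), "cost", request_cost(body), exceeds_limits(body) or "ok")
    print("200 with errors counts as failure:", response_failed(200, ERR_200))
```

A gateway rule written against these profiles replaces the REST-era checks: "mutation in operations" stands in for "verb is POST/DELETE", `request_cost` stands in for counting calls, and `response_failed` feeds the failed-attempt counter that would otherwise never trigger on a 200.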

gRPC

The primary security concern with gRPC is its use of the HTTP/2 protocol, which on its own is not as secure as HTTPS: HTTP/2 without TLS does not encrypt the request and response messages. To mitigate this risk, enterprise architects should use HTTPS (HTTP/2 over TLS) for all gRPC communications.

For both GraphQL and gRPC, a hardened API management platform with security policies in place will help mitigate these threats.

Conclusion

GraphQL and gRPC are emerging protocols that offer a number of advantages over traditional REST APIs. They are increasingly being adopted by enterprise architects for a variety of use cases. However, there are some security implications that enterprise architects should be aware of. By carefully considering these implications, enterprise architects can use GraphQL and gRPC to build secure and efficient applications.

In addition to the security implications mentioned above, enterprise architects should also consider the following when choosing between GraphQL and gRPC:

  • Performance: GraphQL is generally more performant than gRPC, because it can be used to fetch exactly the data that is needed.
  • Scalability: gRPC is generally more scalable than GraphQL, because it can be used to support more concurrent connections.
  • Complexity: GraphQL is more complex than gRPC, because it requires more knowledge of the underlying data structures.

And as noted, a properly configured, hardened API management solution will help mitigate these new security implications. The best choice for a particular use case will depend on the specific requirements of the application.