You added security measures to all your subgraphs and are sure you're safe? Think again. In a federated GraphQL system, the most significant risks often hide not within individual services, but within the logic and trust assumptions of the federation layer itself. This talk explores how federated GraphQL architectures introduce a new class of security challenges that traditional testing and validation frequently overlook. We'll walk through practical examples based on real-world use cases and both offensive and defensive insights, showing why stitching secure services together doesn’t automatically result in a secure supergraph. Attendees will see federation-specific threats in action, learn important security concepts, and walk away with actionable strategies for hardening routers, auditing configurations, and building safer service interactions. We'll also share PoC code and conceptual outlines for detection tooling to help apply these learnings in real-world systems. An engaging, practical, and scenario-driven session - especially relevant for developers and security engineers working with federated GraphQL systems.
Application Security Researcher, JFrog, JFrog
I'm an Application Security Researcher passionate about breaking assumptions in modern web technologies. From protocol quirks to real-world vulnerabilities, I explore how small oversights lead to big security issues. My work often blends offensive research with practical defense, aiming to make the internet a little safer and a lot more interesting.
Join three transformative days of expert insights and innovation to shape the next decade of APIs!