Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Open Source GraphQL APIs Will Gain Steam, But Can Security Keep Pace?
By Shahar Binyamin, CEO and co-founder at Inigo
The stakes of API modernization will reach a tipping point in 2023. Application
developers and DevOps teams are under increasing pressure to do more with less,
with cost and workflow efficiencies top of mind. GraphQL has strong answers for
both of those concerns, and the open source API query language is poised to have
an outsized impact in the coming year. However, expect DevSecOps, security, and
even developer teams themselves to also clamp down on API security as they try
to avoid the adopt-first, secure-later pitfalls of other developer-led
technology movements.
Expect:
1) The developer-led push to GraphQL, as a replacement for legacy REST APIs,
will continue to accelerate.
GraphQL will gain even more steam in 2023 as developers bring the open source
solution into their organizations. With a traditional REST API, a client that
needs related data typically calls several endpoints in sequence and stitches
the responses together itself, and the shape of each response is fixed by the
server, so clients routinely over-fetch fields they never use. It's a heavy
lift. In contrast, a GraphQL client describes exactly the fields it needs,
including nested relationships, and receives them in a single request; fewer
round trips and smaller payloads also keep applications responsive on slow
network connections. These simplicity, flexibility, and scalability differences
underpin the performance advantages that are driving developers to GraphQL.
For the many teams still grappling with the limitations of REST APIs, making
the shift to GraphQL will become increasingly desirable, both for developer
productivity and competitive differentiation. From application capabilities to
time-to-market, this API modernization will give organizations a meaningful leg
up in 2023 (and do so even if technology budgets shrink).
2) GraphQL security incidents will
increase.
Just as teams are ramping up their use of API connectivity to enable fresh user
experiences and functionality, attackers are focused on testing whether those
APIs are secure or not. A recent Salt Labs API security report finds that
attacks targeting APIs have increased by 681% in the past year. While less than
10% of enterprises used GraphQL in production as of 2021, Gartner research
indicates that more than 50% will by 2025. Meanwhile, almost all, 95%, of
organizations report having experienced an API security incident. Such attacks
are likely to increase in 2023, as more attackers explore the opportunities (and
vulnerabilities) of this API attack surface.
Developer teams hurrying to adopt
GraphQL have, in many instances, done so without a thorough approach to
security. This isn't sustainable at scale and, in 2023, I expect GraphQL
adoption practices will mature such that more developers embrace an active
security stance from the moment the organization begins using it.
To implement GraphQL securely, teams need to ask themselves, in the event of an
incident, whether they have visibility into what data was accessed and by whom.
They also need to ask whether their current WAF actually inspects GraphQL
requests (every operation arrives as a POST to the same endpoint, so rules keyed
on URL paths and HTTP methods see nothing of what was requested), and whether
they can identify the percentage of their APIs that are GraphQL APIs. Questions
like these will raise the issues developer teams need to address ahead of a
secure GraphQL implementation. Once visibility, access controls, and firewall
implementations are trustworthy and meet organizational standards, teams will
have more confidence to implement and scale GraphQL.
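As an added illustration of the visibility and WAF questions above (example code written for this page, not Inigo's product and not any GraphQL library's API), the following pre-processing layer parses an incoming GraphQL operation, records which schema fields a given principal asked for, and applies a policy before the request reaches the server. The supported query subset, the policy limits (depth 6, introspection off, a denied `me.ssn` path), the principal name and the sample requests are all assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Whitespace, commas and comments are skipped; any other unrecognised character is an error.
TOKEN_RE = re.compile(r'\s+|,|#[^\n]*'
                      r'|(?P<tok>[{}()\[\]:]|"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|[A-Za-z_]\w*)'
                      r'|(?P<bad>.)')
Field = namedtuple("Field", "name alias selections")   # name is the schema field, not the alias

def tokenize(text):
    toks = []
    for m in TOKEN_RE.finditer(text):
        if m.group("bad"):
            raise ValueError(f"unexpected character {m.group('bad')!r}")
        if m.group("tok"):
            toks.append(m.group("tok"))
    return toks

class Parser:
    # One operation: fields, aliases, literal arguments (skipped, not interpreted) and nested
    # selection sets. Fragments, variables and directives are rejected by tokenize().
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def name(self):
        tok = self.take()
        if not re.fullmatch(r"[A-Za-z_]\w*", tok):
            raise ValueError(f"expected a name, got {tok!r}")
        return tok
    def parse_document(self):
        op = "query"                                   # shorthand "{ ... }" is a query
        if self.peek() in ("query", "mutation", "subscription"):
            op = self.take()
            if self.peek() != "{":
                self.name()                            # optional operation name
        sels = self.parse_selection_set()
        if self.peek() is not None:
            raise ValueError("only a single operation is supported")
        return op, sels
    def parse_selection_set(self):
        self.take("{")
        sels = []
        while self.peek() != "}":
            sels.append(self.parse_field())
        self.take("}")
        return sels
    def parse_field(self):
        name, alias = self.name(), None
        if self.peek() == ":":                         # "alias: realField"
            self.take(":")
            alias, name = name, self.name()
        if self.peek() == "(":                         # arguments: skip to the closing ")"
            self.take("(")
            while self.take() != ")":
                pass
        return Field(name, alias, self.parse_selection_set() if self.peek() == "{" else [])

def field_paths(sels, prefix=""):
    # Dotted path of every selected field, keyed by schema name, so "e: email" still logs as email.
    out = []
    for f in sels:
        path = f"{prefix}.{f.name}" if prefix else f.name
        out.append(path)
        out.extend(field_paths(f.selections, path))
    return out

def max_depth(sels):
    return 0 if not sels else 1 + max(max_depth(f.selections) for f in sels)

Policy = namedtuple("Policy", "max_depth allow_introspection deny_paths")

def inspect_request(body, principal, policy):
    # Audit record (who asked for which fields) plus the policy decision. Every request is a
    # POST to the same URL, so a path-based WAF rule cannot see any of this.
    op, sels = Parser(body).parse_document()
    paths = field_paths(sels)
    record = {"principal": principal, "operation": op, "depth": max_depth(sels),
              "paths": paths, "allowed": True, "reason": None}
    denied = sorted(set(paths) & set(policy.deny_paths))
    if record["depth"] > policy.max_depth:
        record.update(allowed=False, reason=f"depth {record['depth']} > {policy.max_depth}")
    elif not policy.allow_introspection and any(p.split(".")[-1] in ("__schema", "__type") for p in paths):
        record.update(allowed=False, reason="introspection disabled")
    elif denied:
        record.update(allowed=False, reason=f"denied fields {denied}")
    return record

# Constructed requests of the kind a client would POST to /graphql, and an illustrative policy.
PROFILE_QUERY = "query Profile { me { id e: email orders(first: 5) { id total items { sku } } } }"
INTROSPECTION_QUERY = "{ __schema { types { name } } }"
DEEP_QUERY = "{ a { b { c { d { e { f { g } } } } } } }"
POLICY = Policy(max_depth=6, allow_introspection=False, deny_paths={"me.ssn"})

if __name__ == "__main__":
    for body in (PROFILE_QUERY, INTROSPECTION_QUERY, DEEP_QUERY, "{ me { ssn } }"):
        print(inspect_request(body, "alice@example.com", POLICY))
```

Two details carry the security point. Paths are recorded by schema field name rather than alias, so a client cannot hide a read of `email` behind `e: email` from the audit log or from a string-matching rule, and unknown syntax (variables, fragments, directives, stray characters) is rejected rather than skipped, so the record never under-reports what the server would have executed. In production you would take the parsed document from the server's own GraphQL parser instead of a hand-rolled one, and a depth limit is only one of several cost controls (it says nothing about list sizes or resolver cost).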
3) GraphQL adoption will buoy developer recruitment and retention, especially
as organizations work to support the developer experience.
GraphQL is a developer-driven movement for a reason. While technology
leadership might be most drawn to the efficiency gains GraphQL unlocks,
developers are excited to get their hands on an open source solution that lets
them make the most of their time and talents. But tech leaders will
increasingly recognize GraphQL adoption as a valuable draw from a recruiting
and retention perspective, with talented developers tired of wrestling with
REST APIs ready to work with more modern technology.
However, for all its benefits, GraphQL places pressure on developers to be
self-reliant, given the newer API technology's relative lack of support
platforms and developer tools. GraphQL's developer experience often suffers
when teams lack visibility into how their APIs are actually being used. In
2023, expect organizations to address this need by introducing visibility and
CI/CD integration tooling to ensure higher-quality developer experiences,
turning this shortcoming into an asset. More effective monitoring and
observability planning, and tooling, will optimize GraphQL server operations
and scaling. On the security front in 2023, expect teams to prioritize
universal security layers that automate attack detection and mitigation,
harden attack surfaces, and provide effective access controls.
ABOUT THE AUTHOR
Shahar Binyamin is the CEO and co-founder at Inigo, which focuses on GraphQL security and management tools for
developers and DevSecOps teams. A software engineer by trade, he has extensive
experience working on high-profile enterprise application and security
projects. Among his roles, Shahar spent several years within the InfoSec Unit
of the Israeli Defense Forces. He has also led product development at Dropbox
and Kiteworks, with a focus on ensuring data and API security. He co-founded
Inigo to address the disconnect between developers using GraphQL and the API
security and operation challenges they were having. Shahar lives in Silicon
Valley, where Inigo is headquartered.