If You’re Using GraphQL, You Must Have Inigo

Cristi Vlad
4 min read · Feb 13, 2023

I’ve spent the past couple of days looking over inigo.io, a GraphQL security and management platform for APIs. This basically works by running an agent alongside your GraphQL server. It comes with a very seamless integration with a whole host of servers (see the docs).

Developers, DevOps engineers and Security Architects are just a few of the roles that can greatly benefit from Inigo.

First, as a developer, you’ll improve the efficiency of your operations, analytics, schema planning, and, overall, every step in your API lifecycle.

As a security professional, this is one of the best ways to deal with access controls, query protection, and rate limits.

As a security professional myself, I always recommend that clients in my pentests disable introspection queries, for example. However, you don’t need to do that if you’re using Inigo because you can implement RBAC introspection separation, which looks something like this.

Also, schema-based access control is something many devs and sec people are looking for. Inigo comes with role-based declarative configurations giving you high granularity for types, fields, and arguments.
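The idea of separating introspection by role, mentioned above, can be sketched as follows. This is an added example, not Inigo's configuration or code and not from the original post; the role names and function names are hypothetical, and a production gate would use the server's own GraphQL parser rather than this small lexer.

```python
import re

# Hypothetical roles allowed to introspect (assumption, not from Inigo or the post).
INTROSPECTION_ROLES = {"admin", "developer"}

# Lex just enough GraphQL to tell a real field name from the same text inside
# a block string, an ordinary string, or a # comment.
_TOKEN = re.compile(
    r'"""(?:\\"""|[\s\S])*?"""'   # block string
    r'|"(?:\\.|[^"\\\n])*"'       # ordinary string
    r'|#[^\n\r]*'                 # comment
    r'|[_A-Za-z][_0-9A-Za-z]*'    # name (field, alias, argument, keyword)
)

def introspection_fields(query):
    """Return the schema-introspection names used in the query, in order.

    __typename is not flagged: it exposes no schema structure. Any other use
    of the reserved names (for example as an alias) is flagged, which errs on
    the side of denying.
    """
    return [m.group(0) for m in _TOKEN.finditer(query)
            if m.group(0) in ("__schema", "__type")]

def authorize(query, roles):
    """Return (allowed, reason) for a caller holding the given roles."""
    fields = introspection_fields(query)
    if not fields:
        return True, "no introspection"
    if INTROSPECTION_ROLES & set(roles):
        return True, "introspection allowed for role"
    return False, "introspection denied: " + ", ".join(sorted(set(fields)))

# Constructed sample queries (not captured traffic).
Q_INTROSPECT = "query { __schema { types { name } } }"
Q_STRING = 'query { search(text: "__schema") { __typename } }'
Q_COMMENT = "query { hero { name } } # __type probe"

if __name__ == "__main__":
    for q in (Q_INTROSPECT, Q_STRING, Q_COMMENT):
        for roles in (["viewer"], ["developer"]):
            print(roles, authorize(q, roles), q)
```
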

I could go into much more depth (from a security perspective) when it comes to what Inigo enables for rate limiting and query protection. Likewise, Devs and DevOps are probably the ones who can rejoice even more. They are not my area of expertise though, and I won’t bore you with all the details. Read the docs and see how it suits your needs (it’s got many easy-to-follow tutorials).

Now, if you just want to test the waters, as I did in the first place, head over to app.inigo.io, sign up, and use the Starwars Demo setup to get the feel of everything.

Once you’re set up and in the dashboard, you can see a bunch of analytics filtered for whatever timeframe you want.

What I like a lot here is that it shows you the latest errors, the users with errors, and some potential bottlenecks in your API implementation.

Then, the Explore tab gives you many more ways to look into each individual query.

And you can also see the sanitized version, such as with intentional or unintentional abuse. As a cybersecurity professional, it’s much easier when a client gives me access to their Inigo account and I can inspect everything.

Schema View is exactly what you think it is. What I like is that it’s version controlled and downloadable.

At this point, I probably didn’t tell you much about the CLI, which lets you manage your configurations and can be used in the terminal or integrated with your CI/CD pipelines. Again, it’s all in the docs, but I had to mention it.

The two strongest points, in my view, are the Config and the Playground. Config is the meat (if I may), the selling point, or one of the unique values Inigo brings.

You’ve got high granularity for setting up and editing configurations for aspects such as the service itself, security, access controls, and much more.

And of course, the Playground, where you can test everything out.

As I said previously, given the modern short attention span, I won’t go into further details, at least not for now. I gave you my current perspective on Inigo, as an appsec professional.

I’m recommending this solution to my pentesting clients and I’m definitely on the lookout for future feature releases from Inigo.
