Case Study

Case Study: How Thinkific has achieved enterprise-grade GraphQL security with Escape

Alexandra Charikova

4 min read
Case Study: How Thinkific has achieved enterprise-grade GraphQL security with Escape

Thinkific, a leading platform for creating and selling online courses, stands out for its commitment to flexibility and innovation. This dedication to innovative technologies led them to embrace GraphQL APIs as the center of their federated architecture. This system would aim to consolidate multiple existing APIs under one branch. However, achieving this goal while keeping control of the cyber risk is a hard task.

Thinkific security team searched for the best solution to achieve the security of these new federated GraphQL APIs. They decided to go with Escape as their full lifecycle API security solution.

Use cases

  1. Access Control testing at scale
  2. Achieve full security observability on GraphQL
  3. Live Protection against GraphQL API attacks

Thinkific chose Escape to make sure their GraphQL APIs are 100% secure

The problem

Thinkific faced a significant challenge when they decided to open their GraphQL APIs publicly through a federated Graph powered by Apollo Node.js Gateway.

The decision to expose their GraphQL APIs to the public brought a set of complex problems requiring innovative solutions.

đź’ˇ
The key problems included :

1. Ensuring robust Access Control to prevent security flaws in the federated Graph.
2. Addressing the lack of observability of security risks associated with GraphQL endpoints deployed to production.
3. The need to add a dynamic security layer to their GraphQL endpoint - a blind spot for most security teams.

Aleksandr Krasnov, Staff Security Engineer at Thinkific, was looking into an application security solution specifically dedicated to GraphQL security and came across a blog post on this topic written by the Escape team.

"We already were in the vetting stage for GraphQL Security vendors and haven’t found the one that would work specifically for Apollo, so when we saw Escape, it was an easy sell."
Aleksandr Krasnov, Staff Security Engineer, Thinkific

The solution

Upon implementing Escape, Aleksandr saw immediate results:

Comprehensive security testing

Escape provided Thinkific with a clear production-grade roadmap based on their own comprehensive security test set of 50+ security tests for GraphQL, including OWASP Top 10, business logic, and access control.

Thanks to Escape's built-in support for Federated GraphQL and Subgraphs, Thinkific's GraphQL API setup proceeded seamlessly without encountering any issues.

Using Escape’s developer-friendly remediation code snippets, Thinkific’s Engineering team was able to quickly take actions on the result and improve the cyber-resilience of their federated API.

Thinkific then integrated GraphQL Armor, Escape’s live protection plugin, to mitigate more security flaws and give attack-blocking capabilities to its GraphQL servers.

Instant visibility into all threats

Upon implementing Escape, Thinkific quickly gained full visibility into its GraphQL vulnerabilities. Escape interface provides a comprehensive view of the organization's API issues landscape:

Level of detail on vulnerabilities that Escape provides

With a clear understanding of the most important vulnerabilities and how to fix them, Thinkific was better equipped to allocate resources and focus on what needed protection.

How Escape stood out for Thinkific

According to Aleksandr, Escape stood out from the competition for three primary reasons:

  1. Robust support of Thinkific’s modern tech stack: Federated Apollo GraphQL
👉
By default, Apollo allows the entire API schema and queries to be discovered, which amplifies the critical security risk associated with it.

2. Escape uses GenAI technology to detect and report all GraphQL vulnerabilities. This gives Thinkific a clear visibility into issues within GraphQL and how to remediate them.

3. Escape security scanner deeply understands how GraphQL queries are processed and executed by the GraphQL server.

"Escape - is the only security scanner for GraphQL that is engine aware and developer friendly."
Aleksandr Krasnov, Staff Security Engineer, Thinkific
Want to see Escape in action for your GraphQL APIs? Book a demo with us 👇

Escape is there with Aleksandr and his team at Thinkific every step of the way. A dedicated tech team offers continuous support and swiftly addresses any technical issues or requests, ensuring smooth day-to-day operations.

The impact: fully secure GraphQL applications

We were able to get 100% visibility into our GraphQL vulnerabilities

Having visibility is the primary concern

While Thinkific is still in the early assessment stages with Escape, they have already experienced improvements.

  • Enhanced visibility into issues within their GraphQL infrastructure, thanks to Escape's security scanning capabilities.
  • Reduction of the API security risk by 50% in the first weeks of usage.
"It's been a huge benefit for the security team."

Future plans

With their current collaboration's success, Aleksandr looks forward to continuing his partnership with Escape. He found Escape to be a crucial part of their GraphQL security efforts.
Now, Thinkific is planning on integrating Escape deeper in the development process using the Shift-left CI/CD integration to achieve early, developer-friendly security testing.

"I'd definitely recommend Escape to other companies who are using GraphQL in a mature way"- says Aleksandr

Start securing 100% of your APIs for free

Get a complete inventory of your APIs and start fixing your vulnerabilities with detailed solutions for developers.

No credit card is required.

🚀 Get started now

Discover more Escape's application security case studies: