Security Vulnerabilities Were Accumulating in Our GraphQL Stack
Active CVEs in a production compliance platform. Audit scheduled. Limited team capacity. Every new feature built on a deprecated foundation.
Situation
You're the lead engineer at a compliance SaaS platform. Your GraphQL stack is more than 2 years out of date. A security scan just flagged two active CVEs: a DoS vulnerability via malicious file uploads and a SQL injection vector in the type system. A compliance audit is scheduled in 6 weeks. Your team is 3 engineers — one is mid-sprint on a customer feature.
Stakes
- Active CVEs in a production compliance system handling sensitive data
- Compliance audit in 6 weeks — auditors will check dependency versions
- Every new feature is built on a deprecated, vulnerable foundation
Two active CVEs in production. Audit in 6 weeks. Team of 3. What's your approach?