NoSQL, no security?
Will Urbanski
Vulnerability Management, Dell SecureWorks
What we will cover today

•  Why look at NoSQL security?
•  Relational Database attack vectors
•  NoSQL attack vectors
•  Securing NoSQL deployments

2        10/27/12
Why look at NoSQL security?

NoSQL is popular

•  Scalability
•  Redundancy
•  Flexibility
•  Rapid development / deployment
•  Cost

“Redis is designed to be accessed by trusted clients inside trusted
environments. This means that usually it is not a good idea to expose
the Redis instance directly to the internet or, in general, to an
environment where untrusted clients can directly access the Redis TCP
port or UNIX socket.” [redis.io]




“The most effective way to reduce risk for MongoDB deployments is to
run your entire MongoDB deployment, including all MongoDB
components in a trusted environment” [mongodb.org]




“When you start out fresh, CouchDB allows any request to be made by
anyone. [..] it should be obvious that putting a default installation into
the wild is adventurous. Any rogue client could come along and delete
a database.” [guide.couchdb.org]




Relational Databases (RDBMS)

•  Relative Feature Parity


•  Integrated Security Features

     –  Authorization

     –  Authentication

     –  Confidentiality




RDBMS Attack Surfaces

•  Software vulnerabilities

•  Credential brute forcing
     –  Offline storage
     –  Authentication protocols

•  Authorization weaknesses
     –  MITM
     –  Replay attacks

•  Injection Attacks

•  Privilege escalation

•  Insecure configurations

Does NoSQL mean “No Security”?

Injection

Injection Attacks

•  Database diversity is increasing
        ›    Command-based queries
        ›    CQL
        ›    JSON
        ›    BSON
        ›    Javascript
        ›    Custom query languages

•  Injection attack surface is increasing
     –  Query injection
     –  Schema injection
     –  Javascript injection

•  Attack complexity is increasing




Collections

     Tables         Collections




Schema Injection

•  Allows an attacker to insert arbitrary key/value pairs into a document
     –  Attacker can also change the data type of a key

•  Feasible when an application iterates POST values to create documents

Schema Injection

•  Schema injection can also be utilized to override existing fields.
     –  JSON object (replacement occurs in code)
     –  Query (replacement occurs on DB)

•  Last key takes precedence over previous fields.




Schema Injection

•  If non user-specified attributes are included before POST is iterated, the client can inject or modify protected attributes.

•  Think ‘HTTP Parameter Pollution’

Schema Injection Mitigation

•  RDBs mitigate this through the use of strongly typed tables.

•  Key enforcement
     –  Whitelist POST data values that can be added to the document
        ›  'email', 'firstName', 'lastName' should always be set via POST.
     –  Blacklist application-managed keys
        ›  'is_admin' can never be set via POST.

•  Replace or concatenate
     –  When using native JSON objects, add application-managed keys after adding user inputs.
     –  When using strings, always concatenate application-managed keys.
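The vulnerable and hardened document-building patterns from the schema injection slides above, as an added Python example that is not from the talk. The key names, the sample POST and the application-managed fields are constructed for illustration.

```python
import json

# Keys the application manages itself; clients must never set them
# (the slide's blacklist). Names are constructed for this example.
APPLICATION_MANAGED = {"is_admin", "date_created"}
# Keys a client is allowed to supply via POST (the slide's whitelist).
CLIENT_ALLOWED = {"email", "firstName", "lastName"}

# Application-managed values for a new account.
APP_FIELDS = {"is_admin": False, "date_created": "2012-06-15"}

# Constructed sample request: a normal signup plus a smuggled is_admin key
# whose value even has a different type (bool instead of string).
SAMPLE_POST = {"email": "will@localhost", "firstName": "Will", "is_admin": True}


def build_user_vulnerable(post, app_fields):
    """Vulnerable pattern from the slides: application-managed keys are set
    first, then every POST key is copied into the document. The last
    assignment wins, so a POST carrying is_admin overrides the protected
    value and changes its type."""
    doc = dict(app_fields)
    for key, value in post.items():
        doc[key] = value
    return doc


def build_user_hardened(post, app_fields):
    """Hardened pattern: keep only whitelisted client keys, drop any
    application-managed key, refuse non-string values, and merge the
    application-managed keys after the user input so they take precedence."""
    doc = {}
    for key, value in post.items():
        if key not in CLIENT_ALLOWED or key in APPLICATION_MANAGED:
            continue  # dropped; a real application would log the attempt
        if not isinstance(value, str):
            continue  # refuse type changes (lists, dicts, booleans)
        doc[key] = value
    doc.update(app_fields)  # application-managed keys added last
    return doc


def build_user_json_string(post, app_fields):
    """String-building variant of the same rule: when the document is
    assembled as text, the application-managed keys are concatenated after
    the client-supplied ones. The slide notes the last key takes precedence,
    which is also how json.loads resolves the duplicate. Ordering alone does
    not remove unexpected keys, so pair it with the whitelist above."""
    client_body = json.dumps(post)[1:-1]  # strip the outer braces
    app_body = json.dumps(app_fields)[1:-1]
    parts = [body for body in (client_body, app_body) if body]
    return json.loads("{" + ", ".join(parts) + "}")


if __name__ == "__main__":
    print("vulnerable:", build_user_vulnerable(SAMPLE_POST, APP_FIELDS))
    print("hardened:  ", build_user_hardened(SAMPLE_POST, APP_FIELDS))
    print("string:    ", build_user_json_string(SAMPLE_POST, APP_FIELDS))
```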




Query Injection

•  There are safe and unsafe ways to build JSON queries.

•  The good news is…
     –  Most languages that have implemented JSON-like dictionaries as native objects implement them safely.
     –  dict = {'email': email, 'password': password}

•  The bad news is…
     –  Strings still exist and can be abused to inject into queries on poorly written applications.
     –  dict = "{'email':'%s','password':'%s'}" % (email, password)

•  Language-specific constructs can also be abused
     –  PHP's superglobals
     –  String to JSON conversion
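The safe and unsafe query builders from this slide side by side, as an added Python example that is not from the talk; `decode_query`, `query_keys` and the constructed tampered input are assumptions used only to compare the structure each builder produces.

```python
import ast
import json


def build_login_query_unsafe(email, password):
    """The slide's bad pattern: the query is assembled by string formatting,
    so whatever the client sends lands inside the query text unescaped."""
    return "{'email':'%s','password':'%s'}" % (email, password)


def build_login_query_safe(email, password):
    """The slide's good pattern: a native dict serialised by json.dumps (or
    handed straight to the driver). Quotes inside the input are escaped, so
    the input can only ever become a string value, never query structure."""
    return json.dumps({"email": email, "password": password})


def decode_query(query_text):
    """Decode a query built either way into the object the database would
    see: json.loads for the safe builder, ast.literal_eval for the
    single-quoted pseudo-JSON the unsafe builder emits."""
    try:
        return json.loads(query_text)
    except ValueError:
        return ast.literal_eval(query_text)


def query_keys(query_text):
    """Top-level keys of a decoded query; a third key means the client was
    able to change the structure of the query, not just a value."""
    return sorted(decode_query(query_text))


# Constructed input: a value that closes the quoted string and appends a
# key/value pair of its own.
TAMPERED = "x', 'extra': 'y"

if __name__ == "__main__":
    print("unsafe:", query_keys(build_login_query_unsafe("will@localhost", TAMPERED)))
    print("safe:  ", query_keys(build_login_query_safe("will@localhost", TAMPERED)))
```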


PHP's Superglobals

•  PHP automatically converts superglobal values to multidimensional arrays
     –  $_POST – for working with HTTP POST data
     –  $_GET – for working with HTTP GET data

•  This is very handy when working with web forms
     –  <input type="text" name="person[name]" value="">
     –  Can be referenced via $_POST['person']['name']

•  PHP also uses arrays to represent MongoDB documents
     –  $user = array(
            'email' => 'will@localhost',
            'password' => 'mmmfrenchtoast',
            'date_created' => '2012-06-15'
         );

PHP's Superglobals

•  Adversaries can weaponize superglobals by inserting MongoDB comparison operators in HTTP GET or POST keys
     –  forgot_password.php?email=will@localhost&security_question[$ne]=1

     –  Array (
            "email" => "will@localhost",
            "security_question" => array("$ne" => 1)
         );

•  Kudos to Bryan Sullivan @ Adobe for identifying and reporting this
     http://blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even-Less-Security.pdf

Javascript Injection (SSJI)

•  Native Javascript support
     –  Supports Map/Reduce functionality
     –  Compensates for a lack of native SQL functions
        ›  Batch processing of collections
        ›  Aggregation

•  Persistent or passed via client

•  MongoDB and CouchDB application architectures
     –  db.eval()
     –  $where
     –  Temporary views




Mitigating Injection Attacks

•  Use safe string / JSON operations
     –  Escape input
     –  Avoid string concatenation when building queries
     –  Use native JSON-like objects when available

•  Be careful when utilizing GET and POST variables
     –  Check for use of $operators
     –  Validate strings do not contain JSON

•  Validate document schemas before writing to the database

•  Identify and sanitize Javascript in application inputs
     –  Check for server-side Javascript injection on IPS/WAF, if applicable

•  Ensure your defense in depth strategy is looking for these attacks
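An added Python example (not from the talk) covering the PHP superglobals slides and the mitigation list above: it reproduces PHP's name[sub] parameter handling in simplified form, then applies the "check for $operators" and "validate strings do not contain JSON" checks before a query is built. Function names and the two sample query strings are constructed for this example.

```python
import json
import re
from urllib.parse import parse_qsl

# One level of PHP-style bracket syntax: name[sub]
_BRACKET = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def parse_php_params(query_string):
    """Mimic what PHP does when it fills $_GET/$_POST: a parameter named
    name[sub] becomes a nested array (a dict here). Simplified to a single
    level of nesting; values stay strings, as in PHP, so
    security_question[$ne]=1 yields {"security_question": {"$ne": "1"}}."""
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        match = _BRACKET.match(name)
        if match:
            outer, inner = match.groups()
            params.setdefault(outer, {})[inner] = value
        else:
            params[name] = value
    return params


def find_operator_keys(value, path=""):
    """Walk a decoded parameter tree and report every key beginning with '$'
    (MongoDB operators such as $ne, $gt, $regex, $where) with its path."""
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if key.startswith("$"):
                found.append(here)
            found.extend(find_operator_keys(child, here))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            found.extend(find_operator_keys(child, f"{path}[{index}]"))
    return found


def contains_json(text):
    """True when a supposedly scalar string actually decodes to a JSON object
    or array (the slide's 'validate strings do not contain JSON')."""
    stripped = text.strip()
    if not stripped.startswith(("{", "[")):
        return False
    try:
        json.loads(stripped)
    except ValueError:
        return False
    return True


def build_safe_query(params, expected_keys):
    """Produce the dict that would be handed to the driver: only expected
    keys, every value a plain string, no operator keys anywhere, no JSON in
    values. Raises ValueError otherwise so the request can be rejected and
    logged."""
    operators = find_operator_keys(params)
    if operators:
        raise ValueError("operator keys in request: " + ", ".join(operators))
    query = {}
    for key in expected_keys:
        value = params.get(key)
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a plain string")
        if contains_json(value):
            raise ValueError(f"{key} contains JSON")
        query[key] = value
    return query


def request_is_rejected(query_string, expected_keys):
    """Convenience wrapper: True when the request would be refused."""
    try:
        build_safe_query(parse_php_params(query_string), expected_keys)
    except ValueError:
        return True
    return False


# Constructed requests: the slide's forgot_password example and a benign one.
TAMPERED_QS = "email=will@localhost&security_question[$ne]=1"
BENIGN_QS = "email=will@localhost&security_question=blue"

if __name__ == "__main__":
    for qs in (TAMPERED_QS, BENIGN_QS):
        print(qs, "->", parse_php_params(qs),
              "rejected" if request_is_rejected(qs, ["email", "security_question"]) else "accepted")
```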



Authentication




Authentication

•  Authentication issues:
     –  Weak authentication methods
     –  Weak password storage methods
     –  Password bruteforcing opportunities

•  RDBMS
     –  Rich authentication support
     –  Account credentials are hashed when stored offline

Local-only security model

•  “When you start out fresh, CouchDB allows any request to be made by anyone. [..] Everybody has privileges to do anything. Neat.” [guide.couchdb.org]

•  “If there are no admin users, one may access the database from the localhost interface without authenticating.” [mongodb.org]

•  Limited security by default
     –  Localhost only
     –  Rapid development
     –  Ease of use

•  Growing pains
     –  Authentication methods don't always effectively scale beyond localhost

Weak authentication methods

1.  HTTP/RESTful authentication
2.  Non-HTTP/RESTful authentication

HTTP/RESTful authentication

•  HTTP BASIC, DIGEST or Cookie-based auth

•  May require a reverse proxy server
     –  Vulnerable to replay and MITM attacks
     –  Insecure if SSL/TLS/encryption is not implemented or compromised

Non-HTTP/RESTful solutions

•  Ideally would use a challenge-response authentication protocol
•  Should be resistant to replay attacks
•  Clear-text passwords should be avoided

Weak password storage methods

•  Passwords should never be stored in the clear
     –  Redis, CouchDB (some cases)

•  Passwords should be hashed or encrypted
     –  Preferably with a secure hashing algorithm
     –  MongoDB
        ›  MD5(username + ":mongo:" + password)
     –  CouchDB
        ›  Salt is a randomly generated 128-bit UUID
        ›  PW = "-hashed-" + SHA1(password + salt) + "," + salt

•  Access to password storage should be limited
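The two stored-password formats quoted on this slide, implemented as an added Python example (not from the talk or from either project's code), beside a salted, iterated scheme of the kind the slide's "secure hashing algorithm" points at. The hex rendering of the CouchDB salt and the pbkdf2 storage string format are assumptions.

```python
import hashlib
import hmac
import os
import uuid


def mongodb_legacy_digest(username, password):
    """MongoDB's scheme as quoted on the slide: MD5(username + ":mongo:" + password).
    There is no salt, so the same username and password always produce the
    same digest, on every deployment."""
    material = username + ":mongo:" + password
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def couchdb_password(password, salt=None):
    """CouchDB's scheme as quoted on the slide:
    "-hashed-" + SHA1(password + salt) + "," + salt, with a random 128-bit
    UUID as the salt. Rendering the UUID as 32 hex characters is an assumption."""
    if salt is None:
        salt = uuid.uuid4().hex
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return "-hashed-" + digest + "," + salt


def couchdb_verify(stored, password):
    """Recompute the stored value from the embedded salt and compare in
    constant time."""
    prefix = "-hashed-"
    if not stored.startswith(prefix) or "," not in stored:
        return False
    _, salt = stored[len(prefix):].split(",", 1)
    return hmac.compare_digest(couchdb_password(password, salt), stored)


def pbkdf2_password(password, salt=None, iterations=200_000):
    """A salted, iterated construction (PBKDF2-HMAC-SHA256 from the standard
    library): every guess costs the attacker the full iteration count and the
    per-user salt defeats precomputation. The "algo$iters$salt$digest"
    storage format is an assumption for this example."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored, password):
    """Parse the stored string, recompute with the same salt and iteration
    count, and compare in constant time."""
    try:
        algo, iterations, salt_hex, _ = stored.split("$", 3)
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    recomputed = pbkdf2_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Two accounts with the same password: the unsalted scheme is identical
    # for the same username, the salted schemes differ every time.
    print(mongodb_legacy_digest("will", "mmmfrenchtoast"))
    print(couchdb_password("mmmfrenchtoast"))
    print(couchdb_password("mmmfrenchtoast"))
    print(pbkdf2_password("mmmfrenchtoast"))
```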




Password bruteforcing

•  Online password bruteforcing
     –  Redis' AUTH commands are not rate limited or restricted in any way
     –  An attacker could repeatedly issue the AUTH command until the correct password was identified

Authentication

•  Authentication schemes vary widely depending on the NoSQL database being used

•  Native authentication schemes are relatively weak
     –  Replay attacks
     –  Password bruteforcing
     –  Information leakage

•  Pluggable authentication is generally not supported

Authorization




Authorization

•  Specifies access rights to resources and operations within the database

•  SQL's Data Control Language (DCL)
     –  GRANT, REVOKE

NoSQL Authorization

•  Architecture dependent
•  Per-database, not per-collection
•  Generally coarse-grained

Each architecture is different

•  No equivalent of SQL's DCL

•  Common authorization features:
     –  ADMIN role
     –  Differentiation between Read and Write
     –  Authorization not required until enabled

Inventive Solutions

•  Validation Functions

•  Role-based Access Control
     –  User roles
     –  Security groups

•  Command Renaming
     –  Authorization through obscurity




Confidentiality




Confidentiality

•  Protect data at rest and in transit

•  Confidentiality in transit
     –  SSL/TLS
     –  Mutually verifiable (key exchange)

•  Confidentiality at rest
     –  Integrated cryptographic functionality
     –  Ability to encrypt data in the database
     –  Easy access to hashing functions




NoSQL Confidentiality

•  In transit
     –  Some SSL support
     –  HTTP/REST-based solutions generally recommend use of HTTPS reverse proxies
     –  Non-REST based solutions recommend the use of stunnel, VPNs, or a transport-layer encryption technology

•  At rest

•  Third party applications exist to provide advanced authorization and confidentiality functionality to existing databases

Securing NoSQL




Securing NoSQL

•  Trusted operating environment
     –  Scoping
     –  Identifying ingress and egress

•  Compliance Issues
     –  PCI

•  Compensating Controls
     –  Architecture limitations




#1 Understand your solution

•  No two NoSQL solutions are the same
     –  Read the manual!

•  Understand the environment
     –  Define “trusted environment”
     –  Understand ingress/egress

•  Architecture
     –  Software
     –  Capabilities
     –  Controls

•  Defense in Depth

#2 Beware architecture creep

•  Additional architecture may be required
•  Increased TCO, deployment times
•  Identify these needs during development

#3 Always Validate

•  The NoSQL injection attack surface is diverse
     –  Schema, query, and Javascript injection attacks affect architectures differently.

•  Understand how these attacks can affect your application and NoSQL environment

•  Continue to validate for traditional (SQLi, XSS) and non-traditional injection (NoSQLi, SSJI) attacks.

#4 Work with Vendors

•  Dynamic projects; quick release cycles

•  If your NoSQL solution doesn't support the features you need, ask for them.

•  Several of the shortcomings we have discussed today are “on the roadmap”

Thank you!

I value your feedback

Twitter: @willurbanski

Picture Credits

•  14 – Red Bull
•  15 – Flickr.com / ActiveGuy98
•  22 – Flickr.com / John Kannenberg
•  22 – Flickr.com / Angelberries
•  34 – mysecuritysign.com
•  54 – Flickr.com / James Pullen

Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

NoSQL, no security?

  • 1. NoSQL, no security?
      Will Urbanski, Vulnerability Management, Dell SecureWorks
  • 2. What we will cover today
      §  Why look at NoSQL security?
      §  Relational Database attack vectors
      §  NoSQL attack vectors
      §  Securing NoSQL deployments
  • 3. Why look at NoSQL security?
  • 4. NoSQL is popular
      •  Scalability
      •  Redundancy
      •  Flexibility
      •  Rapid development / deployment
      •  Cost
  • 5. “Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.” [redis.io]
  • 6. “The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment, including all MongoDB components in a trusted environment” [mongodb.org]
  • 7. “When you start out fresh, CouchDB allows any request to be made by anyone. [..] it should be obvious that putting a default installation into the wild is adventurous. Any rogue client could come along and delete a database.” [guide.couchdb.org]
  • 8. Confidential
  • 9. Confidential
  • 10. Relational Databases (RDBMS)
      •  Relative Feature Parity
      •  Integrated Security Features
          –  Authorization
          –  Authentication
          –  Confidentiality
  • 11. RDBMS Attack Surfaces
      •  Software vulnerabilities
      •  Injection Attacks
      •  Credential brute forcing
          –  Offline storage
          –  Authentication protocols
      •  Privilege escalation
      •  Authorization weaknesses
          –  MITM
          –  Replay attacks
      •  Insecure configurations
  • 12. Does NoSQL mean “No Security”?
  • 13. Injection
  • 14. Injection Attacks
      •  Database diversity is increasing
          ›  Command-based queries
          ›  CQL
          ›  JSON
          ›  BSON
          ›  Javascript
          ›  Custom query languages
      •  Injection attack surface is increasing
          –  Query injection
          –  Schema injection
          –  Javascript injection
      •  Attack complexity is increasing
  • 15. Collections Tables Collections
  • 16. Schema Injection
      •  Allows an attacker to insert arbitrary key/value pairs into a document
          –  Attacker can also change the data type of a key
      •  Feasible when an application iterates POST values to create documents
  • 17. Schema Injection
      •  Schema injection can also be utilized to override existing fields.
          –  JSON object (replacement occurs in code)
          –  Query (replacement occurs on DB)
      •  Last key takes precedence over previous fields.
  • 18. Schema Injection
      •  If non user-specified attributes are included before POST is iterated, the client can inject or modify protected attributes.
      •  Think ‘HTTP Parameter Pollution’
  • 19. Schema Injection Mitigation
      •  RDBs mitigate this through the use of strongly typed tables.
      •  Key enforcement
          –  Whitelist POST data values that can be added to the document
              ›  ‘email’, ‘firstName’, ‘lastName’ should always be set via POST.
          –  Blacklist application-managed keys
              ›  ‘is_admin’ can never be set via POST.
      •  Replace or concatenate
          –  When using native JSON objects, add application-managed keys after adding user inputs.
          –  When using strings, always concatenate application-managed keys.
  • 20. Query Injection
      •  There are safe and unsafe ways to build JSON queries.
      •  The good news is…
          –  Most languages that have implemented JSON-like dictionaries as native objects implement them safely.
          –  dict = {'email': email, 'password': password}
      •  The bad news is…
          –  Strings still exist and can be abused to inject into queries on poorly written applications.
          –  dict = "{'email':'%s','password':'%s'}" % (email, password)
      •  Language-specific constructs can also be abused
          –  PHP’s superglobals
          –  String to JSON conversion
  • 21. PHP’s Superglobals
      •  PHP automatically converts superglobal values to multidimensional arrays
          –  $_POST – for working with HTTP POST data
          –  $_GET – for working with HTTP GET data
      •  This is very handy when working with web forms
          –  <input type="text" name="person[name]" value="">
          –  Can be referenced via $_POST['person']['name']
      •  PHP also uses arrays to represent MongoDB documents
          –  $user = array('email' => 'will@localhost', 'password' => 'mmmfrenchtoast', 'date_created' => '2012-06-15');
  • 22. PHP’s Superglobals
      •  Adversaries can weaponize superglobals by inserting MongoDB comparison operations in HTTP GET or POST keys
          –  forgot_password.php?email=will@localhost&security_question[$ne]=1
          –  Array ( "email" => "will@localhost", "security_question" => array("$ne" => 1) );
      •  Kudos to Bryan Sullivan @ Adobe for identifying and reporting this
          http://blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even-Less-Security.pdf
  • 23. Javascript Injection (SSJI)
      •  Native Javascript support
          –  Supports Map/Reduce functionality
          –  Compensates for a lack of native SQL functions
              ›  Batch processing of collections
              ›  Aggregation
      •  Persistent or passed via client
      •  MongoDB and CouchDB application architectures
          –  db.eval()
          –  $where
          –  Temporary views
  • 24. Mitigating Injection Attacks
      •  Use safe string / JSON operations
          –  Escape input
          –  Avoid string concatenation when building queries
          –  Use native JSON-like objects when available
      •  Be careful when utilizing GET and POST variables
          –  Check for use of $operators
          –  Validate strings do not contain JSON
      •  Validate document schemas before writing to the database
      •  Identify and sanitize Javascript in application inputs
          –  Check for server-side Javascript injection on IPS/WAF, if applicable
      •  Ensure your defense in depth strategy is looking for these attacks
  • 25. Authentication
  • 26. Authentication
      •  Authentication issues:
          –  Weak authentication methods
          –  Weak password storage methods
          –  Password bruteforcing opportunities
      •  RDBMS
          –  Rich authentication support
          –  Account credentials are hashed when stored offline
  • 27. Local-only security model
      •  “When you start out fresh, CouchDB allows any request to be made by anyone. [..] Everybody has privileges to do anything. Neat.” [guide.couchdb.org]
      •  “If there are no admin users, one may access the database from the localhost interface without authenticating.” [mongodb.org]
      •  Limited security by default
      •  Localhost only
      •  Rapid development
      •  Ease of use
      •  Growing pains
      •  Authentication methods don’t always effectively scale beyond localhost
  • 28. Weak authentication methods
      1.  HTTP/RESTful authentication
      2.  Non-HTTP/RESTful authentication
  • 29. HTTP/RESTful authentication
      •  HTTP BASIC, DIGEST or Cookie-based auth
      •  May require a reverse proxy server
          –  Vulnerable to replay and MITM attacks
          –  Insecure if SSL/TLS/encryption is not implemented or compromised
  • 30. Non-HTTP/RESTful solutions
      •  Ideally would use a challenge-response authentication protocol
      •  Should be resistant to replay attacks
      •  Clear-text passwords should be avoided
  • 31. Weak password storage methods
      •  Passwords should never be stored in the clear
          –  Redis, CouchDB (some cases)
      •  Passwords should be hashed or encrypted
          –  Preferably with a secure hashing algorithm
          –  MongoDB
              ›  MD5(username + ":mongo:" + password)
          –  CouchDB
              ›  Salt is a randomly generated 128-bit UUID
              ›  PW = "-hashed-" + SHA1(password + salt) + "," + salt
      •  Access to password storage should be limited
  • 32. Password bruteforcing
      •  Online password bruteforcing
          –  Redis’ AUTH commands are not rate limited or restricted in any way
          –  An attacker could repeatedly issue the AUTH command until the correct password was identified
  • 33. Authentication
      •  Authentication schemes vary widely depending on the NoSQL database being used
      •  Native authentication schemes are relatively weak
          –  Replay attacks
          –  Password bruteforcing
          –  Information leakage
      •  Pluggable authentication is generally not supported
  • 34. Authorization
  • 35. Authorization
      •  Specifies access rights to resources and operations within the database
      •  SQL’s Data Control Language (DCL)
          –  GRANT, REVOKE
  • 36. NoSQL Authorization
      •  Architecture dependent
      •  Per-database, not per-collection
      •  Generally coarse-grained
  • 37. Each architecture is different
      •  No corollary for SQL’s DCL
      •  Common authorization features:
          –  ADMIN role
          –  Differentiation between Read and Write
          –  Authorization not required until enabled
  • 38. Inventive Solutions
      •  Validation Functions
      •  Role-based Access Control
          –  User roles
          –  Security groups
      •  Command Renaming
          –  Authorization through obscurity
  • 39. Confidentiality
  • 40. Confidentiality
      •  Protect data at rest and in transit
      •  Confidentiality in transit
          –  SSL/TLS
          –  Mutually verifiable (key exchange)
      •  Confidentiality at rest
          –  Integrated cryptographic functionality
          –  Ability to encrypt data in the database
          –  Easy access to hashing functions
  • 41. NoSQL Confidentiality
      •  In transit
          –  Some SSL support
          –  HTTP/REST-based solutions generally recommend use of HTTPS reverse proxies
          –  Non-REST based solutions recommend the use of stunnel, VPNs, or a transport-layer encryption technology
      •  At rest
      •  Third party applications exist to provide advanced authorization and confidentiality functionality to existing databases
  • 42. Securing NoSQL
  • 43. Securing NoSQL
      •  Trusted operating environment
          –  Scoping
          –  Identifying ingress and egress
      •  Compliance Issues
          –  PCI
      •  Compensating Controls
          –  Architecture limitations
  • 44. #1 Understand your solution
      •  No two NoSQL solutions are the same
          –  Read the manual!
      •  Understand the environment
          –  Define “trusted environment”
          –  Understand ingress/egress
      •  Architecture
          –  Software
          –  Capabilities
          –  Controls
      •  Defense in Depth
  • 45. #2 Beware architecture creep
      •  Additional architecture may be required
      •  Increased TCO, deployment times
      •  Identify these needs during development
  • 46. #3 Always Validate
      •  The NoSQL injection attack surface is diverse
          –  Schema, query, and javascript injection attacks affect architectures differently.
      •  Understand how these attacks can affect your application and NoSQL environment
      •  Continue to validate for traditional (SQLi, XSS) and non-traditional injection (NoSQLi, SSJI) attacks.
  • 47. #4 Work with Vendors
      •  Dynamic projects; quick release cycles
      •  If your NoSQL solution doesn't support the features you need, ask for them.
      •  Several of the shortcomings we have discussed today are “on the roadmap”
  • 48. Thank you! I value your feedback. Twitter: @willurbanski
  • 49. Picture Credits
      •  14 – Red Bull
      •  15 – Flickr.com / ActiveGuy98
      •  22 – Flickr.com / John Kannenberg
      •  22 – Flickr.com / Angelberries
      •  34 – mysecuritysign.com
      •  54 – Flickr.com / James Pullen
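
The `security_question[$ne]=1` request on slide 22 becomes an operator because PHP expands bracketed parameter names into nested arrays; the following added example (not code from the talk) models that expansion and runs the two request checks slide 24 lists, operator keys and JSON inside string values, over constructed sample query strings. The parser is an approximation of PHP's behaviour sufficient for the demonstration, and the sample requests are constructed, not captured traffic.

```python
"""Operator-injection checks for PHP-style request parameters.

Added example, not code from the talk. It models the way PHP's $_GET/$_POST
expand bracketed names (a[b]=1 -> array("a" => array("b" => "1"))), which is
what turns slide 22's security_question[$ne]=1 into a MongoDB comparison
operator, then applies the two request checks from slide 24: flag keys that
begin with '$' and flag string values that parse as JSON.
"""
import json
import re
from urllib.parse import parse_qsl

# Constructed sample query strings (not taken from any real application).
SAMPLE_QUERY_STRINGS = [
    "email=will@localhost&security_question=blue",         # benign
    "email=will@localhost&security_question[$ne]=1",       # slide 22 case
    "person[name]=Will&person[$where]=1",                  # nested operator key
    "email=%7B%22%24gt%22%3A%20%22%22%7D&password=x",      # {"$gt": ""} as a value
]

_BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def php_style_parse(query_string: str) -> dict:
    """Expand a[b][c]=v into nested dicts the way PHP superglobals do.

    Approximation for this demonstration: a repeated key keeps the last value,
    the 'last key takes precedence' behaviour slide 17 describes.
    """
    result: dict = {}
    for raw_key, value in parse_qsl(query_string, keep_blank_values=True):
        head, _, tail = raw_key.partition("[")
        path = [head] + (_BRACKET_RE.findall("[" + tail) if tail else [])
        node = result
        for part in path[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[path[-1]] = value
    return result


def looks_like_json(value) -> bool:
    """True when a string value parses as a JSON object or array."""
    if not isinstance(value, str):
        return False
    stripped = value.strip()
    if not stripped.startswith(("{", "[")):
        return False
    try:
        return isinstance(json.loads(stripped), (dict, list))
    except ValueError:
        return False


def _leaves(node, path=()):
    """Yield (path, scalar) pairs for every leaf of the parsed structure."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, path + (key,))
    else:
        yield path, node


def inspect_request(query_string: str) -> list:
    """Return findings for one request; an empty list means it passed both checks."""
    findings = []
    for path, value in _leaves(php_style_parse(query_string)):
        dotted = ".".join(path)
        if any(part.startswith("$") for part in path):
            findings.append(f"operator key: {dotted}")
        if looks_like_json(value):
            findings.append(f"json in value: {dotted}")
    return findings


if __name__ == "__main__":
    for qs in SAMPLE_QUERY_STRINGS:
        print(qs, "->", inspect_request(qs) or "ok")
```

The same checks belong at the IPS/WAF layer slide 24 mentions and in the application itself, since a value that is a dict rather than a string should never reach the query builder.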

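The two storage formats slide 31 names, implemented as the slide describes them in an added example that is not code from the talk or from either database project; the credential values are constructed. It shows the property behind the slide's ranking: the MongoDB digest has no per-user random salt, so the same credential always stores identically, while each CouchDB record carries its own salt.

```python
"""Password storage formats from slide 31, implemented as the slide states them.

Added example, not code from the talk or from MongoDB/CouchDB. Demonstrates
why an unsalted digest stores identically everywhere (and so can be
precomputed for offline credential brute forcing, slide 11) while a salted
record for the same password differs each time it is generated.
"""
import hashlib
import hmac
import uuid
from typing import Optional

COUCHDB_PREFIX = "-hashed-"


def mongodb_cr_digest(username: str, password: str) -> str:
    """Slide 31: MD5(username + ":mongo:" + password), hex encoded. No random salt."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def couchdb_hashed(password: str, salt: Optional[str] = None) -> str:
    """Slide 31: salt is a random 128-bit UUID; stored value is
    "-hashed-" + SHA1(password + salt) + "," + salt."""
    if salt is None:
        salt = uuid.uuid4().hex
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    return f"{COUCHDB_PREFIX}{digest},{salt}"


def couchdb_verify(stored: str, password: str) -> bool:
    """Check a password against a stored "-hashed-" record.

    Anything not in that format (for example a cleartext password, the case
    slide 31 flags for Redis and some CouchDB setups) fails closed. The
    comparison is constant-time so the check itself does not leak the digest.
    """
    if not stored.startswith(COUCHDB_PREFIX) or "," not in stored:
        return False
    _, salt = stored[len(COUCHDB_PREFIX):].split(",", 1)
    return hmac.compare_digest(couchdb_hashed(password, salt), stored)


def storage_comparison(username: str, password: str) -> dict:
    """Store the same credential twice under each scheme and report whether the
    stored values repeat. A repeating unsalted digest lets an attacker with a
    copy of the credential store reuse precomputed tables; per-record salts
    remove that shortcut, although SHA1 itself is still a fast hash."""
    mongo_pair = (mongodb_cr_digest(username, password),
                  mongodb_cr_digest(username, password))
    couch_pair = (couchdb_hashed(password), couchdb_hashed(password))
    return {
        "mongodb_digest_repeats": mongo_pair[0] == mongo_pair[1],
        "couchdb_record_repeats": couch_pair[0] == couch_pair[1],
        "couchdb_both_verify": all(couchdb_verify(rec, password) for rec in couch_pair),
    }


if __name__ == "__main__":
    # Constructed credential reusing slide 21's example user; not real data.
    print(storage_comparison("will@localhost", "mmmfrenchtoast"))
```
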
Editor's Notes

  1. So what are the implications of schema injection? Well, for starters, there can be performance implications for the database. We can also do fun things like apply different data types to different keys in different rows. So our password in document #1 can be a string, while our password in document #2 could be an integer. Again, normally these constraints would be enforced by an application, but since they aren’t, an attacker may be able to use this to their advantage, perhaps to bypass a login mechanism.
     To mitigate these attacks in a NoSQL environment we need to ensure that only valid keys are explicitly allowed into the database. Additional, unnecessary keys should be blocked or dropped. This is not an issue in the SQL world because the strongly typed table environment prevents any additional schemas from being added, and what benefit could you gain from creating extra, unused tables?
     And here’s the scary part: a lot of frameworks are already advocating or implementing code that simply iterates over the POST data. This is a Bad Idea™. From a penetration tester’s perspective, this is a gold mine.
  2. 10k passwords on a VM, in about 30 seconds. ~1,000,000 passwords in a little under an hour.
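
Slides 16 through 19 and editor's note 1 describe schema injection and its fix; the following added example (not the talk's code) puts the vulnerable pattern, iterating POST values into a document whose protected keys were set first, beside a builder that allowlists keys, enforces each value's type, drops everything else and sets application-managed keys last. The sign-up fields, their types and the submitted values are assumptions constructed for the example.

```python
"""Schema injection and its mitigation, slides 16-19 and editor's note 1.

Added example, not code from the talk. Field names, types and the form are
assumptions. The unsafe builder copies every POST pair after setting the
protected keys, so the client's keys win (slide 17: last key takes precedence).
The safe builder admits only allowlisted keys of the expected type, drops the
rest, and writes application-managed keys after user input.
"""
from typing import List, Tuple

# Constructed form submission (not from a real application). The client adds
# two keys the form never offered, trying to override protected attributes.
POSTED = {
    "email": "will@localhost",
    "firstName": "Will",
    "lastName": "Urbanski",
    "password": "mmmfrenchtoast",
    "is_admin": True,              # application-managed key, injected (slide 19)
    "date_created": "1970-01-01",  # application-managed key, overridden
}

# Slide 19: whitelist of POST keys, each with the type its value must have.
# Editor's note 1: a password must stay a string and never become an integer.
USER_FIELDS = {"email": str, "firstName": str, "lastName": str, "password": str}


class SchemaViolation(ValueError):
    """Raised when a submission does not match the expected document schema."""


def build_document_unsafe(post: dict, now: str) -> dict:
    """Slides 16-18: set protected keys first, then copy every POST pair.
    The client's is_admin and date_created silently replace ours."""
    doc = {"is_admin": False, "date_created": now}
    for key, value in post.items():
        doc[key] = value
    return doc


def build_document_safe(post: dict, now: str) -> Tuple[dict, List[str]]:
    """Slide 19: only allowlisted keys of the right type enter the document;
    other keys are dropped and returned so the caller can log them; the
    application-managed keys are added after user input (replace, never
    concatenate), so the client cannot override them."""
    doc = {}
    for key, expected in USER_FIELDS.items():
        if key not in post:
            raise SchemaViolation(f"missing required field: {key}")
        value = post[key]
        if type(value) is not expected:   # rejects int, bool and {"$ne": ..} dicts
            raise SchemaViolation(f"{key} must be {expected.__name__}")
        doc[key] = value
    dropped = sorted(key for key in post if key not in USER_FIELDS)
    doc["is_admin"] = False          # blacklisted for POST (slide 19)
    doc["date_created"] = now
    return doc, dropped


def is_accepted(post: dict, now: str = "2012-06-15") -> bool:
    """Pass/fail wrapper around build_document_safe for callers and tests."""
    try:
        build_document_safe(post, now)
    except SchemaViolation:
        return False
    return True


if __name__ == "__main__":
    print("unsafe:", build_document_unsafe(POSTED, "2012-06-15"))
    print("safe:  ", build_document_safe(POSTED, "2012-06-15"))
    print("password as int accepted?", is_accepted({**POSTED, "password": 12345}))
```
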