NoSQL, no security?

Presented at AppSec USA 2012, Oct. 26, 2012, 1 p.m. (45 minutes)

Serving as a scalable alternative to traditional relational databases (RDBs), NoSQL databases have exploded in popularity. NoSQL databases offer more efficient ways to work with large datasets, but serious security issues need to be addressed. Most NoSQL databases can't authenticate and authorize clients, and can't provide role-based access controls or encryption. Because these controls do not exist, developers and administrators are forced to implement their own controls to compensate for these shortcomings. These compensating controls could become a problem for organizations that have compliance considerations and could make maintaining NoSQL more complex than simply deploying an enterprise relational database that features built-in security. Because many NoSQL architectures lack encryption and authentication, an attacker could eavesdrop on the client-server communication and obtain private data. Additionally, NoSQL databases can suffer from a variety of injection attacks via JavaScript and JSON. Traditional SQL injection countermeasures are not effective against these attacks, so developers must be aware of these threats and write code that attackers can't penetrate. In this presentation we'll talk about how RDB security features and threats apply to NoSQL databases. We'll also explore the security controls that are present in NoSQL architectures, and cover administrative, compliance and regulatory concerns associated with operating NoSQL architectures in environments that contain sensitive data.
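The abstract's point that SQL injection countermeasures don't transfer to NoSQL is easiest to see with JSON operator injection, where the malicious input is a structure rather than a string, so quote-escaping never sees anything to escape. The following is an added illustration, not material from the talk: it models a document-store login query with a deliberately tiny in-memory matcher (an assumption standing in for a real engine such as MongoDB, whose operator semantics are far richer), shows how a naive handler that passes a parsed JSON body straight into the query accepts `{"$gt": ""}` in place of a password, and places two defensive checks beside it: a type guard on the expected fields, and a generic scan that rejects operator keys anywhere in untrusted input. The user records are constructed sample data.

```javascript
// Constructed sample data standing in for a users collection (not real credentials).
const USERS = [
  { username: "alice", password: "correct horse battery staple" },
  { username: "bob", password: "hunter2" },
];

// Minimal model of how a document store evaluates one query clause.
// Assumption: simplified semantics covering only a few operators; real
// engines support many more, which is exactly why input shape matters.
function clauseMatches(value, cond) {
  if (cond !== null && typeof cond === "object") {
    // An object in clause position is interpreted as an operator expression.
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$gt": return value > arg;
        case "$ne": return value !== arg;
        case "$eq": return value === arg;
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return value === cond; // scalar: plain equality
}

function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => clauseMatches(doc[field], cond))
  );
}

// Vulnerable pattern: the parsed JSON request body is dropped straight into
// the query. A body parser turns {"password": {"$gt": ""}} into a nested
// object, and any non-empty string compares greater than "", so the
// password clause matches every user.
function loginUnsafe(body) {
  const hits = find(USERS, { username: body.username, password: body.password });
  return hits.length > 0 ? hits[0].username : null;
}

// Hardened pattern 1: enforce the types the handler expects before the
// value ever reaches the query builder. Operator objects are not strings.
function loginTyped(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null; // reject; a good place to log a probable injection attempt
  }
  const hits = find(USERS, { username: body.username, password: body.password });
  return hits.length > 0 ? hits[0].username : null;
}

// Hardened pattern 2: generic guard for untrusted JSON when no typed schema
// is available. Keys beginning with "$" select operators and keys containing
// "." select nested paths, so neither should appear in user-supplied data.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperatorKey(v)
    );
  }
  return false;
}

// Stand-alone demonstration of the three behaviours.
const injected = JSON.parse('{"username":"alice","password":{"$gt":""}}');
console.log("unsafe handler, injected body  ->", loginUnsafe(injected));   // "alice"
console.log("typed handler, injected body   ->", loginTyped(injected));    // null
console.log("operator key present           ->", containsOperatorKey(injected)); // true
```

Detection-wise, the same guard is useful at the edge: a request body whose string-valued fields arrive as objects, or whose keys start with `$`, is worth an alert on its own, regardless of whether the query it fed was exploitable.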

Presenters:

  • Will Urbanski
    Will Urbanski is a security researcher who tracks vulnerability and malware trends. He has experience in both research and security operations in enterprise and higher education environments. Will is the co-author of a patent for an IPv6 moving target defense. He has more than eight years of experience in Information Security and has written articles for numerous journals, including IEEE Security & Privacy. Will holds a Bachelor of Science in Computer Science from the University of Georgia. He is certified as a GIAC Penetration Tester, a GIAC Web Application Penetration Tester, and a GIAC Exploit Researcher and Developer.
