(Im)proper Database Authentication

Presented at BSidesLV 2019, Aug. 7, 2019, noon (25 minutes)

Most databases worth mentioning include authentication and authorization capabilities.

However, devils emerge in the details when edge cases of these capabilities are investigated.

We'll see that popular databases (e.g. MySQL, PostgreSQL, Cassandra, MongoDB …) can have unexpected and sometimes unintended auth behavior.

This includes a fresh authentication vulnerability.

Ideal auth behaviors, with regard to security, will be reviewed.

Then we'll demo how popular databases stack up against them.

Attendees will walk away knowing which auth properties to look for when including a database in their tech stack.

Presenters:

• Mitch Wasson
  Mitch Wasson is currently working as a software engineer on Cisco's Advanced Malware Protection (AMP) for Endpoints data engineering team. Aside from merging bugs into master, he creates detection platforms and middleware that support millions of endpoints. Mitch also holds a master's degree in computer engineering from the University of Toronto. Outside of tech, he enjoys most winter sports - like skiing in the Canadian Rockies.