NoSQL - No Security? - The BSides Edition
Speaker notes

  • Slide outline: what Big Data is and why it is distinct from average-sized data; what NoSQL actually is; why the issue of NoSQL security should be important to developers; NoSQL attack vectors; how to secure NoSQL deployments.
  • Buzzword.
  • Traditional relational solutions are not appropriate for this magnitude of data.
  • The attacker compromises a user of the application using CSRF; the user's browser executes the command on the DB on the attacker's behalf.
  • Post junk data into the database. Post script data into the database to give yourself access to more. Full control, bypassing the firewall, as you are using a trusted client.

Transcript

  • 1. NoSQL – No Security? A way to lose even more stuff. Gavin Holt (@GavinHolt)
  • 2. What we will cover today: What is Big Data? What is NoSQL? Why NoSQL security is an issue. NoSQL vulnerabilities. Securing NoSQL installations.
  • 3. What is Big Data? Datasets that are so large or complex that they are difficult to process using traditional database processing applications.
  • 4. 2.5 quintillion bytes (1 followed by 18 zeros): data being generated every day (IBM).
  • 5. 2.5 petabytes (1,048,576 gigabytes): the total size of Walmart's transaction database (The Economist).
  • 6. 40 terabytes per second: data generated by experiments on the LHC at CERN (The Economist).
  • 7. 72 hours per minute: video uploaded to YouTube (Google Inc.).
  • 8. That is a lot of data! Try running any of them in MS Access.
  • 9. What is NoSQL?“Not Only SQL”
  • 10. Umbrella term: a type of system, not a product.
  • 11. Not the Traditional Relational Model
  • 12. Generally don’t use tables
  • 13. Optimised for appends and retrieves. Do very little other than record storage.
  • 14. Highly scalable and very quick. This is all about speed and size.
  • 15. Why use NoSQL? Why the Big Data/NoSQL hype?
  • 16. Eventual consistency. Delays in writing across nodes slow down your application.
  • 17. A user updates a social network. The social network uses a load balancer.
  • 18. Writes don't propagate immediately. Data is now inconsistent.
  • 19. Reading stale data. Users are now being served old data from nodes that haven't been updated.
  • 20. A more serious example. Data needs to be propagated quickly, and NoSQL allows for that. Diagram from Adobe Security Labs.
  • 21. NoSQL vulnerabilities. How do these compare to traditional databases?
  • 22. The developer, by laziness or ignorance.
  • 23. Little to no authentication: "trusted environments".
  • 24. NoSQL Injection
  • 25. Helpful isn't always useful: flattening associative arrays. PHP turns a bracketed parameter such as passwd[$ne]=1 into an associative array, and the MongoDB driver passes that array through to the server as a query operator.
  • 26. MongoDB example, legitimate login: http://example.com/login.php?username=admin&passwd=mysuperpassword
  • 27. MongoDB example, injected login: http://example.com/login.php?username=admin&passwd[$ne]=1
  • 29. MongoDB example: the MySQL query and its NoSQL equivalent side by side.
  • 31. Server Side Javascript Injection
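Slides 31 to 36 were images, so their content is not in this transcript. The following added example (not from the talk) shows the classic form of server-side JavaScript injection in MongoDB, which is assumed here to be the case the slides illustrated: a `$where` clause assembled by string concatenation, beside the structured filter that removes the problem. `runWhere` is a stand-in for the server evaluating `$where` with `this` bound to each document, and the two account records are constructed.

```javascript
// Added example (not from the talk): server-side JavaScript injection through a
// MongoDB $where clause built by string concatenation, next to the structured
// filter that removes the problem.

// Constructed records standing in for the users collection.
const accounts = [
  { username: 'admin', role: 'admin' },
  { username: 'alice', role: 'user' },
];

// Vulnerable: the user-controlled value is spliced into JavaScript source that
// the database server will evaluate once per document.
function buildWhereVulnerable(username) {
  return "this.username == '" + username + "'";
}

// Stand-in for the server evaluating $where with `this` bound to each document.
// Assumption: a plain Function is a faithful enough model of the expression's truthiness.
function runWhere(collection, whereSource) {
  const predicate = new Function('return (' + whereSource + ');');
  return collection.filter((doc) => Boolean(predicate.call(doc)));
}

// Hardened: express the same lookup as a structured equality filter. The value
// is data, never code, so quotes and operators inside it have no effect.
function buildFilterSafe(username) {
  if (typeof username !== 'string') throw new TypeError('username must be a string');
  return { username };
}

// Equality-only evaluation of a structured filter, the shape the driver sends.
function runFilter(collection, filter) {
  return collection.filter((doc) => Object.keys(filter).every((k) => doc[k] === filter[k]));
}

// Closes the quoted string and appends an always-true clause.
const payload = "' || '1'=='1";

console.log(runWhere(accounts, buildWhereVulnerable('admin')).map((u) => u.username)); // [ 'admin' ]
console.log(runWhere(accounts, buildWhereVulnerable(payload)).map((u) => u.username)); // [ 'admin', 'alice' ]: every document matches
console.log(runFilter(accounts, buildFilterSafe(payload)).map((u) => u.username));     // []
```

Anything that reaches `$where` is code, so escaping individual quotes is not a fix; the lookup has to be expressed as a filter document instead. Where nothing legitimately needs server-side JavaScript (`$where`, `mapReduce`), MongoDB lets you turn it off with `security.javascriptEnabled: false` in mongod.conf (or the `--noscripting` option), which closes this class of injection regardless of what the application does.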
  • 37. Example of an attack
  • 38. CSRF can be used to bypass firewalls. Diagram from Adobe Security Labs.
  • 39. POST is all an attacker needs: inserting data; inserting script data; executing any REST command from inside the firewall.
  • 40. Securing NoSQL. One does not simply secure NoSQL </meme>
  • 41. Sanitize inputs. Don't trust users (or other systems!).
  • 42. Be in control of your query building. Don't simply concatenate user input.
  • 43. Check how your solution works. Read the manual.
  • 44. All other SQL best practice applies. These aren't different attack vectors – just new.
  • 45. Questions? Twitter: @GavinHolt. LinkedIn: http://uk.linkedin.com/in/gavinholt/. Email: gavin@gavin-holt.com. Around all day; grab me for a chat.