�ݺ�ߣ

NoSQL �C No
Security?
A way to lose even more stuff
Gavin Holt (@GavinHolt)

What we will cover today
What is Big Data?
What is NoSQL?
Why NoSQL Security is an issue
NoSQL Vulnerabilities
Securing NoSQL Installations

What is Big Data?
Datasets that are so large or complex that they are
difficult to process using traditional database
processing applications

2.5 quintillion bytes
(1followed by 18 zeros)
Data being generated every
day (IBM)

2.5 Petabytes
(1048576Gigabytes)
The total size of Walmarts
transaction database (The
Economist)

40 Terabytes per second
Data generated by
experiments on the LHC at
CERN
(The Economist)

72 Hours per Minute
Video uploaded to YouTube
(Google Inc.)

That is a lot of data!
Try running any of them in MS
Access

What is NoSQL?
��Not Only SQL��

Umbrella Term
Type of System �C Not a
Product

Not the Traditional Relational Model

Generally don��t use tables

Optimised for appends and retrieves
Do very little other than record
storage

Highly Scalable & Very Quick
This is all about speed and
size

Why use NoSQL?
Why the Big Data/NoSQL Hype?

Eventual Consistency
Delays in writing across nodes
slow down your application

User Updates Social Network
Social Network uses a load balancer

Writes don��t propagate immediately
Data is now inconsistent

Reading Stale Data
Users now being served old data from nodes that haven��t been updated

Amore serious example
Data needs to be propagated quickly �C NoSQL allows for that
Diagram from Adobe Security Labs

NoSQL Vulnerabilities
How do these compare to traditional databases?

The Developer
By Laziness or Ignorance

Little to no Authentication
��Trusted Environments��

Helpful isn��t always useful
Flattening associative arrays

MongoDB Example
http://example.com/login.php?username=admin&passwd=mysuperpassword

MongoDB Example
http://example.com/login.php?username=admin&passwd[$ne]=1

Server Side Javascript Injection

CSFR can be used to bypass firewalls
Diagram from Adobe Security Labs

POST is all an Attacker needs
Inserting Data
Inserting Script Data
Execute any REST command from inside the firewall

Securing NoSQL
One does not simply secure NoSQL </meme>

Sanitize Inputs
Don��t trust users (or other
systems!)

Be in control of your query building
Don��t simply concatenate user
input

Check how your solution works
Read the manual

All other SQL Best Practice
These aren��t different attack
vectors �C just new

Questions?
Twitter: @GavinHolt
LinkedIn: http://uk.linkedin.com/in/gavinholt/
Email: gavin@gavin-holt.com
Around all day �C Grab me for a chat.

NoSQL - No Security? - The BSides Edition