Friday, September 25, 2020
dbametrix

    NoSQL Security Vulnerabilities

    This article explains in detail the security challenges of NoSQL databases and how to find vulnerabilities.

    Security Vulnerabilities and Security challenges of NoSQL Database:

    Given the wide variety of NoSQL databases, it is necessary to pay attention to the generic weaknesses of these models and then apply the necessary measures in each particular implementation. Compared with relational databases, the security concerns can be summarized in the following areas:

    Authentication:

    Authentication strength is one of the areas where many NoSQL implementations show weakness. It is common to find NoSQL databases that ship with default credentials, or with authentication not required or disabled (for example, Redis). In many cases they rely on a trusted environment rather than on user authentication. Whatever the software, this is always a fundamental point to check.

    Data integrity:


    Because these systems follow a philosophy in which availability and performance prevail, data integrity is penalized. For this reason, it is frequently necessary to use complementary mechanisms outside the database engine to ensure integrity.

    Confidentiality and encryption in storage:

    In general, data is stored in plain text and, with few exceptions such as Cassandra and its Transparent Data Encryption technology, there are no built-in encryption mechanisms. In most cases, it is still necessary to delegate encryption to processes at the application layer or to the file system itself.

    Data audit:

    Most NoSQL databases lack robust data auditing mechanisms of their own. These mechanisms are very important for detecting possible attacks by observing events on specific records, as is done in relational databases.

    Communications security:

    The use of encryption and the SSL protocol is common in relational databases. In NoSQL systems, on the other hand, it is generally disabled by default, is optional (for example, Cassandra), or requires specific configuration at installation (MongoDB).

    Classic database vulnerabilities: Even more injection:


    Finally, command injection remains one of the most widely exploited weaknesses. In NoSQL databases, requests and calls are executed by invoking the corresponding API, formatted according to a common convention, usually JSON or XML. At this point, incorrect checking of input parameters can allow command execution when they are evaluated and handled in the corresponding API call. The injection possibilities and risks, when using an API with a procedural programming language, are even greater than in relational databases, where the typically declarative and much more limited SQL language is used. NoSQL injection and JavaScript code are new vectors that broaden the attack surface of these databases.
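The input check described above, as an added example that is not code from the original article: a MongoDB-style filter built from a JSON request body, first unchecked and then with type validation. The field names (`user`, `token`), the function names and the sample request bodies are assumptions constructed for illustration.

```javascript
// Added example: MongoDB-style filter built from a JSON request body.
// Field names (user, token) and all function names are assumptions.

// Unchecked: parsed JSON values are copied straight into the filter, so a
// value that is an object is read by the database as query operators.
function buildFilterUnsafe(body) {
  return { user: body.user, token: body.token };
}

// Recursively flag keys that the database would treat as an operator or a
// path: keys starting with "$" (includes $where) or containing ".".
function hasOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) =>
    k.startsWith('$') || k.includes('.') || hasOperatorKeys(v));
}

// Hardened: only plain, bounded strings are accepted before the filter is built.
function buildFilterSafe(body) {
  for (const field of ['user', 'token']) {
    const v = body[field];
    if (typeof v !== 'string' || v.length === 0 || v.length > 256) {
      throw new TypeError(`${field} must be a non-empty string`);
    }
  }
  return { user: body.user, token: body.token };
}

// Constructed request bodies, as they would arrive from JSON.parse().
const benign = JSON.parse('{"user":"alice","token":"s3cret"}');
const tampered = JSON.parse('{"user":"alice","token":{"$ne":null}}');

// Report whether an operator reached the unchecked filter and whether the
// hardened builder accepted the same body.
function check(body) {
  const unsafe = buildFilterUnsafe(body);
  let safe = null;
  try { safe = buildFilterSafe(body); } catch (e) { /* rejected */ }
  return {
    operatorReachedFilter: hasOperatorKeys(unsafe),
    acceptedBySafe: safe !== null,
  };
}

console.log(check(benign));
console.log(check(tampered));
```

`hasOperatorKeys` can also be run over any filter just before it is passed to the driver, as a last-line check for request-derived operators.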

    NoSQL is increasingly present in current database technologies and faces great challenges in dealing with security problems; sooner or later its security must be reinforced.


    1 COMMENT

    1. Maybe more vulnerabilities will be found in the near future. I do not think any private telecom company prefers to switch to NoSQL. This is my thought. Anyway, thanks for sharing a nice, detailed article.
