Threats to NoSQL Databases
Security in NoSQL databases has historically been weak: authentication and encryption were often absent by default, or weak where they were implemented at all. The following are security issues commonly associated with NoSQL databases:
- Authentication is not enabled by default, and no administrative user exists until one is created; an unconfigured instance on a reachable interface accepts any connection.
- Weak password storage in older releases (for example, MongoDB's legacy MONGODB-CR challenge-response mechanism was MD5-based).
- Client-to-server traffic is plaintext unless TLS is explicitly configured (MongoDB).
- Limited or no integration with external authentication systems such as LDAP or Kerberos (these are authentication services, not encryption tools).
- Weak or absent authentication between cluster nodes as well as between clients and servers.
- Injection attacks: the NoSQL equivalent of SQL injection, where query operators or server-side JavaScript are smuggled in through unsanitised input (for example MongoDB query operators such as $ne or $where supplied inside a JSON request body).
- Denial of service, for instance through resource-exhausting queries against an unauthenticated instance.
- Data at rest is unencrypted: data files have no native encryption, and where an at-rest encryption option exists it may be an add-on that is not production-ready.
Securing NoSQL databases
NoSQL data stores are exposed to essentially the same classes of security risk as traditional RDBMS data stores, so the usual best practices for storing sensitive data should be applied when developing a NoSQL-based application. These include:
- Encrypting sensitive database fields;
- Keeping decrypted (plaintext) values only in a tightly controlled, sandboxed environment, never in the shared data store;
- Validating and type-checking all input before it reaches a query, rather than passing a parsed request body straight into a filter;
- Applying strong user authentication policies.
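The injection risk and the input-validation control listed above, shown as an added example (this is not code from the original page). It models a Node.js login handler that builds a MongoDB-style filter from a JSON request body. So that it runs offline, a constructed in-memory user list and a small evaluator for a subset of MongoDB filter operators ($ne, $gt, $regex) stand in for a real driver; the `loginVulnerable` and `loginHardened` functions and the attacker payloads are assumptions for illustration.

```javascript
// Added example (not from the original page): NoSQL operator injection in a
// MongoDB-style login query, with a hardened version beside it.

// Constructed sample collection. Plaintext passwords appear here only so the
// filter semantics are visible; a real application stores password hashes.
const users = [
  { username: "alice", password: "s3cret", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// Minimal in-memory evaluator for a subset of MongoDB filter operators so the
// example runs without a database. A real driver sends the filter to the
// server, which interprets these operators the same way.
function matchesField(value, condition) {
  const isOperatorObject =
    condition !== null && typeof condition === "object" && !Array.isArray(condition);
  if (!isOperatorObject) {
    return value === condition; // plain equality match
  }
  return Object.entries(condition).every(([op, arg]) => {
    switch (op) {
      case "$ne":
        return value !== arg;
      case "$gt":
        return value > arg;
      case "$regex":
        return new RegExp(arg).test(String(value));
      default:
        throw new Error(`unsupported operator in example evaluator: ${op}`);
    }
  });
}

// Return every document for which all filter fields match.
function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => matchesField(doc[field], cond))
  );
}

// VULNERABLE: the parsed JSON body is placed directly into the filter, so an
// attacker who sends objects instead of strings controls the query operators.
function loginVulnerable(body) {
  return find(users, { username: body.username, password: body.password });
}

// HARDENED: require both fields to be scalar strings before building the
// filter. Operator objects, arrays, numbers and missing fields are rejected.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return [];
  }
  return find(users, { username: body.username, password: body.password });
}

// Constructed attacker payloads, as they would arrive after JSON parsing of a
// request body (e.g. express.json()). Neither contains a valid password.
const bypassAll = { username: { $ne: null }, password: { $ne: null } };
const guessAdmin = { username: "alice", password: { $regex: "^s3" } };

console.log(loginVulnerable(bypassAll).map((u) => u.username).join(",")); // alice,bob
console.log(loginVulnerable(guessAdmin).map((u) => u.username).join(",")); // alice
console.log(loginHardened(bypassAll).length); // 0
console.log(loginHardened({ username: "alice", password: "s3cret" }).length); // 1
```

The `$ne` payload logs the attacker in as the first user returned, and the `$regex` payload lets the password be recovered one prefix at a time, because the driver sends the attacker's objects to the server as operators. Type enforcement is the primary control; stripping `$`-prefixed keys from input is a useful defence in depth. Independently of injection, passwords should be verified by fetching the user by username and comparing a hash in application code, not by matching the password inside the query.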
Securing the Database against SQL Injection
SQL injection is a type of injection attack. Injection attacks occur when maliciously crafted inputs are submitted by an attacker, causing an application to perform an unintended action. Because of the ubiquity of SQL databases, SQL injection is one of the most common types of attack on the internet.
Risks of SQL Injection:
- Extract sensitive information, such as Social Security numbers or credit card details.
- Enumerate the authentication details of users registered on a website, so these logins can be used in attacks on other sites.
- Delete data or drop tables, corrupting the database, and making the website unusable.
- Inject further malicious code to be executed when users visit the site.
Of course, it would be ideal if there were an accepted standard for authentication, authorisation and encryption in the yet-to-mature NoSQL space. Until such a consensus is reached, the most practical approach is to enforce security in the middleware layer rather than relying on the cluster alone, since most middleware stacks come with ready-made support for authentication, authorisation and access control. Middleware controls do not protect a data store that is itself reachable from the network, so the cluster should still be bound to private interfaces, firewalled, and run with authentication enabled. For example, if Java is being used, then JAAS, Oracle Corp
Embedded slides: https://startuppitamah.com/wp-content/uploads/2019/12/Blackhat-europe-09-Damele-SQLInjection-slides.pdf