NoSQL Means No Security?

A presentation at BSides Stuttgart, Quellenstraße 7a, 70376 Stuttgart, Germany, by Philipp Krenn

New systems are always interesting targets, since their security model has not had time to mature yet. NoSQL databases are no exception and have had some bad press about their security, but what does their protection actually look like? We will take a look at three widely used systems and their unique approaches:

  • MongoDB: Widely criticized for publicly accessible databases and a common victim of ransomware. It actually provides an elaborate authentication and authorization system, which we will cover from a historic perspective, with an emphasis on the current state.
  • Redis: Security through obscurity, or how you can rename commands. It also features a unique tradeoff for binding to publicly accessible interfaces.
  • Elasticsearch: Groovy scripting has been a constant headache, but the new, custom-built scripting language Painless tries to take the pain away, literally.
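To make the Redis point concrete, here is an added redis.conf fragment (not from the talk or the Redis project) that puts the weak, internet-exposed settings next to the hardened ones. The directive names are real Redis configuration directives; the interface address and the password value are placeholders chosen for illustration.

```conf
# --- Weak: the setup behind most "open Redis" findings ---
# Listens on every interface, disables protected mode and sets no password,
# so anyone who can reach TCP/6379 has full control of the instance.
bind 0.0.0.0
protected-mode no
# requirepass is not set

# --- Hardened ---
# Only listen where clients actually are (loopback here; use the internal
# interface address, e.g. 10.0.0.5, if other hosts need access).
bind 127.0.0.1

# Protected mode is the binding tradeoff the talk refers to: when it is on and
# neither a bind address nor a password is configured, Redis only accepts
# connections from loopback, so a forgotten bind line does not expose the
# instance. Keep it on even when bind and requirepass are set.
protected-mode yes

# Require a password for every connection (placeholder value, use a long
# random string in practice).
requirepass change-me-to-a-long-random-string

# Renaming commands is the "security through obscurity" part: an empty name
# removes the command entirely, an unguessable name keeps it for administrators.
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
rename-command CONFIG "cfg-9f2a7c1e4b"
```

A renamed command is still executable by anyone who learns the new name, and tools that rely on the original name (Sentinel issuing CONFIG REWRITE, for example) break silently, so renaming complements the bind and password settings rather than replacing them. After changing the file, restart the instance and confirm from another host that the port is no longer reachable.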

