NoSQL, No Security? – Will Urbanski

Title: NoSQL, No Security?

Abstract

Serving as a scalable alternative to traditional relational databases (RDBs), NoSQL databases have exploded in popularity. NoSQL databases offer more efficient ways to work with large datasets, but serious security issues need to be addressed.
NoSQL databases can suffer from a variety of injection attacks. Most NoSQL databases can’t authenticate and authorize clients, and can’t provide role-based access controls or encryption. Because these controls do not exist, developers and administrators are forced to implement their own controls to compensate for these shortcomings. These compensating controls could become a problem for organizations that have compliance considerations and could make maintaining NoSQL more complex than simply deploying an enterprise relational database that features built-in security.
Because many NoSQL architectures lack encryption and authentication, an attacker could eavesdrop on the client-server communication and obtain private data. Additionally, NoSQL databases can suffer from a variety of injection attacks via JavaScript and JSON. Traditional SQL injection countermeasures are not effective against these attacks, so developers must be aware of these threats and write code that attackers can’t penetrate.
In this presentation we’ll talk about how RDB security features and threats apply to NoSQL databases. We’ll also explore the security controls that are present in NoSQL architectures, and cover administrative, compliance and regulatory concerns associated with operating NoSQL architectures in environments that contain sensitive data.

*****
Speaker: Will Urbanski, Dell SecureWorks

Will Urbanski, vulnerability engineer, Dell SecureWorks, guides large enterprises in initiating and administering vulnerability management programs within their corporate environments. Will also conducts penetration and vulnerability validation tests. An information security professional with more than seven years of industry experience, Will has been published in numerous journals, including IEEE Security & Privacy, and has co-authored a patent for an IPv6 moving target defense.

Previously, Will worked in research and in security operations roles at Virginia Polytechnic Institute and the University of Georgia. He holds a B.S. in Computer Science from the University of Georgia, and is certified as a PCI Approved Scanning Vendor, a GIAC Penetration Tester and a GIAC Web Application Penetration Tester.

*****
Date: Friday October 26, 2012 1:00pm – 1:45pm
Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel, Checkmarx Room
Track: Architecture
