Tuesday, January 17, 2012

Does NoSQL Mean No Security?

"We think the lack of security around NoSQL is going to take a toll on organizations," says Amichai Shulman, co-founder and CTO of Imperva.

"We'll see a lot more organizations starting or going into deployment of NoSQL in the next year and we believe what they are going to find out after they put the data there is that there are some security issues they should have considered."

An alternative to the traditional relational database, NoSQL systems do not use the SQL language for queries and are schema-less systems that allow users to change data attributes on the fly.

These databases are known to scale well and offer performance advantages in transactional situations where a large amount of application users need to interact with the database in real-time, says James Phillips, co-founder and senior vice president of products for Couchbase, a NoSQL platform firm.

One of the big issues is that very few users know how to implement these systems.

"Because practically everyone is new to NoSQL, the first thing they care about is to make it work," Shulman says. "And then don't touch it and we'll talk about security in two years or so."


One of the most likely attacks is the kind of injection attack that runs rampant in the relational database world. The fact that NoSQL doesn't use SQL as a query language doesn't mean it isn't subject to injection attacks, they warn.

"People say you can't do SQL injection but the principles are exactly the same, you just have to change the syntax of what you put in the form," Rothacker says. "Instead of SQL injection you have JavaScript injection or JSON injection."
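An added illustration of that point, not from the article or any vendor: a login filter built straight from a decoded JSON body, the same builder with a type check, and a small check that flags operator-style keys. Field names, the request shape and the operator key are assumptions; no database driver is involved, the filter objects are inspected directly.

```javascript
// Unsafe: the decoded JSON body is spliced straight into the query filter, so a
// value that is an object rather than a string becomes a query operator instead
// of a literal to compare against. Field names are assumptions for this example.
function unsafeLoginFilter(body) {
  return { user: body.user, password: body.password };
}

// Hardened: every field that must be a literal is checked to be a string before
// it reaches the query layer. A TypeError here is what an HTTP handler would
// turn into a 400 response.
function safeLoginFilter(body) {
  const { user, password } = body;
  if (typeof user !== "string" || typeof password !== "string") {
    throw new TypeError("login fields must be strings");
  }
  return { user, password };
}

// Last-line check (also usable as a detection rule over request logs): does any
// key at any nesting depth of the filter look like a query operator ("$...")?
function containsOperator(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || containsOperator(v)
  );
}

// Constructed request bodies for the demonstration (no real traffic).
const normalBody = JSON.parse('{"user":"alice","password":"s3cret"}');
const injectedBody = JSON.parse('{"user":"alice","password":{"$ne":""}}');

// The unsafe builder silently turns the second body into "password is not
// empty"; the hardened builder refuses it before any query is issued.
function demo() {
  let safeRejectsInjected = false;
  try {
    safeLoginFilter(injectedBody);
  } catch (e) {
    safeRejectsInjected = e instanceof TypeError;
  }
  return {
    unsafeNormalHasOperator: containsOperator(unsafeLoginFilter(normalBody)),
    unsafeInjectedHasOperator: containsOperator(unsafeLoginFilter(injectedBody)),
    safeRejectsInjected,
  };
}
```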

And hackers are likely sharpening their claws in anticipation of attacking these databases. The unfortunate reality about securing immature technology is that it doesn't take nearly as much ramp up time to learn how to break a system as it does to learn how to secure it.

"So I think that hackers are going to be much faster into this than those in charge of deployments," Shulman says. "Unfortunately it is easier to break things than to create them in a robust way and we've already seen some vulnerabilities published about NoSQL technology, in particular one attack vector that is being discussed is JSON injections."

However, that shouldn't stop businesses from using NoSQL, he says.

"I think that the decision is ultimately a business decision and if there is a business opportunity that can only be pursued using these new technologies then the business must take the risk," Shulman says. "But there are steps that can be taken to try and mitigate that risk."

source: sqlservercentral.com