5

Hopefully this isn't too broad.

I've got little experience with NoSQL databases, but I know that they are rising in popularity. As a developer that is extremely concerned with security, I'm wondering, in general, what the pros and cons are from a security perspective when it comes to using NoSQL databases.

For example, are they safe in general? Are they vulnerable to the same types of attacks that are a threat to traditional Relational databases? Are there new vulnerabilities associated with them that someone like me - with only relational DB experience - might never have heard of? And are there best practices/recommendations for NoSQL databases like those you can easily find for relational databases?

Luc
  • 31,973
  • 8
  • 71
  • 135
David Stratton
  • 2,646
  • 2
  • 20
  • 36
  • Great question! I edited the title from "non-relational" to "NoSQL". In your post you mentioned NoSQL specifically, but non-relational can also mean something like [Spanner](http://en.wikipedia.org/wiki/Spanner_(database)) or perhaps something that I don't know of. I assumed the change was okay, just revert my changes if it's not! Note that there is also a [NoSQL tag](http://security.stackexchange.com/questions/tagged/nosql). The questions tagged NoSQL seem to be specifically about MongoDB, so I think your question is not a duplicate. – Luc Jan 01 '13 at 20:08
  • I don't know. Now that I looked at the questions with that tag, it seems pretty close to http://security.stackexchange.com/questions/7610/how-to-secure-a-mongodb-instance The first answer certainly helps answer my question. I'll leave it up to the rest of the community to decide if my question should be closed as a dupe. – David Stratton Jan 01 '13 at 21:19

2 Answers2

2

NoSQL is vulnerable the same way SQL databases or LDAP databases are vulnerable like. When a language is used to program an application and you interface to a database, you will need to put information into the database.

The danger with any of the products is that a user can include code instead of information. This is not dependent on the type of database or language used.

When you get user-input you need to make sure that you sanitize it to prevent code inclusion from happening. The problem with NoSQL databases is that often there are not yet or not deeply enough tested API's for your language available. This means that you will need to write it yourself. This is dangerous as there might always be something you look over the head. I want to refer you to OWASP - Insecure Direct Object References

I know there have been concerns about, for instance MongoDB, on the standard authentication mechanism that is being used towards the database itself. This is more an issue of not exposing your database itself to untrusted sources directly. For instance this is as if you would allow a user of your website to directly connect to your MySQL database. While this may still have a great impact, the likelihood of getting your database compromised like this is low and does not depend on your webapplication.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
2

In general from what I've seen problems with NoSQL databases are somewhat different to standard SQL, generally as a result of their focus.

First up is that in general many NoSQL databases lack a lot of security features (e.g. fine grained authentication/authorisation). The websites of the products themselves will actually say that they are only designed to be accessed from "trusted environments" (e.g. redis, and mongodb).

How important their limitations are, would likely depend on what you want to use them for. So a standard web application may be ok (only one level of access needed and you can retrict access at an IP level to just the webserver), but a system designed for multiple users with different privileges to directly access the database would be problematic.

Secondly (and I accept this point could be seen as a bit FUD'y) there's maturity of the codebase. These products are all relatively new and have grown up quite quickly, so I'd expect that there has been less scrutiny on them from a security standpoint compared to engines like Oracle DBMS or MS SQL. Whilst both those DBs have had a lot of problems in the past, more recently (especially in the case of MS-SQL) they've had a pretty good security record.

The flip-side of this is that the codebases are a lot smaller and the products much simpler so there's less functionality to attack. Also as (AFAIK) they lack features like the ability to execute operating systems commands, there's potentially a lower impact of compromise than you might see with the big relational DBMS' which have huge ranges of functions available.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217