March 30, 2013 at 11:49 am
Comments posted to this topic are about the item NoSQL: Are you ready to compromise with security
Best wishes,
Phil Factor
March 30, 2013 at 12:06 pm
The general conclusion "NoSQL is insecure" which the author is trying to make hardly follows from the mentioned facts.
They say a concrete product, MongoDB, has alarming security flaws? That might be true.
But does it mean EVERY NoSQL database is insecure in principle and by design? No, it doesn't.
March 31, 2013 at 3:10 am
I'm sorry if I gave the impression of saying that all NoSQL products are insecure, or even that it is a general case. NoSQL is a very broad marketing category for a diverse range of products. The article I quoted at the start had a rather provocative title, but only evaluated two products, and gave, by implication, the idea that this was a general case. Some 'NoSQL' products have full transactionality and some have a high standard of security.
What I was trying to say was that, if you are having to select a database for a particular use, it would be wise to check that it actually has those features of security and data integrity that are important for the company you work for, or the users of your application. You can't just assume that they are there. There has been no technical breakthrough to doing all that hard boring stuff
Best wishes,
Phil Factor
April 1, 2013 at 7:08 am
Interesting editorial.
I recall working someplace where physical security was thought to be an adequate means of hardening our servers to attack. That is, only authorized users could gain entry into a locked Server room. Of course, anyone outside of management knew that this was false because of the fact that the Servers were connected to a network.
That was a VERY long time ago, but does indicate how poor security can be simply by "securing everything around" a Server or Database. Many lessons have been learned since a locked server room was thought to be "enough".
Better to have multiple layers of security that have to be traversed rather than putting all your eggs in a single basket (Happy Easter! No Fooling).
Regards, Irish
April 3, 2013 at 8:29 am
You don't necessarily have to set tcp / udp ports up to be publically accessible, for that matter if you care about your internet'in, you could have a box set to specifically answer clients coming from the public net, and do the heavy lifting elsewhere. Anybody not completely sure of their internet facing machines and what ports are in use needs to go back and check this aspect of their setup, end of story. Title would be better phrased as "internet server administrators should do their homework."
For your single box installations, you could possibly do something along these lines, or maybe just rent space on wordpress dot com 😉
http://stackoverflow.com/questions/4961177/how-to-listen-only-to-localhost-on-mongodb
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply