[Owasp-boston] Wed meeting description

Jim Weiler jim.weiler at owasp.org
Mon Sep 30 16:33:13 UTC 2013


Abusing NoSQL Databases
Ming Chow, Lecturer, Tufts University Department of Computer Science

The days of selecting from a few SQL database options for an application
are over. There is now a plethora of NoSQL database options to choose from:
some are better than others for certain jobs. There are good reasons why
developers are choosing them over traditional SQL databases including
performance, scalability, and ease-of-use. Unfortunately, as with many hot
technologies, security is largely an afterthought in NoSQL databases. This
short but concise presentation will illustrate how poor the quality of
security in many NoSQL database systems is. This presentation will not be
confined to one particular NoSQL database system. Two sets of security
issues will be discussed: those that affect all NoSQL database systems such
as defaults, authentication, encryption; and those that affect specific
NoSQL database systems such as MongoDB and CouchDB. The ideas that we now
have a complicated heterogeneous problem and that defense-in-depth is even
more necessary will be stressed. There is a common misconception that SQL
injection attacks are eliminated by using a NoSQL database system. While
specifically SQL injection is largely eliminated, injection attack vectors
have increased thanks to JavaScript and the flexibility of NoSQL databases.
This presentation will present and demo new classes of injection attacks.
Attendees should be familiar with JavaScript and JSON.
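The "flexibility of NoSQL databases" mentioned in the abstract is the point a defender most needs to see concretely: a document-store filter accepts either a plain value (equality) or an object of operator keys (a comparison), so when a JSON request body is spliced into a query as-is, the caller rather than the developer decides which of the two each field is. The example below is added here to illustrate that, and is not code from the talk or from the list post. The in-memory collection and the small matcher are constructed stand-ins for a real document store (they model only equality and `$gt`), and `loginUnsafe`, `loginSafe` and `rejectOperatorKeys` are hypothetical names chosen for the illustration.

```javascript
// Added illustration, not from the talk or the mailing-list post.
// Constructed sample documents standing in for a users collection.
const users = [
  { username: "alice", password: "correct horse" },
  { username: "bob", password: "battery staple" },
];

// Minimal matcher modelling how a document store interprets a filter value:
// a plain value means equality, an object with operator keys means a comparison.
function matchesValue(docValue, filterValue) {
  if (filterValue !== null && typeof filterValue === "object") {
    return Object.entries(filterValue).every(([op, arg]) => {
      if (op === "$gt") return docValue > arg;
      if (op === "$eq") return docValue === arg;
      throw new Error(`unsupported operator ${op}`);
    });
  }
  return docValue === filterValue;
}

// Returns every document whose fields satisfy all clauses of the filter.
function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, fv]) => matchesValue(doc[field], fv))
  );
}

// Vulnerable pattern: the parsed request body goes straight into the filter,
// so a field the developer meant as a string may arrive as an operator object
// and turn an equality check into a comparison that matches broadly.
function loginUnsafe(body) {
  return find(users, { username: body.username, password: body.password });
}

// Hardened pattern: each credential must be a string; any other JSON type
// (object, array, number, null) is rejected before a query is ever built.
function asString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function loginSafe(body) {
  const username = asString(body.username, "username");
  const password = asString(body.password, "password");
  return find(users, { username, password });
}

// Generic guard for endpoints that legitimately accept nested objects:
// refuse any key beginning with "$" at any depth of untrusted input.
function rejectOperatorKeys(value) {
  if (Array.isArray(value)) {
    value.forEach(rejectOperatorKeys);
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith("$")) throw new Error(`operator key not allowed: ${k}`);
      rejectOperatorKeys(v);
    }
  }
  return value;
}

// Side-by-side demonstration: the same non-string credential is accepted by
// the unsafe handler and refused by the typed one.
function demo() {
  const probe = { username: "alice", password: { $gt: "" } };
  const unsafeMatches = loginUnsafe(probe).length;
  let safeRejected = false;
  try {
    loginSafe(probe);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  return { unsafeMatches, safeRejected };
}
```

The typed check in `loginSafe` is the cheap, specific fix for credential fields; `rejectOperatorKeys` is the broader guard for request bodies that must carry nested structure. Both belong on the server side of the boundary, since client-side JSON shape is exactly what an attacker controls, which is why the abstract's emphasis on defense-in-depth applies here.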

*Ming Chow* (@tufts_cs_mchow) is a Lecturer at the Tufts University
Department of Computer Science. His areas of work are in web and mobile
engineering and web security. He teaches courses largely in the
undergraduate curriculum including the second course in the major sequence,
Web Programming, Music Apps on the iPad, and Introduction to Computer
Security. He was also a web application developer for ten years at Harvard
University. Ming has spoken at numerous organizations and conferences
including the High Technology Crime Investigation Association - New England
Chapter (HTCIA-NE), the Massachusetts Office of the Attorney General (AGO),
John Hancock, OWASP, InfoSec World (2011 and 2012), DEF CON 19 (2011), the
Design Automation Conference (2011), Intel, and the SOURCE Conference
(Boston 2013). Ming's projects in information security include building
numerous CTF challenges, Internet investigations, HTML5 and JavaScript
security, and Android forensics.