Earlier this month Michael A. Davis wrote for Information Week that NoSQL equals “no security,” echoing Alex Popescu’s musing last month that for many NoSQL projects, security is an after thought.

According to Davis: “In our InformationWeek 2012 Big Data Survey of business technology professionals managing a minimum of 10 TB of data, we asked about a dozen management priorities. Robust security came in eighth, selected by just 17% of respondents.” Davis finds this particularly scary since financial transactions were respondents primary big data need.

Davis focuses on the security short comings of MongoDB, such as the lack of SSL in anything but the commercial version, and concludes:

So, yes, the NoSQL world has gone mad, and that’s because the big data show is being run by developers, not architects or even system administrators. These developers clearly don’t realize that 14% of all breaches last year were caused by compromised database servers.

It’s a classic DevOps problem: the things developers are concerned with are not always inline with operations staff’s concerns because developers have typically not had to worry as much about these issues.

As I’ve written before I don’t think the problem is unique to NoSQL – it’s a an issue that all open source projects and startups need to consider. For example, although Davis praises Web application development frameworks like Ruby on Rails for their built in security features, it was a Rails security gotcha that lead to that serious Github SNAFU earlier this year. Davis has a number of tactical suggestions, but there remains a big cultural divide that needs to be bridged between developers and operational security. In the case of Rails, it wasn’t an unknown security flaw that allowed Egor Homokov to commit code to a project he wasn’t authorized to – it was a well known design decision that had been routinely ignored by the Rails team.

My suggestions:

1) AppSec experts should be brought into a project as early as possible.
2) More developers should spend their time becoming AppSec experts instead spending it developing me-too flavor of the week apps.

There is a good news on this front though – the top comment the Hacker News thread by on Davis’ post comes from Zephyr Pellerin, creator of the very new NoSQL database Artifact. Pellerin pokes some holes in the tactics Davis suggests and notes that because NoSQL databases use safe query strings they have a big security advantage over MySQL databases. Davis has a response to Pellerin’s comment that’s worth reading as well. But most importantly, Pellerin is a vulnerability researcher who building a new open source project from the ground up. That’s refreshing.

Photo by Anonymous Account