Ignoring app security for Big Data doesn’t make the problem go away.
In Part #1 of this series, I talked about the need for third party monitoring and control for Big Data deployments and why security professionals shouldn’t be surprised or alarmed that security isn’t built in.
But something security professionals should be alarmed by is a common misconception about the threat profile of operational Big Data applications. What I mean here is applications with web front ends (just like “regular” web apps), but with some sort of NoSQL back end like MongoDB or Cassandra or whatever. More than a few times, I’ve had smart IT people say “We don’t need a WAF for this application because it’s a NoSQL database and you can’t do SQL injection on NoSQL.” This misconception is both shocking to me and potentially very dangerous. If anything, I would be MORE concerned about the security risk to such an application than a vanilla old Web + transactional RDBMS.
First, SQL Injection, while one of the worst and most common web application threats, is far from the only thing to worry about. Unsafe object references (i.e. extracting from the data repository information based on an identifier that can be easily guessed), OS command injection and remote file inclusion are just a few of the vulnerabilities that affect any web application regardless of the back end data technology. Such vulnerabilities allow an attacker to obtain control of the web application server and abuse its connectivity to the back-end NoSQL repository for pilfering huge piles of sensitive business data.
Second, other types of injection besides SQL injection have essentially the same risk profile for NoSQL as SQL injection does for RDBMS. Actually, better stated, the same potential impact, but the risk profile is probably worse since NoSQL technologies as application back-ends are a still recently new to the Internet and there is no telling what type of injection they are vulnerable to and there is certainly less experience among programmers regarding how to securely connect applications to them. In this scenario, virtual patching becomes a crucial capability and that means WAF.
So, don’t fall prey to this misconception. Application security is a critical component for any online application regardless of whether the back end data store is Big or not.