Attacking and Defending NoSQL

One of the first  paper on NoSQL security. Its  a great presentation  by Bryan Sullivan at the RSA conference, it introduces the main security issue of the NoSQL solutions such as:

  • NoSQL injection, just like SQL injection but manipulating the JSON string instead of the SQL query
  • Authentication is unsupported or discouraged  within NoSQL solution which is a big issue when combined with REST API
  • SSJS Injection aka Server-side JavaScript injection


RSA SecurID officially compromised

RSA Security is admitting being compromised and is about to replace *virtually* (1) every SecurID tokens: 40 million device. This is the result of the hacking, successful hacking of the company which occur early this year(in march).

The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt, this attack were based on data stolen from the RSA hack. Defense contractors Northrop Grumman and L-3 Communications are both rumored to have faced similar attacks, with claims that Northrop suspended all remote access to its network last week.

For the few hackers, holding the data from RSA, SecurID was rendered equivalent to basic password authentication ….

(1) “for virtually every customer we have,” the company’s Chairman Art Coviello said in an interview


The Wall Street Journal article