An injection attack occurs when a malicious user adds code to an input field in a
web form to directly control your database. For example, a SQL injection attack might
run a SQL query within a search field string to get a listing of all users of the system.
Protecting NoSQL systems is no different; all input fields that have public access, such
as search forms, should be filtered to remove invalid query strings before processing.
Each public interface must have filters that remove any invalid queries to your system.
Preventing these types of attacks isn't usually the job of your database. This kind of
task is the responsibility of your front-end application or firewall. But the libraries and
code samples for each database should have examples to show you how to prevent
these types of attacks.
This concludes our discussion on security requirements. Now we'll look at three
case studies: security in practice for one key-value store, one column family store, and
one document store.
11.3 Case Study: access controls on key-value store—Amazon S3
Amazon Simple Storage Service (S3) is a web-based service that lets you store your
data in the cloud. From time to time our customers ask, “Aren't you worried about
security in the cloud? How can you make sure your data is secure?”
Authentication mechanisms are important to make sure your data is secure from
unwanted access. Industries such as health insurance and government agencies, and
regulations such as HIPAA, require you to keep your customers' data private and
secure, or face repercussions.
In S3, data such as images, files, or documents (known as objects) is securely stored
in buckets, and only bucket/object owners are allowed access. In order to access an
object, you must use the Amazon API with the appropriate call and credentials to
retrieve an object.
To access an object, you must first build a signature string with the date, GET
request, bucket name, and object name (see the following listing).
Listing 11.2 XQuery code for creating a string to sign using your AWS credentials
let $nl := "&#10;" (: the newline character :)
let $date := aws-utils:http-date()
(: GET, then empty Content-MD5, Content-Type and Date lines, the x-amz-date header, the resource :)
let $string-to-sign := concat('GET', $nl, $nl, $nl, $nl,
    'x-amz-date:', $date, $nl, '/', $bucket, '/', $object)
Once the string to sign is built, it's signed with your S3 secret key: an HMAC using
SHA-1 is computed over the string with the secret key, and the result is base64-encoded,
as shown in the following listing.
Listing 11.3 XQuery for signing a string with AWS secret key and hmac()
let $signature := crypto:hmac($string-to-sign, $s3-secret-key,
    "SHA-1", "base64")
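The two listings above, redone in Python as an added example (not code from the book), together with the check the receiving side performs, which shows why changing the object name or the date invalidates the signature. The key id, secret key, bucket, object name, and date are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def string_to_sign(bucket, obj, amz_date):
    # Same layout as Listing 11.2: the verb, then three empty lines
    # (Content-MD5, Content-Type, Date), the x-amz-date header, the resource.
    return "GET\n\n\n\n" + "x-amz-date:" + amz_date + "\n" + "/" + bucket + "/" + obj


def sign(secret_key, to_sign):
    # Same operation as Listing 11.3: base64(HMAC-SHA1(secret key, string)).
    mac = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(access_key_id, signature):
    # Only the key id and the signature travel with the request,
    # never the secret key itself.
    return "AWS " + access_key_id + ":" + signature


def verify(secret_key, bucket, obj, amz_date, presented):
    # Receiving side: rebuild the string from the request as received,
    # recompute the MAC, and compare in constant time.
    expected = sign(secret_key, string_to_sign(bucket, obj, amz_date))
    return hmac.compare_digest(expected, presented)


# Constructed sample values, not real credentials.
KEY_ID = "EXAMPLEKEYID"
SECRET = "example-secret-key-not-real"
BUCKET, OBJ = "example-bucket", "reports/q1.pdf"
DATE = "Tue, 27 Mar 2007 19:36:42 GMT"
SIG = sign(SECRET, string_to_sign(BUCKET, OBJ, DATE))

if __name__ == "__main__":
    print("Authorization:", authorization_header(KEY_ID, SIG))
    print("original request valid:", verify(SECRET, BUCKET, OBJ, DATE, SIG))
    print("other object valid:    ", verify(SECRET, BUCKET, "reports/q2.pdf", DATE, SIG))
    print("other date valid:      ", verify(SECRET, BUCKET, OBJ, "Wed, 28 Mar 2007 19:36:42 GMT", SIG))
```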