
    Assessing the vulnerabilities and securing MongoDB and Cassandra databases

    Because of the growing volume and variety of data that must be stored, companies and organizations are rapidly adopting NoSQL databases to stay competitive. These databases were not designed with security as a priority: NoSQL open-source software was primarily developed to handle unstructured data for business intelligence and decision support. Over the years security features have been added, but they are not as robust as they should be, and there is room for improvement as attackers grow more sophisticated. Moreover, the schema-less design of these databases makes it harder to implement traditional RDBMS-style security controls. Two popular NoSQL databases are MongoDB and Apache Cassandra. Although there is a great deal of research on security vulnerabilities in NoSQL databases in general and on how to improve their security, this research focuses specifically on MongoDB and Cassandra. The study aims to identify and analyze the security vulnerabilities specific to MongoDB and Cassandra and to produce a step-by-step guide that helps organizations secure the data stored in them. This matters because the design and the vulnerabilities of each NoSQL database differ, so each requires security recommendations specific to it.
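    As an added illustration of the kind of hardening such a guide covers (these fragments are not the study's own recommendations), the weak settings for each database are shown beside the corrected ones. The bind address, file paths and the password placeholder are assumptions; the option names are the databases' documented configuration keys.

```yaml
# mongod.conf -- weak: no authorization (the default) and listening on every interface
# (MongoDB 3.6+ binds to localhost by default; 0.0.0.0 is the older default or an explicit override)
net:
  bindIp: 0.0.0.0
  port: 27017
# no security section: any client that can reach the port has full access
---
# mongod.conf -- hardened
security:
  authorization: enabled          # role-based access control; create the admin user first
net:
  bindIp: 127.0.0.1,10.0.0.5      # loopback plus the application network only (assumed address)
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
---
# cassandra.yaml -- weak: the shipped defaults
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
client_encryption_options:
  enabled: false
---
# cassandra.yaml -- hardened
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
client_encryption_options:
  enabled: true
  optional: false
  keystore: /etc/cassandra/keystore.jks        # assumed path
  keystore_password: <from-secret-store>
server_encryption_options:
  internode_encryption: all
```

    Two checks go with these settings: in MongoDB, create the first administrative user (through the localhost exception or before restarting with authorization enabled), otherwise nobody can log in; in Cassandra, switching to PasswordAuthenticator activates the built-in superuser named cassandra with password cassandra, which must be replaced immediately.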

    Review of performance of various Big Databases

    Relational databases have been the main model for data storage, retrieval and administration. A relational database is a table-based system; its drawbacks include limited scalability, significant data duplication, computationally costly table joins and difficulty in managing complex data. The main motivation for NoSQL is scalability: NoSQL data stores are widely used to store and retrieve potentially very large amounts of data. In this paper we assess four of the most popular NoSQL databases, including Cassandra, MongoDB, and CouchDB.

    An Analysis of Successful SQLIA for Future Evolutionary Prediction

    Web applications are a fundamental component of the internet, and many of them interact with backend databases. Securing web applications and their databases from attackers should be a top priority for cybersecurity researchers. Structured Query Language (SQL) injection attacks (SQLIA) constitute a significant threat to web applications: they can hijack backend databases to steal personally identifiable information (PII), initiate scams, or launch more sophisticated cyberattacks. SQLIA has evolved since its conception in the early 2000s and will continue to do so in the coming years. This paper analyzes past literature and successful SQLIA from specific time periods to identify the themes and methods used by security researchers and attackers. By extrapolating and interpreting the themes of both the literature and effective SQLIA, trends can be identified and a clearer picture of the future of SQL injection drawn, improving cybersecurity best practices.

    Evaluation of Web vulnerability scanners based on OWASP benchmark

    Web applications have become an integral part of everyday life, but many of them are deployed with critical vulnerabilities whose exploitation can have severe consequences. Web vulnerability scanners have been widely adopted to detect vulnerabilities in web applications by probing them from an attacker's perspective. However, studies have shown that scanners differ in how well they detect vulnerabilities, and the effectiveness of some has been called into question by the steady stream of attacks exploiting vulnerabilities that scanners missed. To evaluate scanner effectiveness, practitioners typically run the scanners against a benchmark web application with known vulnerabilities. This thesis first presents our results on the effectiveness of two popular web vulnerability scanners against the OWASP Benchmark, developed by OWASP (Open Web Application Security Project), a well-known non-profit web security organization. The two scanners chosen are OWASP Zed Attack Proxy (OWASP ZAP) and Arachni. Because there are many categories of web vulnerability and time did not permit evaluating all of them, four major categories were selected: Command Injection (CMDI), Cross-Site Scripting (XSS), Lightweight Directory Access Protocol (LDAP) Injection, and SQL Injection (SQLI). We also compare our OWASP Benchmark results with existing results from the Web Application Vulnerability Scanner Evaluation Project (WAVSEP) benchmark, another popular benchmark for scanner effectiveness; to our knowledge this is the first such comparison of the two benchmarks in the literature. The main results are:
    - Scanners perform differently in different vulnerability categories; no single scanner is an all-rounder for web vulnerability scanning.
    - The benchmarks also differ in how well they reflect scanner effectiveness per category, so results from several benchmarks should be combined when judging a scanner.
    - On scanner effectiveness, OWASP ZAP performs best in CMDI, SQLI, and XSS; Arachni performs best in LDAP injection.
    - On benchmark capability, the OWASP Benchmark outperforms the WAVSEP benchmark in all examined categories.

    Efficient Queries in MongoDB with Encrypted Fields

    In this thesis we present efficient techniques for inserting data into, and running queries against, a non-relational database while giving the user the option to protect selected fields of each inserted document. We worked on the Java driver of a non-relational database, specifically MongoDB, modifying some of its existing functions and adding our own so that field values are transformed before they reach the database. With these changes the driver supports inserting documents that contain protected ("encrypted") fields and lets the user run queries, including queries on those fields. Two modes are implemented: SHA-256 [1] and BCrypt [2]. Both are hash functions rather than reversible encryption: SHA-256 (the 256-bit Secure Hash Algorithm) applies multiple rounds of hashing, and BCrypt is also hash-based but is considered more secure because it adds a salt, a random value mixed in when the stored output is produced. The fields are processed with Spring's DigestUtils [3] for SHA-256 and BCryptPasswordEncoder [4] for BCrypt respectively. The main goal of the thesis is to measure the insertion and query performance of a NoSQL database whose documents contain such fields against the plain Java driver, which offers no field protection.
    First, the algorithm for efficiently inserting documents with SHA-256 applied to the requested fields is presented and analyzed. A key element of the implementation is that the user specifies exactly which fields should appear in the database in protected form. Next, the algorithm developed for efficient querying of documents that contain protected fields is analyzed; its implementation yields insertion and query times, with protected fields present, that compete with those of the existing Java driver. The algorithm supporting BCrypt is then presented; again the user chooses the fields to protect, and the most efficient query algorithm for this mode is shown together with the factors that distinguish it from the SHA-256 case. Finally, timing measurements are given for both simple queries and more complex ones, such as queries on embedded fields. Results are compared in two ways: between the two modes, SHA-256 and BCrypt, and between our approach and the existing insert, find and related methods of the Mongo driver library, which does not support queries on protected fields. The trade-offs of each case are analyzed throughout.
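    The query-time difference between the two modes comes down to determinism, and the example below (added here; it is not the thesis's modified Java driver) makes that concrete. It stands in for a MongoDB collection with an in-memory list of documents and for BCrypt with hashlib.pbkdf2_hmac plus a random per-value salt, since bcrypt is not in the Python standard library; the trade-off is the same for both, because a random salt means no digest can be precomputed from the query value. It also adds a keyed (HMAC) variant the thesis does not use, to show that determinism can be kept without leaving low-entropy fields open to offline guessing. The sample documents and the key are constructed for the demonstration.

```python
"""Equality queries on hashed fields: deterministic vs. salted digests."""
import hashlib
import hmac
import os


def sha256_field(value):
    """Unsalted SHA-256 (first mode): deterministic, so a query can recompute
    the digest and use an index, but anyone holding a copy of the collection
    can guess low-entropy values (SSNs, dates, names) offline."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_field(value, key):
    """Keyed digest (added alternative): still deterministic, so equality
    queries stay a single lookup, but offline guessing needs the server key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def salted_field(value, salt=None, rounds=20_000):
    """bcrypt-like mode: a fresh random salt per value, stored with the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def salted_matches(value, stored):
    """Verify one candidate value against one stored salted digest."""
    salt_hex, rounds, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def insert(collection, doc, protected, mode, key=b""):
    """Store a copy of doc with the user-chosen fields replaced by digests."""
    stored = dict(doc)
    for field in protected:
        if mode == "sha256":
            stored[field] = sha256_field(doc[field])
        elif mode == "hmac":
            stored[field] = hmac_field(doc[field], key)
        elif mode == "salted":
            stored[field] = salted_field(doc[field])
        else:
            raise ValueError(f"unknown mode {mode!r}")
    collection.append(stored)
    return stored


def find_by(collection, field, value, mode, key=b""):
    """Equality query on a protected field; returns the matching documents."""
    if mode in ("sha256", "hmac"):
        # Deterministic digest: compute the needle once; a real collection
        # would serve this from an index on the field.
        needle = sha256_field(value) if mode == "sha256" else hmac_field(value, key)
        return [d for d in collection if d.get(field) == needle]
    # Salted digest: nothing can be precomputed, so every candidate document
    # is re-derived with its own salt. This is a full scan and cannot use an
    # index, which is what makes the salted mode slower.
    return [d for d in collection if field in d and salted_matches(value, d[field])]


def dictionary_attack(collection, field, candidates):
    """Offline guessing against unsalted, unkeyed SHA-256 fields: hash each
    candidate once and match it against every document."""
    table = {sha256_field(c): c for c in candidates}
    return {d["_id"]: table[d[field]] for d in collection if d[field] in table}


# Constructed sample documents; "ssn" is the field the user chose to protect.
SAMPLE_DOCS = [
    {"_id": 1, "name": "alice", "ssn": "123-45-6789"},
    {"_id": 2, "name": "bob", "ssn": "987-65-4321"},
]

if __name__ == "__main__":
    for mode in ("sha256", "hmac", "salted"):
        col = []
        for doc in SAMPLE_DOCS:
            insert(col, doc, ["ssn"], mode, key=b"server-secret")
        hits = find_by(col, "ssn", "123-45-6789", mode, key=b"server-secret")
        guessed = dictionary_attack(col, "ssn", ["123-45-6789", "000-00-0000"])
        print(f"{mode:7} stored={col[0]['ssn'][:16]}... match={[d['_id'] for d in hits]} guessed={guessed}")
```

    Running it shows the three rows: SHA-256 and HMAC answer the equality query with one comparison per document, but only SHA-256 gives up the SSN to a dictionary of guesses; the salted mode resists guessing and produces a different digest for the same value on every insert, which is exactly why its query has to re-derive against each document.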

    A Mobile and web based application for security intelligence gathering - a case study of Nairobi County

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Mobile Telecommunications and Innovation at Strathmore University.
    The security situation in Kenya has deteriorated over time, partly because of the low number of police personnel in the country, currently at a police-to-population ratio of 1:1150. Security challenges have grown from simple theft to carjacking and to more serious and evolved threats such as murder and terrorism. The government's efforts to reduce these crimes have been ineffective because there are no mechanisms for gathering intelligence at the grassroots level, yet intelligence gathered from the public is essential in tackling insecurity. This research proposes a simple, convenient and efficient solution to the challenge of systematically gathering and analyzing such intelligence, using a mobile and web-based application. The mobile application integrates GPS location services and applies machine learning, using predictive models produced with a Multiclass Decision Forest algorithm, to provide detailed descriptive statistics, text-mining analysis of reported criminal activity, and prediction of crime patterns. The solution has an administrative web-based backend accessed by the police force to obtain detailed information on criminal activities. From this portal, tests were done by entering information about a suspicious person; the system returns the names of potential suspects associated with the submitted information, together with scores indicating the most likely match.

    A modern approach for Threat Modelling in agile environments: redesigning the process in a SaaS company

    Dealing with security has become a priority for companies in every sector. In the software industry, building in security requires being proactive and preventive by incorporating security requirements from the ideation and design of the product onward. Threat modelling has consistently proven to be one of the most effective and rewarding security activities for doing so, since it can uncover threats and vulnerabilities before they are introduced into the codebase. Numerous approaches to conducting the exercise have been proposed over time; however, most cannot be adopted in complex corporate environments with multiple development teams. This is clear from the case of Company Z, which introduced a well-documented process in 2019 but whose scalability, governance and knowledge issues blocked widespread adoption. The main goal of the thesis was to overcome these problems by designing a novel threat modelling approach that fits the company's Agile environment and closes the current gaps. The result is a complete description of the redefined workflow together with a structured set of suggestions. The solution is flexible enough to be adopted in many different contexts while meeting Company Z's requirements. Achieving this was possible only by analysing industry best practices and solutions, understanding the current process, identifying the pain points, and gathering feedback from stakeholders. Alongside the new threat modelling process, the proposal includes a comprehensive method for evaluating and verifying the effectiveness of the solution.

    The Construction of a Static Source Code Scanner Focused on SQL Injection Vulnerabilities in Java

    SQL injection attacks are a significant threat to web application security, allowing attackers to execute arbitrary SQL commands and gain unauthorized access to sensitive data. Static source code analysis is a widely used technique for identifying security vulnerabilities in software, including SQL injection. However, existing static scanners often produce false positives and require considerable expertise to use effectively. This thesis presents the design and implementation of a static source code scanner for SQL injection vulnerabilities in Java database queries. The scanner combines pattern matching with data flow analysis: it examines method calls, expressions, and variable declarations to find query strings built from untrusted input. To evaluate the scanner, malicious SQL was manually injected into queries to test its ability to detect the resulting vulnerabilities; the scanner identified a high percentage of them. Its limitations include the inability to account for input validation performed at runtime and its reliance on predefined patterns and heuristics. Despite these limitations, the scanner is a useful tool for junior developers to identify and address SQL injection vulnerabilities in their code. Its design and implementation are a useful contribution to software security, and future work could focus on improving its precision and addressing its limitations.
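    The combination the abstract describes, pattern matching for the query sinks plus a data-flow pass for the values that reach them, fits in a short scanner. The one below is an added example written for this page, not the thesis's scanner: it treats servlet request accessors as taint sources, JDBC query methods as sinks, and propagates taint through single-line String assignments and concatenation within one method. The source and sink lists and the three Java samples are constructed assumptions; a parameterized query with `?` placeholders is reported as clean, and a concatenated query whose input originates outside the method is still reported, at lower confidence, because the missing flow is exactly what the abstract's runtime-validation limitation is about.

```python
"""A minimal static SQL-injection scanner for Java source (added example)."""
import re
from dataclasses import dataclass

# Assumed taint sources: servlet-style request accessors.
SOURCE_RE = re.compile(
    r"\b(?:request|req)\.(?:getParameter|getHeader|getQueryString|getCookies)\s*\(")
# Assumed sinks: JDBC calls that hand a query string to the database.
SINK_RE = re.compile(
    r"\b(executeQuery|executeUpdate|execute|prepareStatement|createQuery)\s*\((.*)\)\s*;")
# `String x = <expr>;`, `x = <expr>;` or `x += <expr>;` on a single line.
ASSIGN_RE = re.compile(r"^\s*(?:(?:final\s+)?String\s+)?(\w+)\s*(\+?=)\s*(.+);\s*$")
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
CONCAT_WITH_LITERAL_RE = re.compile(r'"\s*\+|\+\s*"')


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


def expr_is_tainted(expr, tainted):
    """True if expr calls a source directly or mentions a tainted identifier
    (identifiers inside string literals are ignored)."""
    if SOURCE_RE.search(expr):
        return True
    code_only = STRING_LITERAL_RE.sub('""', expr)
    return any(name in tainted for name in IDENT_RE.findall(code_only))


def scan_java(source):
    """Scan one Java method or class, in line order, and return the findings."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]          # drop line comments

        m = ASSIGN_RE.match(code)
        if m:
            name, op, expr = m.groups()
            if expr_is_tainted(expr, tainted) or (op == "+=" and name in tainted):
                tainted.add(name)              # taint flows through assignment and concatenation
            elif op == "=":
                tainted.discard(name)          # a clean reassignment kills the taint

        s = SINK_RE.search(code)
        if not s:
            continue
        sink, arg = s.group(1), s.group(2)
        if expr_is_tainted(arg, tainted):
            reason = "query built from untrusted request input"
            if "+" in arg:
                reason += " via string concatenation"
            findings.append(Finding(lineno, sink, reason))
        elif CONCAT_WITH_LITERAL_RE.search(arg):
            # Literal concatenated with something we never saw tainted: the
            # data may still come from a caller, so report at lower confidence.
            findings.append(Finding(lineno, sink,
                                    "query built by concatenation (source not visible here)"))
    return findings


# Constructed Java samples (assumptions, not code from the thesis).
VULNERABLE = """\
public User find(HttpServletRequest request, Connection conn) throws SQLException {
    String name = request.getParameter("name");
    String sql = "SELECT * FROM users WHERE name = '" + name + "'";
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(sql);
    return map(rs);
}
"""

SAFE = """\
public User find(HttpServletRequest request, Connection conn) throws SQLException {
    String name = request.getParameter("name");
    PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
    ps.setString(1, name);
    ResultSet rs = ps.executeQuery();
    return map(rs);
}
"""

CONCAT_ONLY = """\
public ResultSet byId(Statement stmt, String id) throws SQLException {
    return stmt.executeQuery("SELECT * FROM users WHERE id = " + id);
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE), ("concat-only", CONCAT_ONLY)):
        print(label, [(f.line, f.sink, f.reason) for f in scan_java(src)])
```

    The scanner flags line 5 of the vulnerable sample because `sql` inherited taint from `name` on line 3, reports nothing for the prepared-statement version even though `name` is tainted there too (it reaches `setString`, not a query sink), and reports line 2 of the last sample only as suspicious concatenation, since `id` is a parameter whose origin the method does not show. That last case is where a real scanner needs inter-procedural flow; the rest of the logic is the intra-method pattern-plus-taint approach the abstract names.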

    Digital Forensics Investigation Frameworks for Cloud Computing and Internet of Things

    Rapid growth in Cloud computing and Internet of Things (IoT) introduces new vulnerabilities that can be exploited to mount cyber-attacks. Digital forensics investigation is commonly used to find the culprit and help expose the vulnerabilities. Traditional digital forensics tools and methods are unsuitable for use in these technologies. Therefore, new digital forensics investigation frameworks and methodologies are required. This research develops frameworks and methods for digital forensics investigations in cloud and IoT platforms