AWS security exec: You don't want to win this database popularity contest

If there was ever an area where default passwords reign and basic security hygiene is terrible, it's databases.  "Databases are hard to manage, and people have taken the easy path: given lots of people admin privileges and hardcoded database credentials into their software," says Mark Ryland, a director in Amazon Web Services …

  1. An_Old_Dog Silver badge

    The Easy Path was Taken: Why?

    "Databases are hard to manage, and people have taken the easy path: given lots of people admin privileges and hardcoded database credentials into their software," says Mark Ryland

    [database security is] an area that requires better "education, better technology, and better automation," he told The Register

    I agree many people have taken the easy path. What I question: how many of those db admins and coders took the easy path because they were ignorant, had lacked sufficiently-good technology, and had lacked sufficiently-good automation, and how many of them took the easy path because their supervisors grossly overscheduled them?

    (Icon for "Hmm...")

    1. This post has been deleted by its author

      1. unimaginative Bronze badge

        Re: The Easy Path was Taken: Why?

        That is probably true of most areas of security, and of maintainability.

        Short termism is a problem too. You need to spend money now, but nothing might go wrong for a few years, by which time the manager making the decision has moved on.

    2. ChoHag Silver badge

      Re: The Easy Path was Taken: Why?

      > Databases are hard to manage

      They are not, they just require actual management.

      What databases are not is sexy. Databases are boring (which is why DevOpses keep rediscovering them). Nobody wants to manage them so they don't, but hard? Give me a break.

      > I agree many people have taken the easy path. What I question: how many of those db admins and coders took the easy path because they were ignorant, had lacked sufficiently-good technology, and had lacked sufficiently-good automation, and how many of them took the easy path because their supervisors grossly overscheduled them?

      Nobody gains brownie points from doing the invisible work to keep the database up.

      1. James Anderson

        Re: The Easy Path was Taken: Why?

        However, security is difficult.

        Security design and architecture requires someone with a deep understanding of the underlying software, the maths of cryptography and the nature of the numerous and various threats. These people tend to be of the “absent-minded professor” personality type. They don’t have the patience to explain simple concepts to lesser mortals like managers and are averse to admin.

        Effective administration of security requires someone pig headed, with OCD levels of attention to detail and a religious veneration of the rules.

        In between, they need a management that appreciates that the long-term benefits of a good security setup are worth the short-term cost.

        Very few organisations manage to collect all three winning cards.

        1. Anonymous Coward

          Re: The Easy Path was Taken: Why?

          I appreciate the sentiment, but surely defining who has access to what tables isn’t that hard to do?

          What am I saying? I’ve seen dozens of bad implementations…

        2. MJB7

          Re: The Easy Path was Taken: Why?

          Security is difficult, but the one thing you _don't_ need in your list is "an understanding of the maths of cryptography" (let alone a deep understanding). What you _do_ need is to understand what promises a cryptographic primitive makes and what promises it _doesn't_ make.

          As an example, I know almost nothing about AES or 3DES beyond "stick a secret and a key in here, magic happens, and ciphertext appears out here". However I _do_ know that these only promise that an attacker cannot determine the secret given the ciphertext. What they don't promise is that the attacker can't modify the ciphertext in a way which modifies the secret. For that, you need an AEAD scheme like AES-GCM or AES-CBC + HMAC.
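MJB7's point about what a cipher does and does not promise, shown in code. This is an added example, not code from the article or from anyone in the thread: a Go program (standard library only) that encrypts the same one-block message once with raw AES-CBC and once with AES-GCM, then plays an attacker who knows the plaintext layout but never sees the key. The key, IV, nonce and the `role=user;id=042` message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values, not real secrets. Real code needs a random key, a fresh
// random IV per CBC message and a never-repeated nonce per GCM message; fixed
// values are used here only so the output is deterministic.
var (
	demoKey   = []byte("0123456789abcdef") // 16 bytes: AES-128
	demoIV    = []byte("fedcba9876543210") // 16 bytes: one CBC block
	demoNonce = []byte("0123456789ab")     // 12 bytes: standard GCM nonce
)

// The message is exactly one AES block, so CBC padding is left out of the demo.
const original = "role=user;id=042"
const target = "role=root;id=042" // what the attacker wants the server to read

// flipBytes XORs original^target into msg starting at offset. The attacker needs
// to know (or guess) the plaintext at that position, never the key.
func flipBytes(msg []byte, offset int, original, target string) []byte {
	out := append([]byte(nil), msg...)
	for i := 0; i < len(original); i++ {
		out[offset+i] ^= original[i] ^ target[i]
	}
	return out
}

// cbcForgeryDemo: AES-CBC with no MAC. Returns what the receiver decrypts.
func cbcForgeryDemo() (string, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return "", err
	}
	// Sender: iv || CBC(plaintext). Nothing authenticates either part.
	msg := append([]byte(nil), demoIV...)
	msg = append(msg, make([]byte, len(original))...)
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(msg[aes.BlockSize:], []byte(original))
	// Attacker: P1 = D(C1) XOR IV, so flipping IV bits flips the same bits of P1.
	tampered := flipBytes(msg, 0, original, target)
	// Receiver: decrypts whatever arrives; there is no check to fail.
	pt := make([]byte, len(tampered)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, tampered[:aes.BlockSize]).CryptBlocks(pt, tampered[aes.BlockSize:])
	return string(pt), nil
}

// gcmForgeryDemo: AES-GCM, same tampering. Returns the plaintext (empty on
// failure) and the error from the tag check.
func gcmForgeryDemo() (string, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Sender: nonce || GCM(plaintext) || 16-byte tag.
	msg := aead.Seal(append([]byte(nil), demoNonce...), demoNonce, []byte(original), nil)
	// Attacker: the same flips on the ciphertext bytes (CTR keystream means the
	// plaintext would change the same way if nobody checked the tag).
	tampered := flipBytes(msg, len(demoNonce), original, target)
	// Receiver: Open verifies the tag before returning any plaintext.
	pt, err := aead.Open(nil, tampered[:len(demoNonce)], tampered[len(demoNonce):], nil)
	return string(pt), err
}

func main() {
	pt, err := cbcForgeryDemo()
	fmt.Printf("AES-CBC, tampered IV: plaintext=%q err=%v\n", pt, err)
	pt, err = gcmForgeryDemo()
	fmt.Printf("AES-GCM, tampered ct: plaintext=%q err=%v\n", pt, err)
}
```

Run it and the CBC line prints `role=root;id=042` with no error, while the GCM line returns an empty plaintext and `cipher: message authentication failed`. The attacker never touched the key, only bytes on the wire, which is exactly the gap MJB7 describes: confidentiality without integrity. An AEAD (or encrypt-then-MAC, CBC plus HMAC over IV and ciphertext) makes the receiver reject anything the sender did not produce. The fixed IV and nonce are for reproducibility only; in real code the IV must be random and a GCM nonce must never repeat under one key.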
