Agile, DevOps and continuous delivery have revolutionized software development. But how are they impacting database security? Do they make those challenges harder or easier?
To share a business-friendly flyover of today’s top database security concerns, database expert Robert Buda, President at Buda Consulting, joined a recent episode of The Virtual CISO Podcast. Hosting the show as usual is John Verry, Pivot Point Security’s CISO and Managing Partner.
What you get out of your pipeline depends on what you put in, and that extends to database security.
“If you go all-in and really do c in a robust manner, I think it could make [database security] better,” Bob reflects. “But the way many people do CI/CD in a partial manner could make it a bigger problem.”
“If you really configure robust regression testing into your CI/CD pipeline… I know that utopia there is that every time you make a change, it’s pushed out and completely regression tested, and it can be rolled back if something fails,” clarifies Bob. “I don’t think that ideal is always achieved. But if it is, and if we could build vulnerability testing into that regression test, then I think we could achieve greater database security.”
But what Bob more often sees is that the regression testing used does not perform as well as human testers from a security perspective.
“So, I think we could end up with bigger holes, or holes that we miss,” cautions Bob.
Parallels to infrastructure as code
John relates that Bob’s thoughts on DevOps parallel what he’s seen with infrastructure as code: “If you have a really robust implementation, you’re putting out some hammering environments that when we review them, they’re great. But if people are stretched for time, if people don’t have all of the knowledge that they need, if they’re not staying current on the newest switches and capabilities that Amazon or Microsoft introduce… Your code needs to adjust to stay where it was.”
Or, as John jokes, “The only thing worse than bad security is a false sense of security.”
The more logic in the database the better
John questions whether the API-centricity of many modern applications has reduced the number of stored procedures being used within databases. Does the segregation of application logic and access logic cause security problems?
“A lot of stored procedures are still being used,” replies Bob. “Maybe this is because I’m a database guy, and I’m biased toward using the database for all it can do. But I feel better when I see more logic in the database because it’s more controllable. There are access privileges you can grant to a specific stored procedure, so you can lock down who can run a process.”
“I’ve always seen everything outside the database as the wild west, and everything inside the database as a controlled environment,” remarks Bob. “So, I’d rather keep database logic—especially database logic that might present a vulnerability—in a controlled environment.”
When you’re ready to hear the whole episode with database consultant Bob Buda, click here.
Need to shrink the gap between security and software development in your org? Give this podcast episode a listen: EP#74 – Harshil Parikh – Bridging the Gap Between Security & Development Teams