What MongoDB Can Tell Us About Security Awareness


In recent weeks Bitcoin has risen to prices not seen since late 2013. Coincidently, there have been a number of ongoing attacks targeting insecure deployments of various open source database technologies (such as Mongo DB) . Is there a connection?

Hacking groups are leveraging open source intelligence techniques (that is, intelligence collected from publicly available sources, not related to open source software) to identify targets and then either copy, destroy or encrypt data. From the victim’s standpoint, they’re left with a database containing nothing except ransom instructions – usually in the form of Bitcoin payment – with no guarantee of restoration of their data. 

Not only are these deployments being exploited in the wild but various toolkits specifically designed to programmatically target and acquire weak deployments are being sold online. Tools such as SHODAN demonstrate a target-rich environment of vulnerable databases.

Experience NOT Required

While we should always assume that experienced hackers are a threat, advanced skills are not a prerequisite for these attacks. Given the accessibility of toolkits, target intelligence and ease of exploitation, the range of actors capable of the attacks is expanding. Non-targeted attacks, those based on opportunism instead of a specific agenda, will become more prevalent, motivated solely by monetary gain.

It’s Not Always About Coding Errors

The latest spate of ransomware attacks on MongoDB and other open source databases are not due to insecure technologies or an insecure development process. Instead, attackers are exploiting human error - weak security configurations of the database during integration and deployment.

MongoDB and similar free and open source databases offer several engineering advantages, including higher throughput, scalability and agility, which align themselves well with the increasing demands of agile development. Similar to traditional database technologies, these systems need to be configured securely to ensure data privacy.

The increasing demand for rapid feature delivery and tighter deadlines results in security being de-prioritized or becoming a task for tomorrow. As I have found in various scenarios, culture plays a fundamental role in maintaining a proactive security posture. Security awareness should be a core aspect of development and not something to be reviewed at a later date.

Thankfully, a number of FOSS databases have responded to these attacks, adopting a “secure by default” stance. This enables security features by default and improves awareness around implementation of product features designed to protect and secure confidential data.

Security Isn’t Accidental

Security is cultural. It needs to be driven from management downwards and to be seen as a necessity instead of an afterthought or speed-bump in the way of progress. 

Secure by default should be adopted by every piece of software, both FOSS and closed source. Regular backups should be mandatory when dealing with production data. Secure coding is only one part of the equation. Security requires a full-time security mindset.

White Paper: Open Source Security & Agile Development


Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


CVE-2017-7494: Dancing with the Samba Vulnerability

| May 26, 2017

Samba is an open source SMB/CIFS implementation that allows interoperability between Linux and Windows hosts via file and print sharing. A remote code execution vulnerability has been discovered in versions 3.5.0 onwards that may allow an attacker to upload and execute code as the root user. To

| MORE >

Learning About The 5 Levels Of Open Source Security At Black Hat

| Aug 5, 2016

At Black Hat 2016 I had the pleasure of attending a briefing presented by Jake Kouns of Risk Based Security and Christine Gadsby of Blackberry. Their presentation titled: “OSS Security Maturity: Time to Put On Your Big Boy Pants” explored the definition of OSS (Open Source Software) and the usage

| MORE >