Three tips for hardening microservice database access (JavaZone 2022)
This week I had the privilege of holding a talk at the JavaZone conference in Oslo. The topic of the talk is three things to be aware of to ensure a secure configuration of your database connections when working with Spring Boot and PostgreSQL. As with all JavaZone talks, a video has been posted online; you can see it below.
If you want to see the slides directly they are available for download at https://blog.sharebear.co.uk/JavaZone2022.pdf
The code examples used to demonstrate the issues and their solutions can be found at https://gitlab.com/sharebear/spring-postgresql-hardening/. Some small improvements will be posted there during the next few days.
As I'm not very experienced with large audiences or video recording, I haven't yet built up the habit of repeating questions during such presentations, so I'll do my best to reproduce the essence of the questions here.
In the code you didn’t actually revoke the permissions on the public schema, so you can still create the table by referencing the schema directly
I will be fixing this in the repository soon, keep an eye out for it.
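The point raised in that question is that a role which is only denied CREATE through the search path can still write `CREATE TABLE public.foo`, because PostgreSQL versions before 15 grant CREATE on the public schema to every role by default. The statements below are an added example, not code from the talk's repository; the role name `app_user` is an assumption chosen for illustration.

```sql
-- Remove the default CREATE grant on the public schema (PostgreSQL < 15
-- grants it to the pseudo-role PUBLIC, i.e. to everyone). After this,
-- schema-qualifying the table name no longer bypasses the restriction.
-- USAGE is deliberately left in place so existing grants on tables in
-- public keep working for the application role.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Check 1: the privilege function reports false for the application role.
-- 'app_user' is an assumed role name for this example.
SELECT has_schema_privilege('app_user', 'public', 'CREATE') AS can_create_in_public;

-- Check 2: acting as the application role, the direct schema reference
-- now fails with "permission denied for schema public".
SET ROLE app_user;
CREATE TABLE public.should_fail (id integer);
RESET ROLE;
```

Note that the REVOKE only affects new objects; tables the role created before the fix remain owned by it, so audit `pg_tables` for unexpected owners in `public` as part of the same change.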
What do you think about taking things even further, propagating the actual user's identity into the database and using row level security?
PostgreSQL is known for its extensions and other mechanisms that can be used to, amongst other things, create a reverse shell. What kind of mitigations can be done against those?
As long as you have loaded the secret into memory, then if you have an RCE vulnerability such as log4shell, would it still be possible to extract the secret?
Can you show the URL to the slides again?
This was the second conference I had attempted to submit this talk to. I had also attempted CitusCon back in April, which, as that is an Azure and PostgreSQL conference, explains some of the technology choices for the demo 😉