Three tips for hardening microservice database access (JavaZone 2022)

On stage

This week I had the privilege of holding a talk at the JavaZone conference in Oslo. The topic of the talk is three things to be aware of to ensure a secure configuration of your database connections when working with Spring Boot and PostgreSQL. As with all JavaZone talks, a video has been posted online, which you can see below.

Supporting materials

If you want to see the slides directly they are available for download at https://blog.sharebear.co.uk/JavaZone2022.pdf

The code examples used to demonstrate the issues and their solutions can be found at https://gitlab.com/sharebear/spring-postgresql-hardening/. Some small improvements will be posted there during the next few days.

Audience questions

As I’m not very experienced with large audiences / video recording, I haven’t yet built up the habit of repeating questions during such presentations, so I’ll do my best to reproduce the essence of the questions here.

@ 32:32

In the code you didn’t actually revoke the permissions on the public schema, so you can still create the table by referencing the schema directly

I will be fixing this in the repository soon, keep an eye out for it.
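One way to close the gap raised at 32:32, shown here as an added example that is not from the original post or the talk's repository (the role and schema names app_owner, app_user and app are assumptions): revoke CREATE on the public schema from PUBLIC, then keep the application's tables in a dedicated schema where the runtime role only gets USAGE plus the DML privileges it needs. On PostgreSQL 15 and later the REVOKE on public is already the default; on older versions every role can create tables there until it is revoked explicitly.

```sql
-- Added example (not from the talk's repository): lock the public schema and
-- give the application a least-privilege role in its own schema.
-- Role and schema names (app_owner, app_user, app) are assumptions.

-- 1. Nobody gets to create objects in public just because they can connect.
--    (Already the default on PostgreSQL 15+, explicit on older versions.)
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. An owner role holds the tables; schema migrations run as this role.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- 3. The runtime role can see the schema but cannot create anything in it.
CREATE ROLE app_user LOGIN PASSWORD 'replace-me';  -- placeholder credential
GRANT USAGE ON SCHEMA app TO app_user;

-- Tables and sequences created later by app_owner are automatically usable
-- by app_user, so migrations do not have to remember to GRANT each time.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT USAGE, SELECT ON SEQUENCES TO app_user;

-- 4. Unqualified names resolve in app only, so the application never
--    touches public by accident.
ALTER ROLE app_user SET search_path = app;

-- 5. Check (run as a superuser or a member of app_user): both statements
--    must fail with "permission denied for schema ...".
SET ROLE app_user;
CREATE TABLE public.smuggled (id int);  -- fails: no CREATE on public
CREATE TABLE app.smuggled (id int);     -- fails: only USAGE on app
RESET ROLE;
```

Run the check in psql with autocommit on, otherwise the first failing CREATE aborts the transaction and the second statement is skipped. The default-privilege rules only apply to objects created by app_owner, so the migration job must connect as (or SET ROLE to) app_owner for them to take effect.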

@ 33:30

What do you think about taking things even further, propagating the actual user’s identity into the database and using row level security.

@ 34:38

PostgreSQL is known for its extensions and other mechanisms that can be used to, amongst other things, create a reverse shell. What kind of mitigations can be done against those?

@ 35:42

If the secret has been loaded into memory, and you have an RCE vulnerability such as Log4Shell, would it still be possible to extract the secret?

@ 36:50

Can you show the URL to the slides again?

Fun fact

This was the second conference I had attempted to submit this talk to. I had also tried CitusCon back in April, which, as that is an Azure and PostgreSQL conference, explains some of the technology choices for the demo 😉