security Archives - 2ndQuadrant

Posts

How to Protect Your PostgreSQL Databases from Cyberattacks with SQL Firewall

March 11, 2020/2 Comments/in 2ndQuadrant, PostgreSQL, Sadeq's PlanetPostgreSQL /by Sadequl Hussain

In today’s world, organizations increasingly face an unprecedented level of threat of cyberattacks against their information assets. Cyberattacks can come in many forms. One such attack is called SQL injection. With SQL injection, rogue players target the backend database of any system. Usually, these systems are public-facing. Hackers try to send seemingly innocuous and regular […]

Setting SSL/TLS protocol versions with PostgreSQL 12

November 27, 2019/2 Comments/in 2ndQuadrant, Eisentraut's PlanetPostgreSQL, PostgreSQL /by Peter Eisentraut

PostgreSQL 12 contains two new server settings: ssl_min_protocol_version ssl_max_protocol_version As the names indicate, these are used to control the oldest (minimum) and newest (maximum) version of the SSL and TLS protocol family that the server will accept. (For historical reasons, in PostgreSQL, all settings related to SSL and TLS are named ssl_something, even though TLS […]

PostgreSQL with passphrase-protected SSL keys under systemd

February 6, 2019/3 Comments/in Eisentraut's PlanetPostgreSQL /by Peter Eisentraut

PostgreSQL supports SSL, and SSL private keys can be protected by a passphrase. Many people choose not to use passphrases with their SSL keys, and that’s perhaps fine. This blog post is about what happens when you do have a passphrase. If you have SSL enabled and a key with a passphrase and you start […]

Databases vs. encryption

December 5, 2018/10 Comments/in 2ndQuadrant, Tomas' PlanetPostgreSQL /by Tomas Vondra

Let’s assume you have some sensitive data, that you need to protect by encryption. It might be credit card numbers (the usual example), social security numbers, or pretty much anything you consider sensitive. It does not matter if the encryption is mandated by a standard like PCI DSS or if you just decided to encrypt […]

PG Phriday: Securing PgBouncer

April 20, 2018/0 Comments/in Shaun's PlanetPostgreSQL /by Shaun Thomas

We all love PgBouncer. It’s a great way to multiplex tens, hundreds, or even thousands of client connections to a small handful of Postgres sessions. What isn’t necessarily so endearing, is that it can’t pass authentication from itself to Postgres, as each Postgres session may exist before the connection to PgBouncer is established. Or can […]

Don’t be hard-headed… Harden your PostgreSQL database to ensure security

March 28, 2018/0 Comments/in 2ndQuadrant, Britt's Marketing /by Britt Cole

When it comes to database security, the risk is definitely not worth the reward. Being hard-headed about database security procedures can not only disrupt your business and cost you millions, but it can make irreparable damage to your customer relationship and public identity. How important is the security of your data to your organization Nearly […]

PostgreSQL Meltdown

January 10, 2018/0 Comments/in Simon's PlanetPostgreSQL /by Simon Riggs

Spectre and Meltdown have caused severe alarm in recent days. You may have read about up to 30% impact on PostgreSQL databases, which I believe to be overstated because of misunderstandings in the media. Let’s dig into this in more detail. TL;DR Summary: no PostgreSQL patch required, -7% performance hit In response to these new […]

Application users vs. Row Level Security

May 30, 2016/10 Comments/in 2ndQuadrant, PostgreSQL, Tomas' PlanetPostgreSQL /by Tomas Vondra

A few days ago I’ve blogged about the common issues with roles and privileges we discover during security reviews. Of course, PostgreSQL offers many advanced security-related features, one of them being Row Level Security (RLS), available since PostgreSQL 9.5. As 9.5 was released in January 2016 (so just a few months ago), RLS is fairly […]

Auditing Users and Roles in PostgreSQL

May 20, 2016/5 Comments/in 2ndQuadrant, PostgreSQL, Tomas' PlanetPostgreSQL /by Tomas Vondra

One of the services we offer are security reviews (or audits, if you want), covering a range of areas related to security. It may be a bit surprising, but a topic that often yields the most serious issues is roles and privileges. Perhaps the reason why roles and privileges are a frequent source of issues […]

Emulating row security in PostgreSQL 9.4

December 9, 2015/0 Comments/in Craig's PlanetPostgreSQL /by craig.ringer

PostgreSQL 9.5 adds declarative row security. You can declare policies on tables and have them enforced automatically – for example, allowing user joe to only see rows with the owner column equal to joe. This is a great feature, and it’s been a long time coming. It didn’t make it into PostgreSQL 9.4, but automatically […]