5 things people do to make Postgres

Vulnerable

2 Level Security in Postgres

• Authentication – Server, User, Database and Password

• Authorization – Access to table, data, objects

Software are not designed to be Hacked

• Convenient setup without “red-tape” bureaucracy of DBA

• “Best Practices” are not for me

• Why do I need to test dev/UAT/SIT/pre-production with hardened system?

• My ISV vendor certified Postgres on 9.4.5, it will not run on 9.4.6

Patching is not for me!

• My Postgres is working fine, why do I need this patch?

• My ISV certified Postgres on 9.4.1, what if application breaks by moving to 9.4.4?

• I upgraded OpenSSL and Linux, do I need to upgrade Postgres too?

Why added fencing with pg_hba?

• I trust all IP in my network, why do I need pg_hba.conf?

• I already have firewalls, why restrict hosts with pg_hba?

• Allow all user from all IP

host all all 0.0.0.0/0 md5

I need DBA/SUPERUSER privileges for all user

• My application needs a lot of privileges, looks like it needs a superuser

• I am tired of granting privileges one by one, let’s grant superuser

• In non-production environments, I can run with DBA user

I don’t need Auditing

• I have all the security constraints in place, then why audit?

• Auditing does not share much information

• Auditing is a huge overhead for performance and disk requirements

• Audit rules needs to be defined only once

It’s trouble to input the password multiple times

• As a DBA – ‘God of DB systems’ I need to login many times

• DB server can trust my IP address

• Only I use my machine

• My IP is never going to change or be reallocated

• My laptop password is simple, but who would try to hack it?

@sameerkasi200x

sameer.kumar@ashnik.com

www.ashnik.com